Gentoo Archives: gentoo-security

From: Tobias Klausmann <klausman@××××××××××××.de>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] iptables window of opportunity at startup
Date: Wed, 08 Feb 2006 11:29:13
Message-Id: 20060208112230.GA32287@eric.schwarzvogel.de
In Reply to: Re: [gentoo-security] iptables window of opportunity at startup by Francois Toussenel
Hi! 

On Tue, 07 Feb 2006, Francois Toussenel wrote:

> On Sun, 5 Feb 2006 13:29:55 +0100 Tobias Klausmann <klausman@××××××××××××.de> wrote:
>
> > Which *should* make iptables start before net.* (maybe except
> > net.lo). And sure enough, the boot sequence is:
>
> This depends on the runlevels in which you have iptables and net.eth0.
> Could you please post the output of the following command?
>
> # rc-update show | grep 'iptables\|net\.'
>
> By having iptables in boot and net.eth0 in default, iptables starts
> before net.eth0, but it also stops before services and of course
> net.eth0. Does somebody know a setting to avoid that?
I'm using the defaults for both (i.e. I did what's in the install
handbook):

$ rc-update show | grep 'iptables\|net\.'
iptables | default
net.eth0 | default
net.lo | boot

I really don't understand what happened on the original poster's
machine. My (wild) guess is that somehow parallel startup messed it
up, but that would be a bug in the parallel startup code.
> (I would add that one might want to never respond to pings, for
> instance, so starting iptables between net.eth0 and services seems not
> enough.)
Why (outside of a specific attack in that area) would one *not*
respond to pings? Apart from a specific attack in that area happening,
I see no reason to do so.

Regards,
Tobias

--
You don't need eyes to see, you need vision.

--
gentoo-security@g.o mailing list
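An added check, not from the thread or from Gentoo itself, that applies the runlevel rule quoted above (iptables in "boot" starts before net.eth0 in "default") to `rc-update show` style output and flags any net.* interface script that would come up before the firewall. It assumes baselayout-1 sequencing (boot before default, anything else last) and uses two constructed listings as input.

```shell
#!/bin/sh
# Added example, not part of the thread: verify from "rc-update show" style
# output that iptables sits in a runlevel starting no later than every
# net.* interface script (net.lo excluded, as in the thread).
# Assumes the baselayout-1 sequencing discussed above: "boot" runs before
# "default"; any other runlevel is treated as starting last.

# Constructed sample output, shaped like the listing quoted in the thread.
SAMPLE_OK='iptables | default
net.eth0 | default
net.lo | boot'

# Constructed counter-example: net.eth0 would come up before iptables.
SAMPLE_BAD='iptables | default
net.eth0 | boot
net.lo | boot'

# Reads rc-update lines on stdin; prints each net.* service that starts
# before iptables. Exit status 0 when the ordering is safe, 1 otherwise.
check_fw_order() {
    awk -F'|' '
    function rank(lvl) { return lvl == "boot" ? 1 : (lvl == "default" ? 2 : 3) }
    function trim(s)   { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    {
        svc = trim($1); lvls = trim($2)
        # a service listed in several runlevels starts in the earliest one
        n = split(lvls, parts, /[ \t]+/); best = 99
        for (i = 1; i <= n; i++) { r = rank(parts[i]); if (r < best) best = r }
        start[svc] = best
    }
    END {
        if (!("iptables" in start)) { print "iptables is not in any runlevel"; exit 1 }
        bad = 0
        for (s in start)
            if (s ~ /^net\./ && s != "net.lo" && start[s] < start["iptables"]) {
                print s " starts before iptables"; bad = 1
            }
        exit bad
    }'
}

printf '%s\n' "$SAMPLE_OK"  | check_fw_order && echo "sample 1: ordering is fine"
printf '%s\n' "$SAMPLE_BAD" | check_fw_order || echo "sample 2: fix the runlevels"
```

On a live box, `rc-update show | check_fw_order` runs the same check against the real configuration.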

Replies

Subject Author
Re: [gentoo-security] iptables window of opportunity at startup Oliver Schad <o.schad@×××.de>