Gentoo Archives: gentoo-security

From: Oliver Schad <oliver.schad@×××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] iptables window of opportunity at startup
Date: Thu, 09 Feb 2006 14:02:35
Message-Id: 43EB4916.4060308@communology.com
In Reply to: Re: [gentoo-security] iptables window of opportunity at startup by Jon Mitchell
Jon Mitchell wrote:
> On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
>> On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
>> > The current behaviour of a default Gentoo install is to load iptables
>> > after the network has been initialised. Upon shutting down likewise
>> > iptables is shut down, then the network interface. This strikes me as
>> > presenting a window of opportunity when the computer is exposed
>> > without iptables, albeit a small one.
>> >
>> > Do people on this list think there is any value in re-arranging this
>> > order by default?
>>
>> No, this doesn't offer a hole when no service is running and routing is
>> deactivated. So all services have to be started after the iptables rules.
>> Same for routing.
>
> But this isn't quite what happens by default. Starting up I seem to get
> the network, then http-replicator, then iptables.

I reproduced this problem.
Solution:
Add iptables to the *boot* runlevel for correct startup and change the
dependency from

depend() {
	before net
	use logger
}

to

depend() {
	before net
}

Changing the runlevel makes iptables start at the correct position;
changing the dependency makes iptables stop at the correct position.

Regards
Oli
--
gentoo-security@g.o mailing list
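The following is an added example, not code from the thread or from Gentoo's baselayout: a small audit script that reads an /etc/init.d-style runscript, extracts its depend() block, and reports whether it carries the ordering Oli describes ("before net" present, and no use/need/after lines that can move the firewall's stop position behind another service). The two runscripts it writes are constructed for the demo; the helper names check_depend and write_samples and the file names iptables.orig and iptables.fixed are my own.

```shell
#!/bin/sh
# Added example (not the thread's or baselayout's code): audit a runscript's
# depend() block for the iptables ordering discussed in the thread.
# The sample runscripts written by write_samples are constructed for this demo.

# check_depend FILE
#   returns 0 when depend() contains "before net" and no use/need/after lines,
#   1 when "before net" is missing, 2 when extra dependencies are present.
check_depend() {
    file=$1
    # Extract only the depend() { ... } block; start()/stop() are ignored.
    block=$(sed -n '/^depend()/,/^}/p' "$file")
    if ! printf '%s\n' "$block" | grep -qE '^[[:space:]]*before[[:space:]].*net'; then
        echo "$file: depend() lacks 'before net'" >&2
        return 1
    fi
    # Any use/need/after line ties the firewall's start/stop order to another
    # service; "use logger" is the one the thread removes.
    extra=$(printf '%s\n' "$block" | grep -E '^[[:space:]]*(use|need|after)[[:space:]]' || true)
    if [ -n "$extra" ]; then
        echo "$file: depend() carries dependencies that can reorder iptables:" >&2
        printf '%s\n' "$extra" >&2
        return 2
    fi
    return 0
}

# write_samples DIR: write the "before" and "after" depend() blocks from the
# thread into DIR/iptables.orig and DIR/iptables.fixed (constructed samples;
# the start() bodies are placeholders and are never executed here).
write_samples() {
    dir=$1
    cat >"$dir/iptables.orig" <<'EOF'
#!/sbin/runscript
depend() {
	before net
	use logger
}
start() {
	ebegin "Loading iptables rules"
	eend $?
}
EOF
    cat >"$dir/iptables.fixed" <<'EOF'
#!/sbin/runscript
depend() {
	before net
}
start() {
	ebegin "Loading iptables rules"
	eend $?
}
EOF
}

# Demo run: the original block is flagged, the fixed block passes.
DEMO=$(mktemp -d)
write_samples "$DEMO"
for f in "$DEMO/iptables.orig" "$DEMO/iptables.fixed"; do
    if check_depend "$f"; then
        echo "$f: ordering OK"
    else
        echo "$f: needs the fix from the thread"
    fi
done
```

This only covers the dependency half of the fix; the runlevel half is the `rc-update add iptables boot` step, and `rc-update show` lists which runlevel each script ended up in. The check is a static heuristic over the depend() text, so it cannot see ordering that other scripts impose on iptables through their own depend() blocks.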