Gentoo Archives: gentoo-security

From: Graham Murray <graham@×××××××××××.uk>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] iptables window of opportunity at startup
Date: Sat, 04 Feb 2006 13:20:18
Message-Id: 877j8bb74p.fsf@newton.gmurray.org.uk
In Reply to: [gentoo-security] iptables window of opportunity at startup by Jon Mitchell
Jon Mitchell <junk@×××××××.uk> writes:

> The current behaviour of a default Gentoo install is to load iptables > after the network has been initialised. Upon shutting down likewise > iptables is shutdown then the network interface. This strikes me as > presenting a window of opportunity when the computer is exposed without > iptables, albeit a small one. > > Do people on this list think there is any value in re-arranging this > order by default?
The problem with doing the other way is that iptables rules can reference the specific interfaces to which the rule applies. This will (AFAIK) fail if the interface does not exist when the rule is created. Therefore iptables has to be started after the network. The other alternative is to have a 2-stage iptables initialisation. The first stage being run and setting the INPUT and FORWARD table policies to DROP (and it may also be necessary to set some rules to all the lo interface, I am not sure). The second stage being run after the network interfaces are configured and setting the actual rules. -- gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] iptables window of opportunity at startup "Mariusz Pękala" <skoot@××.pl>
Re: [gentoo-security] iptables window of opportunity at startup Steven Sennebogen <ssenne1@×××.edu>