Jon Mitchell <junk@×××××××.uk> writes:

> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down, likewise,
> iptables is shut down and then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed without
> iptables, albeit a small one.
>
> Do people on this list think there is any value in re-arranging this
> order by default?

The problem with doing it the other way is that iptables rules can
reference the specific interfaces to which the rule applies. This will
(AFAIK) fail if the interface does not exist when the rule is
created. Therefore iptables has to be started after the network.

The other alternative is to have a 2-stage iptables
initialisation. The first stage is run first and sets the INPUT and
FORWARD table policies to DROP (and it may also be necessary to set
some rules to allow the lo interface, I am not sure). The second stage
is run after the network interfaces are configured and sets the
actual rules.
--
gentoo-security@g.o mailing list
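A sketch of the two-stage arrangement described in the message above, added here as an illustration (it is not from the original post or from Gentoo's init scripts). The stage names, the WAN_IF variable and the IPTABLES override used for dry runs are assumptions; the ordering guard in stage 2 is my addition.

```shell
#!/bin/sh
# Hypothetical two-stage firewall bring-up. IPTABLES can be overridden
# (e.g. IPTABLES=echo) to print the commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumed name of the externally facing interface

# Stage 1: run before networking is configured. It references no interface
# except lo, so it can be applied while lo is the only interface, and the
# host comes up with INPUT/FORWARD closed by policy.
stage1_lockdown() {
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -F
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stage 2: run after the interfaces are up; interface-specific rules live
# here. It refuses to run unless stage 1 already closed the INPUT policy,
# so a mis-ordered init sequence fails loudly instead of opening a window.
stage2_rules() {
    if ! "$IPTABLES" -S INPUT | grep -q -- '^-P INPUT DROP'; then
        echo "stage2: INPUT policy is not DROP; run stage 1 first" >&2
        return 1
    fi
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
}

# Dispatch on the init phase; the two names are assumed hook names.
case "${1:-}" in
    pre-net)  stage1_lockdown ;;
    post-net) stage2_rules ;;
esac
```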