Gentoo Archives: gentoo-security

From: Jon Mitchell <junk@×××××××.uk>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] iptables window of opportunity at startup
Date: Sun, 05 Feb 2006 08:29:29
Message-Id: 1139127849.9183.11.camel@hornbeam.arboretum
In Reply to: Re: [gentoo-security] iptables window of opportunity at startup by Oliver Schad
On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
> On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down, likewise,
> > iptables is shut down, then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed
> > without iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
>
> No, this doesn't offer a hole, when no service is running and routing is
> deactivated. So all services have to be started after iptables rules.
> Same for routing.
But this isn't quite what happens by default. Starting up I seem to get the network, then http-replicator, then iptables. Shutting down is worse: first iptables is turned off, then ntpd, sshd, http-replicator, "unmounting network file systems", then the network. So if there were a problem in these services they would be exposed. How do you control the order in which programs are shut down in Gentoo?
> Iptables doesn't have to protect the TCP/IP stack but a network behind
> the host or services on that host.
Could the network behind the host also be exposed in this small window? If you had a firewall machine (two interfaces and packet forwarding) without its firewall?
> Best regards
> Oli

Thanks,
Jon
--
gentoo-security@g.o mailing list
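As an added illustration of Oliver's point that the rules must be in place before any service or route exists (this is not code from either poster or from Gentoo's own init scripts), here is a POSIX sh script that installs a default-deny baseline and deliberately leaves it in place on stop; the init-script hook `depend() { before net; }` it assumes is OpenRC syntax, and setting `IPTABLES=echo` dry-runs the ruleset.

```shell
#!/bin/sh
# Added example, not code from either poster: a minimal "default-deny before
# the network comes up" firewall for a Gentoo/OpenRC-style host. If DROP
# policies exist before any interface or service does, and are only relaxed
# after services start, there is no boot window; not flushing them at stop
# closes the shutdown window Jon observed.
#
# Assumed hook (OpenRC depend() syntax): an init script in /etc/init.d that
# declares `depend() { before net; }` and calls this file with "start".
# IPTABLES may be overridden (IPTABLES=echo) to dry-run the ruleset.

# Baseline policy: nothing inbound or forwarded unless explicitly allowed;
# loopback and replies to our own connections still work. Per-service ACCEPT
# rules belong to the full ruleset loaded later, once the services run.
firewall_baseline() {
    ipt="${IPTABLES:-iptables}"
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -F INPUT
    "$ipt" -F FORWARD
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stop: keep the DROP policies. Resetting them to ACCEPT here is exactly what
# reopens the window (firewall gone while sshd/ntpd are still running).
firewall_stop() {
    :
}

# For the "firewall machine" case: forwarding should stay off until the
# FORWARD chain has rules. Succeeds (exit 0) when the kernel forwards.
# The path argument defaults to the real sysctl file; tests pass a copy.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

case "${1:-}" in
    start)
        firewall_baseline
        if forwarding_enabled; then
            echo "warning: ip_forward is on before FORWARD rules exist" >&2
        fi
        ;;
    stop) firewall_stop ;;
esac
```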

Replies

Subject / Author
Re: [gentoo-security] iptables window of opportunity at startup / Oliver Schad <oliver.schad@×××××××××××.com>
Re: [gentoo-security] iptables window of opportunity at startup / Tobias Klausmann <klausman@××××××××××××.de>
Re: [gentoo-security] iptables window of opportunity at startup / Oliver Schad <oliver.schad@×××××××××××.com>