Gentoo Archives: gentoo-security

From: "Mariusz Pękala" <skoot@××.pl>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] iptables window of opportunity at startup
Date: Sat, 04 Feb 2006 22:58:05
Message-Id: 20060204225113.GB10095@cthulhu.sdi.tpnet.pl
In Reply to: Re: [gentoo-security] iptables window of opportunity at startup by Graham Murray
On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote:
> Jon Mitchell <junk@×××××××.uk> writes:
>
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down, likewise,
> > iptables is shut down, then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed without
> > iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
>
> The problem with doing it the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.
AFAIK that would not happen. You may set a rule for a non-existing interface and iptables will not fail. If you do have two eth interfaces, try to set a rule for eth4 - you will see (I hope) no error. I saw none.

I would vote for starting the firewall before the network, having my humble opinion on that topic. :-)

--
No virus found in this outgoing message.
Checked by "grep -i virus $MESSAGE"
Trust me.
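An added example, not from this thread or from Gentoo's own init scripts: a fail-closed iptables-restore ruleset that names an interface (assumed to be eth0, with SSH on 22/tcp) and so can be loaded before the network brings that interface up, plus a static check that the ruleset defaults to DROP. The iptables-restore --test dry run is only attempted when the tool and root privileges are available.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed interface name: eth0.

# Emit a default-deny ruleset in iptables-restore format. Rules that name
# "$1" with -i are accepted even if that interface does not exist yet, so
# the file can be loaded before net starts.
gen_ruleset() {
    ifname="${1:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${ifname} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i ${ifname} -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Static check before installing: INPUT and FORWARD must default to DROP,
# otherwise an early load buys nothing. Returns 0 when both are fail-closed.
check_fail_closed() {
    grep -q '^:INPUT DROP' "$1" && grep -q '^:FORWARD DROP' "$1"
}

# Parse-only dry run of the ruleset (needs root and the iptables tools);
# elsewhere it reports that only the static check ran and returns 0.
dry_run() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore not runnable here; static check only" >&2
        return 0
    fi
}

# Entry point: write the rules file, verify it, and try the dry run.
main() {
    f="${TMPDIR:-/tmp}/firewall.rules.$$"
    gen_ruleset eth0 > "$f"
    check_fail_closed "$f" || { echo "ruleset is not fail-closed" >&2; exit 1; }
    dry_run "$f" && echo "ruleset written to $f"
}
```

Run `main` to produce the rules file; the point of the example is that nothing in it requires the interface to be present when the file is loaded.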

Replies

Subject Author
Re: [gentoo-security] iptables window of opportunity at startup Matt Drew <matt.drew@×××××.com>