Gentoo Archives: gentoo-security

From: Steven Sennebogen <ssenne1@×××.edu>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] iptables window of opportunity at startup
Date: Sat, 04 Feb 2006 16:44:32
Message-Id: 43E4D7B3.1000403@uic.edu
In Reply to: Re: [gentoo-security] iptables window of opportunity at startup by Graham Murray
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Running a 2 stage iptables (drop all, start devices, set allow rules)
sounds like a good idea to me.
That would not be the most paranoid security measure I have seen.


Graham Murray wrote:
> Jon Mitchell <junk@×××××××.uk> writes: > >> The current behaviour of a default Gentoo install is to load iptables >> after the network has been initialised. Upon shutting down likewise >> iptables is shutdown then the network interface. This strikes me as >> presenting a window of opportunity when the computer is exposed without >> iptables, albeit a small one. >> >> Do people on this list think there is any value in re-arranging this >> order by default? > > The problem with doing the other way is that iptables rules can > reference the specific interfaces to which the rule applies. This will > (AFAIK) fail if the interface does not exist when the rule is > created. Therefore iptables has to be started after the network. > > The other alternative is to have a 2-stage iptables > initialisation. The first stage being run and setting the INPUT and > FORWARD table policies to DROP (and it may also be necessary to set > some rules to all the lo interface, I am not sure). The second stage > being run after the network interfaces are configured and setting the > actual rules.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD5NeyNt5PwLTPsH0RAl0HAKCKgYq054s8nxwTwVLh8F3BL7kceACghKZc h7T//JahSNdsY66t3WBiReA= =Ftuh -----END PGP SIGNATURE----- -- gentoo-security@g.o mailing list