Running a 2 stage iptables (drop all, start devices, set allow rules)
sounds like a good idea to me.
That would not be the most paranoid security measure I have seen.


Graham Murray wrote:
> Jon Mitchell <junk@×××××××.uk> writes:
>
>> The current behaviour of a default Gentoo install is to load iptables
>> after the network has been initialised. Upon shutting down likewise
>> iptables is shut down then the network interface. This strikes me as
>> presenting a window of opportunity when the computer is exposed without
>> iptables, albeit a small one.
>>
>> Do people on this list think there is any value in re-arranging this
>> order by default?
>
> The problem with doing it the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.
>
> The other alternative is to have a 2-stage iptables
> initialisation. The first stage being run and setting the INPUT and
> FORWARD table policies to DROP (and it may also be necessary to set
> some rules to allow the lo interface, I am not sure). The second stage
> being run after the network interfaces are configured and setting the
> actual rules.
--
gentoo-security@g.o mailing list
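A sketch of the two-stage bring-up described in the quoted message, added here as an example (it is not a script from the thread or from Gentoo's init scripts). Stage 1 touches only lo, which exists before any other interface is configured, so it can run before the network; stage 2 carries the interface-specific rules and runs afterwards. The interface name eth0 and the port list are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Two-stage iptables bring-up (example; interface and ports are assumptions).
# Stage 1 must run before any network interface is configured, so it only
# references lo, which always exists. Stage 2 runs after the interfaces are
# up and may reference them by name. With DRY_RUN=1 the commands are
# printed rather than executed, which also lets the ordering be checked
# without root.
IPT="${IPT:-iptables}"

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Stage 1: fail closed. Policies are set to DROP before the flush so there
# is no moment with an ACCEPT policy and no rules; only lo is allowed.
stage1() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
}

# Stage 2: the interface-specific allow rules. $1 is the external
# interface (assumed name, e.g. eth0); remaining args are TCP ports to
# accept new connections on. Run from the post-network hook.
stage2() {
    wan="$1"; shift
    ipt -A INPUT -i "$wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        ipt -A INPUT -i "$wan" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Usage: sh twostage.sh stage1            (before net.* starts)
#        sh twostage.sh stage2 eth0 22     (after net.* starts)
case "${1:-}" in
    stage1) stage1 ;;
    stage2) shift; stage2 "$@" ;;
esac
```

On shutdown the same ordering applies in reverse: stage 1's DROP policies should stay in place until after the interfaces are down.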