It is also my experience that iptables will make rules for
non-existent interfaces with no problems. It may be that you are
seeing the behavior that was modified as a result of bug 78495:

https://bugs.gentoo.org/show_bug.cgi?id=78495

Hotplug made things a little tougher, because of its tendency to bring
up the interface when the module is loaded. There was some discussion
of this in Bugzilla and a decision was made to make it configurable.
The interface coming up on hotplug was desired behavior by some users,
particularly in regard to wireless interfaces.

Admittedly the window is small and not likely to be of use, but it
seems silly to leave it open when it isn't necessary.

On 2/4/06, Mariusz Pękala <skoot@××.pl> wrote:
> On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote:
> > Jon Mitchell <junk@×××××××.uk> writes:
> >
> > > The current behaviour of a default Gentoo install is to load iptables
> > > after the network has been initialised. Upon shutting down, likewise,
> > > iptables is shut down, then the network interface. This strikes me as
> > > presenting a window of opportunity when the computer is exposed without
> > > iptables, albeit a small one.
> > >
> > > Do people on this list think there is any value in re-arranging this
> > > order by default?
> >
> > The problem with doing it the other way is that iptables rules can
> > reference the specific interfaces to which the rule applies. This will
> > (AFAIK) fail if the interface does not exist when the rule is
> > created. Therefore iptables has to be started after the network.
>
> AFAIK that would not happen.
> You may set a rule for a non-existing interface and iptables will not
> fail. If you do have two eth interfaces, try to set a rule for eth4 -
> you will see (I hope) no error. I saw none.
>
> I would vote for starting the firewall before the network, having my humble
> opinion on that topic. :-)
>
> --
> No virus found in this outgoing message.
> Checked by "grep -i virus $MESSAGE"
> Trust me.

--
gentoo-security@g.o mailing list
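The thread's point is that a firewall can be loaded before any interface exists, because `-i`/`-o` in an iptables rule is an interface name matched against each packet at filter time, not a device that must be present when the rule is added. The script below is an added example, not code from the thread or from Gentoo's init scripts: it emits a minimal ruleset in iptables-restore format with a default DROP policy on INPUT and FORWARD (so an interface that comes up before the firewall is closed, not open), allows SSH on `eth0` and on an `eth4` that is assumed not to exist on the host, and applies the whole set atomically with `iptables-restore`. The interface names, the SSH port and the `FIREWALL_EXAMPLE_MAIN` guard are assumptions of this example; applying the ruleset for real needs root and a netfilter-capable kernel, while `iptables-restore --test` only parses it.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny ruleset that can be
# loaded before networking is up. "eth4" is assumed to be absent on this
# host; the rule is still accepted because the name is matched per packet.

# Emit the ruleset in iptables-restore format (one atomic unit).
firewall_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth4 -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules that name an interface; none of them requires the
# interface to exist when the ruleset is loaded.
interface_rule_count() {
    firewall_ruleset | grep -c -- ' -i '
}

# Load the ruleset atomically. With "--test" iptables-restore only parses
# and constructs the ruleset without committing it (requires root either way).
load_firewall() {
    if [ "$1" = "--test" ]; then
        firewall_ruleset | iptables-restore --test
    else
        firewall_ruleset | iptables-restore
    fi
}

# Stand-alone run (FIREWALL_EXAMPLE_MAIN=1): print the ruleset and, when
# iptables-restore is installed, syntax-check it against the live tables.
if [ "${FIREWALL_EXAMPLE_MAIN:-0}" = 1 ]; then
    firewall_ruleset
    command -v iptables-restore >/dev/null 2>&1 && load_firewall --test
fi
```

Run it as `FIREWALL_EXAMPLE_MAIN=1 sh firewall.sh` to see the ruleset and, with root, to dry-run it; in an init script the `load_firewall` call would go in the step that precedes bringing interfaces up, so the default DROP policy is already in place when hotplug raises a device. Because `iptables-restore` replaces the table in one operation, there is also no moment during loading where only part of the rules is active.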