List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
Jon Mitchell <junk@...> writes:
> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down likewise
> iptables is shutdown then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed without
> iptables, albeit a small one.
> Do people on this list think there is any value in re-arranging this
> order by default?
The problem with doing the other way is that iptables rules can
reference the specific interfaces to which the rule applies. This will
(AFAIK) fail if the interface does not exist when the rule is
created. Therefore iptables has to be started after the network.
The other alternative is to have a 2-stage iptables
initialisation. The first stage being run and setting the INPUT and
FORWARD table policies to DROP (and it may also be necessary to set
some rules to all the lo interface, I am not sure). The second stage
being run after the network interfaces are configured and setting the
email@example.com mailing list