List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Graham Murray <graham@...>
Subject: Re: iptables window of opportunity at startup
Date: Sat, 04 Feb 2006 13:12:06 +0000
Jon Mitchell <junk@...> writes:

> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down likewise
> iptables is shutdown then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed without
> iptables, albeit a small one.
>
> Do people on this list think there is any value in re-arranging this
> order by default?

The problem with doing it the other way is that iptables rules can
reference the specific interfaces to which the rule applies. This will
(AFAIK) fail if the interface does not exist when the rule is
created. Therefore iptables has to be started after the network.

The other alternative is to have a 2-stage iptables
initialisation. The first stage being run and setting the INPUT and
FORWARD table policies to DROP (and it may also be necessary to set
some rules to allow the lo interface, I am not sure). The second stage
being run after the network interfaces are configured and setting the
actual rules.
-- 
gentoo-security@g.o mailing list
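The two-stage start-up sketched in the reply above, written out as a POSIX shell script. This is an added example, not code from the thread or from Gentoo's own init scripts: stage 1 references no real interface (only lo), so it can run before networking and leaves the host fail-closed; stage 2 carries the interface-specific rules and must run after the interfaces exist. The interface name eth0, the OUTPUT ACCEPT policy and the SSH allow rule are assumptions chosen for illustration; IPTABLES defaults to "echo iptables" so the script can be read as a dry run without root.

```shell
#!/bin/sh
# Two-stage iptables start-up (added example; assumptions: eth0 as the
# external interface, OUTPUT policy ACCEPT, SSH allowed on that interface).
# IPTABLES defaults to "echo iptables" for a dry run; set IPTABLES=iptables
# to apply the rules for real.

IPTABLES="${IPTABLES:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumed interface name

# Stage 1: run BEFORE the network is initialised. No interface other than
# lo is named here, so nothing depends on an interface existing yet, and the
# default policies close the window between "network up" and "rules loaded".
stage1() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    # Loopback must keep working for local services during early boot.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
}

# Stage 2: run AFTER the interfaces are configured. These rules name a real
# interface, which is the reason they cannot be loaded in stage 1.
stage2() {
    $IPTABLES -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -j DROP
}

# Sanity check for the ordering argument: count rule lines in a stage that
# name an interface other than lo. Stage 1 must report 0, otherwise it would
# fail when run before the network comes up.
iface_refs() {
    "$1" | grep -v -- '-[io] lo' | grep -c -- '-[io] ' || true
}

case "${1:-}" in
    stage1) stage1 ;;
    stage2) stage2 ;;
    *) echo "usage: $0 stage1|stage2" >&2 ;;
esac
```

Run "sh two-stage.sh stage1" from the init step that precedes networking and "sh two-stage.sh stage2" from the step that follows it; with the default dry-run IPTABLES value the script only prints the commands it would issue, which makes it easy to confirm that stage 1 contains no "-i eth0" style rule before wiring it into the boot order.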


Replies:
Re: iptables window of opportunity at startup
-- Mariusz Pękala
Re: iptables window of opportunity at startup
-- Steven Sennebogen
References:
iptables window of opportunity at startup
-- Jon Mitchell
Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.