Note: Due to technical difficulties, the Archives are currently not up to date.
GMANE provides an alternative service for most mailing lists. c.f. bug 424647
On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
> Am Samstag, 4. Februar 2006 13:50 schrieb mir Jon Mitchell:
> > The current behaviour of a default Gentoo install is to load
iptables
> > after the network has been initialised. Upon shutting down likewise
> > iptables is shutdown then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed
> > without iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
>
> No this doesn't offers a hole, when no service is running and routing
is
> deactivated. So all services have to be started after iptables rules.
> Same for routing.
But this isn't quite what happens by default. Starting up I seem to get
the network, then http-replicator, then iptables. Shutting down is
worse: First iptables is turned off, then ntpd, sshd, http-replicator,
"unmounting network file systems", then the network. So if there were a
problem in these services they would be exposed.
How do you control the order that programs are shutdown in gentoo?
> Iptables doesn't have to protect the TCP/IP stack but a network
behind
> the host or services on that host.
Could the network behind the host also be exposed in this small window?
If you had a firewall machine (two interfaces and packet forwarding)
without its firewall?
> Best regards
> Oli
Thanks,
Jon
--
gentoo-security@g.o mailing list
|
|
