List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Jon Mitchell <junk@...>
Subject: Re: iptables window of opportunity at startup
Date: Sun, 05 Feb 2006 08:24:09 +0000
On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
> Am Samstag, 4. Februar 2006 13:50 schrieb mir Jon Mitchell:
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down likewise
> > iptables is shutdown then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed
> > without iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
> 
> No, this doesn't offer a hole when no service is running and routing is
> deactivated. So all services have to be started after iptables rules.
> Same for routing.

But this isn't quite what happens by default. Starting up I seem to get
the network, then http-replicator, then iptables. Shutting down is
worse: First iptables is turned off, then ntpd, sshd, http-replicator,
"unmounting network file systems", then the network. So if there were a
problem in these services they would be exposed.

How do you control the order that programs are shut down in Gentoo?

> Iptables doesn't have to protect the TCP/IP stack but a network behind
> the host or services on that host.

Could the network behind the host also be exposed in this small window?
If you had a firewall machine (two interfaces and packet forwarding)
without its firewall?

> Best regards
> Oli

Thanks,
 Jon



-- 
gentoo-security@g.o mailing list
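The ordering problem Jon describes above (services up before iptables at boot, and still up after iptables is stopped at shutdown) can be audited from an init log. The script below is an added example and is not part of the thread or of Gentoo's own init scripts; the `rc: Starting ...` / `rc: Stopping ...` line format, the sample log contents and the list of services considered network-exposed (NET_SERVICES) are all constructed for this example, so the two patterns would need adapting to what your init system actually logs.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an init log for the
# window in which network services run without the firewall, i.e. anything
# started before "Starting iptables" or stopped after "Stopping iptables".
# The log format and service names below are constructed for this example.

# Constructed sample log reproducing the order described in the message:
# boot net -> http-replicator -> iptables, shutdown iptables -> ntpd -> sshd
# -> http-replicator -> net.
SAMPLE_LOG='rc: Starting net.eth0
rc: Starting http-replicator
rc: Starting iptables
rc: Starting sshd
rc: Stopping iptables
rc: Stopping ntpd
rc: Stopping sshd
rc: Stopping http-replicator
rc: Stopping net.eth0'

# Services whose exposure without the firewall we care about (assumption).
NET_SERVICES='net.eth0 http-replicator sshd ntpd'

# Keep only lines naming a service listed in NET_SERVICES (reads stdin).
_filter_net() {
    while read -r svc; do
        for n in $NET_SERVICES; do
            [ "$svc" = "$n" ] && printf '%s\n' "$svc"
        done
    done
}

# exposed_at_boot LOG: services started before iptables came up.
# If iptables never starts, every started service is reported.
exposed_at_boot() {
    printf '%s\n' "$1" \
        | sed -n '/^rc: Starting iptables$/q;s/^rc: Starting //p' \
        | _filter_net
}

# exposed_at_shutdown LOG: services stopped only after iptables was stopped.
# If iptables is never stopped, nothing is reported.
exposed_at_shutdown() {
    printf '%s\n' "$1" \
        | sed -n '/^rc: Stopping iptables$/,$s/^rc: Stopping //p' \
        | grep -v '^iptables$' \
        | _filter_net
}

# firewall_gap LOG: print offenders; exit 0 only if no window exists.
firewall_gap() {
    boot=$(exposed_at_boot "$1")
    down=$(exposed_at_shutdown "$1")
    [ -n "$boot" ] && printf 'up before iptables: %s\n' \
        "$(printf '%s' "$boot" | tr '\n' ' ')"
    [ -n "$down" ] && printf 'up after iptables stopped: %s\n' \
        "$(printf '%s' "$down" | tr '\n' ' ')"
    [ -z "$boot" ] && [ -z "$down" ]
}

# Run against the constructed log; a non-zero status means a window exists.
firewall_gap "$SAMPLE_LOG" || echo "firewall window detected"
```

On the sample log this reports `net.eth0 http-replicator` as up before the firewall and `ntpd sshd http-replicator net.eth0` as still up after it was stopped, which is exactly the exposure the message worries about; a log where iptables is the first service started and the last one stopped yields no output and exit status 0.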