On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote:

> Jon Mitchell <junk@×××××××.uk> writes:
>
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down, likewise,
> > iptables is shut down and then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed without
> > iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
>
> The problem with doing it the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.

AFAIK that would not happen.
You may set a rule for a non-existing interface and iptables will not
fail. If you do have two eth interfaces, try to set a rule for eth4 -
you will see (I hope) no error. I saw none.

I would vote for starting the firewall before the network, having my humble
opinion on that topic. :-)

--
No virus found in this outgoing message.
Checked by "grep -i virus $MESSAGE"
Trust me.
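A way to verify the claim under dispute (that iptables accepts a rule naming an interface which does not exist yet) without touching the host firewall, as an added example that is not part of the thread: it runs the test rule inside a throwaway network namespace, where only `lo` exists, so the interface is guaranteed to be absent. It assumes root, iproute2's `ip` and `iptables` are available; the namespace name `fwcheck$$` and the interface name `eth4` are constructed.

```shell
#!/bin/sh
# Check whether iptables accepts a rule that names an interface which does
# not exist yet (the situation when the firewall starts before the network).
# Runs in a throwaway network namespace so the host ruleset is untouched
# and the absence of the interface is guaranteed (a fresh netns only has lo).
# Prints one of: accepted, rejected, unavailable.
check_rule_on_missing_iface() {
    iface="${1:-eth4}"          # interface name that must not exist in the netns
    ns="fwcheck$$"              # constructed namespace name, unique per run

    # Without root, ip or iptables the check cannot be carried out.
    if [ "$(id -u)" -ne 0 ] || ! command -v ip >/dev/null 2>&1 \
        || ! command -v iptables >/dev/null 2>&1; then
        echo unavailable
        return 0
    fi
    if ! ip netns add "$ns" 2>/dev/null; then
        echo unavailable
        return 0
    fi

    # Make sure the interface really is absent inside the namespace.
    if ip netns exec "$ns" ip link show "$iface" >/dev/null 2>&1; then
        ip netns del "$ns"
        echo unavailable
        return 0
    fi

    # Try to add an interface-specific rule, then confirm it is in the ruleset.
    if ip netns exec "$ns" iptables -A INPUT -i "$iface" -j DROP 2>/dev/null \
        && ip netns exec "$ns" iptables -S INPUT | grep -q -- "-i $iface "; then
        result=accepted
    else
        result=rejected
    fi
    ip netns del "$ns"
    echo "$result"
}

check_rule_on_missing_iface "${1:-eth4}"
```

If it prints `accepted`, a rule referencing the not-yet-present interface loads fine and the ordering objection does not hold on that kernel and iptables version; `unavailable` means the check could not be run (not root, or tools missing).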