List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Steven Sennebogen <ssenne1@...>
Subject: Re: iptables window of opportunity at startup
Date: Sat, 04 Feb 2006 10:34:59 -0600

Running a 2 stage iptables (drop all, start devices, set allow rules)
sounds like a good idea to me.
That would not be the most paranoid security measure I have seen.


Graham Murray wrote:
> Jon Mitchell <junk@...> writes:
>
>> The current behaviour of a default Gentoo install is to load iptables
>> after the network has been initialised. Upon shutting down likewise
>> iptables is shutdown then the network interface. This strikes me as
>> presenting a window of opportunity when the computer is exposed without
>> iptables, albeit a small one.
>>
>> Do people on this list think there is any value in re-arranging this
>> order by default?
>
> The problem with doing it the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.
>
> The other alternative is to have a 2-stage iptables
> initialisation. The first stage being run and setting the INPUT and
> FORWARD table policies to DROP (and it may also be necessary to set
> some rules to allow the lo interface, I am not sure). The second stage
> being run after the network interfaces are configured and setting the
> actual rules.


-- 
gentoo-security@g.o mailing list
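The two-stage bring-up Graham describes and Steven endorses, as an added example that is not from the thread or from Gentoo's own init scripts: stage 1 sets DROP policies and permits lo before any interface exists, and stage 2 adds the interface-specific rules once the interface is up. The interface name, the port list and the IPT dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Two-stage iptables bring-up (example script, not Gentoo's init scripts).
# IPT defaults to "echo iptables" so the commands are printed rather than
# applied; run with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Stage 1: runs before the network comes up. Nothing here names an
# interface other than lo, so it cannot fail the way interface-specific
# rules do when the interface does not yet exist.
stage1_prenet() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback has to work before any real interface is configured,
    # which is the lo concern raised in the thread.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stage 2: runs after the interface exists. Arguments: the external
# interface name (assumed, e.g. eth0) and the TCP ports to expose on it.
stage2_postnet() {
    iface="$1"; shift
    for port in "$@"; do
        $IPT -A INPUT -i "$iface" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Boot order: stage 1 before the network, stage 2 after it.
stage1_prenet
stage2_postnet eth0 22
```

Between the two stages the host answers only on lo and to its own established connections, so the exposure window Jon describes is closed while the interface-specific rules still load after the interface exists.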


References:
iptables window of opportunity at startup
-- Jon Mitchell
Re: iptables window of opportunity at startup
-- Graham Murray
Updated Jun 17, 2009
Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.