List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
-----BEGIN PGP SIGNED MESSAGE-----
Running a 2 stage iptables (drop all, start devices, set allow rules)
sounds like a good idea to me.
That would not be the most paranoid security measure I have seen.
Graham Murray wrote:
> Jon Mitchell <junk@...> writes:
>> The current behaviour of a default Gentoo install is to load iptables
>> after the network has been initialised. Upon shutting down likewise
>> iptables is shutdown then the network interface. This strikes me as
>> presenting a window of opportunity when the computer is exposed without
>> iptables, albeit a small one.
>> Do people on this list think there is any value in re-arranging this
>> order by default?
> The problem with doing the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.
> The other alternative is to have a 2-stage iptables
> initialisation. The first stage being run and setting the INPUT and
> FORWARD table policies to DROP (and it may also be necessary to set
> some rules to all the lo interface, I am not sure). The second stage
> being run after the network interfaces are configured and setting the
> actual rules.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
email@example.com mailing list