On Thu, 2002-04-18 at 00:44, monkey wrote:

> ... how can I get something installed in /usr/sbin? This will probably
> open up a can of worms, but here I go. I want to change the ebuild for
> iptables-1.2.6a to install with the prefix "/usr". Why, well I feel that
> it is more FHS-compliant since the reasoning in the ebuild states that
> things were moved back to /sbin and /lib to help people with netmounted
> /usr systems get things working properly. I take exception to that on two
> points: one, iptables is firewalling code and nothing more, and two, no
> firewall should have netmounted systems. The FHS recommends keeping / as
> free of things as possible. Only applications needed to repair filesystems
> and get simple communication going are recommended for install in /. Since
> no firewall should have any netmounted filesystems, I don't see the
> validity in the argument for moving everything into /sbin and /lib.
> However, changing the ebuild to fix this results in a "sandbox violation"
> and the emerge fails. So, how can I bypass the sandbox for my iptables
> install? This is not a swipe at the maintainer, I just have a different
> opinion of where I want my userspace firewall code to live. Thanks for any
> pointers.
>
> geoffrey

Now that's silly. You say that a system that uses NFS does not need a
firewall? Wow ;). While iptables is firewalling code, it is not for
"pure firewall" systems only. Pretty much every system should install at
least a basic firewall, unless it's in a highly secure and trusted
environment with a good external firewall. And a firewall should be
installed _before_ the network comes up, so that there's no potential
window of opportunity for an attack. That's why it should go to /sbin.
And this _is_ FHS compliant.

/Vitaly.
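The point both posters argue over is whether iptables can run before /usr is mounted. The following is an added example, not code from either poster or from the Gentoo ebuild: a small POSIX sh filter that reads ldd-style output and lists every shared object living under /usr, which is exactly what would be missing on a box with a netmounted /usr when the firewall script runs ahead of the network. The sample ldd lines and the library name libipt_example.so are constructed for the demonstration.

```shell
#!/bin/sh
# usr_deps: read ldd-style output on stdin, print each dependency path that
# lives under /usr. A binary meant to start before /usr is mounted (the
# ebuild's reason for /sbin and /lib) should produce no output here.
usr_deps() {
    while IFS= read -r line; do
        case "$line" in
            # "libc.so.6 => /lib/libc.so.6 (0x40020000)": take the path after "=>"
            *'=>'*) path=${line#*=> }; path=${path%% *} ;;
            # "/lib/ld-linux.so.2 (0x40000000)" or a vdso line: first field
            *)      set -- $line; path=${1:-} ;;
        esac
        case "$path" in
            /usr/*) printf '%s\n' "$path" ;;
        esac
    done
}

# usr_dep_count: number of offending dependencies, for a pass/fail check.
usr_dep_count() {
    usr_deps | wc -l | tr -d ' '
}

# Constructed sample ldd output (not a real capture); libipt_example.so is
# a hypothetical name standing in for an extension installed under /usr.
SAMPLE_ROOTFS_ONLY='	libc.so.6 => /lib/libc.so.6 (0x40020000)
	/lib/ld-linux.so.2 (0x40000000)'
SAMPLE_NEEDS_USR='	libc.so.6 => /lib/libc.so.6 (0x40020000)
	libipt_example.so => /usr/lib/libipt_example.so (0x40100000)
	/lib/ld-linux.so.2 (0x40000000)'

# Real use on an installed system:  ldd /sbin/iptables | usr_deps
printf '%s\n' "$SAMPLE_NEEDS_USR" | usr_deps
```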