| 1 |
On Thu, 2002-04-18 at 00:44, monkey wrote: |
| 2 |
> ... how can I get something installed in /usr/sbin? This will probably |
| 3 |
> open up a can of worms, but here I go. I want to change the ebuild for |
| 4 |
> iptables-1.2.6a to install with the prefix "/usr". Why, well I feel that |
| 5 |
> it is more FHS-compliant since the reasoning in the ebuild states that |
| 6 |
> things were moved back to /sbin and /lib to help people with netmounted |
| 7 |
> /usr systems get things working properly. I take exception to that on two |
| 8 |
> points: one, iptables is firewalling code and nothing more, and two, no |
| 9 |
> firewall should have netmounted systems. The FHS recommends keeping / as |
| 10 |
> free of things as possible. Only applications needed to repair filesystems |
| 11 |
> and get simple communication going are recommended for install in /. Since |
| 12 |
> no firewall should have any netmounted filesystems, I don't see the |
| 13 |
> validity in the argument for moving everything into /sbin and /lib. |
| 14 |
> However, changing the ebuild to fix this results in a "sandbox violation" |
| 15 |
> and the emerge fails. So, how can I bypass the sandbox for my iptables |
| 16 |
> install? This is not a swipe at the maintainer, I just have a different |
| 17 |
> opinion of where I want my userspace firewall code to live. Thanks for any |
| 18 |
> pointers. |
| 19 |
> |
| 20 |
> geoffrey |
| 21 |
|
| 22 |
Now that's silly. You say that system that uses NFS does not need a |
| 23 |
firewall? Wow ;). While iptables is a firewalling code it is not for a |
| 24 |
"pure firewall" systems only. Pretty much every system should install at |
| 25 |
least basic firewall, unless it's in a highly secure and trusted |
| 26 |
environment with a good external firewall. And firewall should be |
| 27 |
installed _before_ network comes up, so that there's no potential |
| 28 |
opportunity window for an attack. That's why it should go to /sbin. |
| 29 |
And this _is_ FHS compliant. |
| 30 |
|
| 31 |
/Vitaly. |
Archives