Gentoo Archives: gentoo-security

From: Matt Drew <matt.drew@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] iptables window of opportunity at startup
Date: Sun, 05 Feb 2006 01:23:38
In Reply to: Re: [gentoo-security] iptables window of opportunity at startup by "Mariusz Pękala"
It is also my experience that iptables will make rules for
non-existent interfaces with no problems.  It may be that you are
seeing the behavior that was modified as a result of bug 78495:

Hotplug made things a little tougher, because of its tendency to bring
up the interface when the module is loaded.  There was some discussion
of this in bugzilla and a decision was made to make it configurable.
The interface coming up on hotplug was desired behavior by some users,
particularly in regard to wireless interfaces.

Admittedly the window is small and not likely to be of use, but it
seems silly to leave it open when it isn't necessary.

On 2/4/06, Mariusz Pêkala <skoot@××.pl> wrote:
> On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote: > > Jon Mitchell <junk@×××××××.uk> writes: > > > > > The current behaviour of a default Gentoo install is to load iptables > > > after the network has been initialised. Upon shutting down likewise > > > iptables is shutdown then the network interface. This strikes me as > > > presenting a window of opportunity when the computer is exposed without > > > iptables, albeit a small one. > > > > > > Do people on this list think there is any value in re-arranging this > > > order by default? > > > > The problem with doing the other way is that iptables rules can > > reference the specific interfaces to which the rule applies. This will > > (AFAIK) fail if the interface does not exist when the rule is > > created. Therefore iptables has to be started after the network. > > AFAIK that would not happen. > You may set a rule for non-existing interface and iptables will not > fail. If you do have two eth interfaces, try to set a rule for eth4 - > you will see (I hope) no error. I saw none. > > I would vote for starting firewall before network, having my humble > opinion on that topic. :-) > > > -- > No virus found in this outgoing message. > Checked by "grep -i virus $MESSAGE" > Trust me. > > >
-- gentoo-security@g.o mailing list