Jon Mitchell wrote:

> On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
>> On Saturday, 4 February 2006 at 13:50, Jon Mitchell wrote to me:
>> > The current behaviour of a default Gentoo install is to load iptables
>> > after the network has been initialised. Upon shutting down likewise
>> > iptables is shut down, then the network interface. This strikes me as
>> > presenting a window of opportunity when the computer is exposed
>> > without iptables, albeit a small one.
>> >
>> > Do people on this list think there is any value in re-arranging this
>> > order by default?
>>
>> No, this doesn't offer a hole when no service is running and routing is
>> deactivated. So all services have to be started after the iptables rules.
>> Same for routing.
>
> But this isn't quite what happens by default. Starting up I seem to get
> the network, then http-replicator, then iptables.

I reproduced this problem.

Solution:
Add iptables to the runlevel *boot* for correct startup and change the
dependency from

    depend() {
        before net
        use logger
    }

to

    depend() {
        before net
    }

Changing the runlevel makes iptables start up at the correct position;
changing the dependency lets iptables stop at the correct position.

Regards
Oli
--
gentoo-security@g.o mailing list
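An added check, not part of the thread above: a small POSIX shell script that inspects an init script's depend() block for the "before net" ordering and the "use logger" line Oli removed, and reads the runlevel a service sits in from rc-update style output. The init-script text and the rc-update listing are constructed samples embedded inline (the listing format is an assumption), so the script runs offline rather than against a live Gentoo box.

```shell
#!/bin/sh
# Added example (not the thread's own code): lint a baselayout-style init
# script for firewall-before-network ordering and check which runlevel it
# is registered in. All inputs below are constructed samples.

# Constructed sample: the original depend() block quoted in the thread.
ORIG_SCRIPT='#!/sbin/runscript
depend() {
	before net
	use logger
}
start() {
	ebegin "Loading iptables rules"
	eend $?
}'

# Constructed sample: the changed depend() block from the thread.
FIXED_SCRIPT='#!/sbin/runscript
depend() {
	before net
}
start() {
	ebegin "Loading iptables rules"
	eend $?
}'

# Constructed sample of "rc-update show" output (format assumed, not
# captured from a real system).
RC_UPDATE_SHOW='            bootmisc | boot
             checkfs | boot
            iptables |      default
               local |      default
            net.eth0 |      default
     http-replicator |      default'

# Print the lines of the depend() { ... } block of an init script.
depend_block() {
    printf '%s\n' "$1" | sed -n '/^depend()/,/^}/p'
}

# Exit 0 if depend() lists "net" among the services this one runs before.
declares_before_net() {
    depend_block "$1" | awk '
        $1 == "before" { for (i = 2; i <= NF; i++) if ($i == "net") found = 1 }
        END { exit !found }'
}

# Exit 0 if depend() still carries "use logger".
uses_logger() {
    depend_block "$1" | awk '
        $1 == "use" { for (i = 2; i <= NF; i++) if ($i == "logger") found = 1 }
        END { exit !found }'
}

# Print the runlevels a service is registered in, from rc-update output.
# $1 = service name, $2 = listing text.
runlevels_of() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        $1 == svc { for (i = 3; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# Exit 0 if the service is registered in the given runlevel.
in_runlevel() {
    runlevels_of "$1" "$3" | grep -qw "$2"
}

# Human-readable report for one init script and its runlevel table.
report() {
    svc=$1; script=$2; table=$3
    if declares_before_net "$script"; then
        echo "$svc: depend() declares 'before net'"
    else
        echo "$svc: WARNING: depend() does not order this service before net"
    fi
    if uses_logger "$script"; then
        echo "$svc: note: depend() still has 'use logger'"
    fi
    if in_runlevel "$svc" boot "$table"; then
        echo "$svc: registered in runlevel boot"
    else
        echo "$svc: WARNING: not in runlevel boot (found: $(runlevels_of "$svc" "$table"))"
    fi
}

report iptables "$ORIG_SCRIPT" "$RC_UPDATE_SHOW"
report iptables "$FIXED_SCRIPT" "$RC_UPDATE_SHOW"
```

On a real system you would feed it the contents of /etc/init.d/iptables and the output of `rc-update show`; the sample table above deliberately leaves iptables in "default" so the report shows the runlevel warning Oli's fix addresses.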