On Thu, Dec 4, 2014 at 12:37 PM, Christopher Head <ch...@chead.ca> wrote:
>
> What if now, by some accident, iptables ends up in a loop (maybe not even a
> loop including $insecure_service, but some other loop entirely), and it’s the
> randomly chosen victim? Is it still good to boot as many services as
> possible? I think not.
My understanding of the algorithm is that it explicitly does not break on "need" boundaries and cycle breaking doesn't affect the rest of the graph. So in that scenario, if iptables isn't started, your hypothetical insecure service won't be started either. It's rather conservative and sane, IMO.

-Wyatt
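The behaviour Wyatt describes (a "need" cycle is never broken, every service that transitively needs a member of that cycle is withheld, and the rest of the graph starts normally) can be modelled as a fixpoint over hard dependencies. The following is an added illustration, not the init system's own dependency resolver; the service names, the `iptables` / `firewall-helper` loop and the `insecure_service` that needs `iptables` are constructed for the example, and only hard "need" edges are modelled (no "use" or "after" ordering hints).

```python
"""Illustrative model (not the project's code) of conservative handling of a
'need' cycle in a service dependency graph: cycle members are never started,
nothing that needs them is started, and unrelated services are unaffected."""
from typing import Dict, List, Set, Tuple

# Constructed example graph: service -> services it hard-"need"s.
# The iptables <-> firewall-helper loop is deliberate; it stands in for the
# accidental cycle from the thread.  insecure_service needs iptables, so it
# must stay down whenever iptables does.
SERVICES: Dict[str, List[str]] = {
    "localmount": [],
    "net": ["localmount"],
    "iptables": ["net", "firewall-helper"],
    "firewall-helper": ["iptables"],
    "insecure_service": ["iptables"],
    "syslog": ["localmount"],
    "sshd": ["net", "syslog"],
}


def plan_start(graph: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (start_order, withheld).

    A service becomes startable only once every service it needs is already
    startable.  Members of a need-cycle can never satisfy that condition, so
    they stay withheld, and so does anything that needs them (transitively).
    A need on a service that is not defined at all is treated the same way.
    Services outside the cycle's cone start in the usual dependency order.
    """
    order: List[str] = []
    started: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for svc in sorted(graph):  # sorted only for a deterministic order
            if svc in started:
                continue
            if all(dep in started for dep in graph[svc]):
                started.add(svc)
                order.append(svc)
                changed = True
    withheld = sorted(set(graph) - started)
    return order, withheld


def in_need_cycle(graph: Dict[str, List[str]], svc: str) -> bool:
    """True if svc can reach itself by following need edges, i.e. it is a
    member of a cycle (as opposed to merely needing something in one)."""
    stack = list(graph.get(svc, []))
    seen: Set[str] = set()
    while stack:
        cur = stack.pop()
        if cur == svc:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(graph.get(cur, []))
    return False


def explain_withheld(graph: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each withheld service to the reason it was not started."""
    _, withheld = plan_start(graph)
    return {
        svc: "member of a need-cycle" if in_need_cycle(graph, svc)
        else "needs a service that could not be started"
        for svc in withheld
    }


if __name__ == "__main__":
    order, withheld = plan_start(SERVICES)
    print("start order:", order)
    for svc, why in explain_withheld(SERVICES).items():
        print(f"withheld {svc}: {why}")
```

Running the block shows `localmount`, `net`, `syslog` and `sshd` starting while `iptables`, `firewall-helper` and `insecure_service` are all withheld: the loop is left intact rather than broken at a random edge, and the service that needs the firewall never comes up without it. Services that do not depend on the loop are unaffected, which is the conservative outcome the reply argues for.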