However, as far as I know, iptables is perfectly happy creating rules for non-existent interfaces. Of course this may have changed, but when I first learned to use iptables the doc specifically suggested setting up iptables rules before bringing up the network. By the way, this is what I do at my firewall (although it runs Debian, not Gentoo): first starting iptables and then networking. Probably it's paranoid, but that way there is not even a theoretical possibility of an insecure window during boot (for example, if a misconfiguration brings up a vulnerable service before the firewall is up).
/Staffan Emrén
--
Societas Archaeologica Upsaliensis
018 - 10 79 30
www.sau.se
--
gentoo-security@gentoo.org mailing list
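As an added example (not part of Staffan's message), a minimal default-deny ruleset in iptables-restore format that names eth1 before that interface exists, so a boot script ordered before networking can load it atomically; the interface names and the SSH-from-eth1 rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Default-deny ruleset meant to be
# loaded before any interface is brought up. Interface names and the SSH rule
# are assumptions for illustration.

# Emit the ruleset in iptables-restore format. Naming eth1 here is fine even
# if the kernel has not created it yet: iptables only stores the name and
# matches it once packets actually arrive on an interface with that name.
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Count chains whose default policy is DROP, so a boot script can refuse to
# continue to networking unless all three filter chains are default-deny.
drop_policies() {
    ruleset | grep -c '^:[A-Z]* DROP'
}

# Load the whole ruleset in one step (all-or-nothing), before interfaces come
# up, so there is no moment with a partially applied policy.
apply() {
    ruleset | iptables-restore
}

# Only touch the kernel when explicitly asked: ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```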