On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
> On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down, likewise,
> > iptables is shut down, then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed
> > without iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
>
> No, this doesn't offer a hole when no service is running and routing is
> deactivated. So all services have to be started after the iptables rules.
> Same for routing.

But this isn't quite what happens by default. Starting up I seem to get the
network, then http-replicator, then iptables. Shutting down is worse: first
iptables is turned off, then ntpd, sshd, http-replicator, "unmounting network
file systems", then the network. So if there were a problem in these services
they would be exposed. How do you control the order that programs are shut
down in Gentoo?

> Iptables doesn't have to protect the TCP/IP stack but a network behind
> the host or services on that host.

Could the network behind the host also be exposed in this small window? If
you had a firewall machine (two interfaces and packet forwarding) without its
firewall?

> Best regards
> Oli

Thanks,
Jon

--
gentoo-security@gentoo.org mailing list