Jon Mitchell wrote:
> On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
>> On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
>> > The current behaviour of a default Gentoo install is to load iptables
>> > after the network has been initialised. Upon shutting down, likewise,
>> > iptables is shut down, then the network interface. This strikes me as
>> > presenting a window of opportunity when the computer is exposed
>> > without iptables, albeit a small one.
>> >
>> > Do people on this list think there is any value in re-arranging this
>> > order by default?
>>
>> No, this doesn't offer a hole when no service is running and routing is
>> deactivated. So all services have to be started after the iptables rules.
>> Same for routing.
>
> But this isn't quite what happens by default. Starting up I seem to get
> the network, then http-replicator, then iptables.
I reproduced this problem.

Solution: add iptables to runlevel *boot* for correct startup, and change the dependency from

depend() {
	before net
	use logger
}

to

depend() {
	before net
}

Changing the runlevel makes iptables start at the correct position; changing the dependency lets iptables stop at the correct position.

Regards
Oli
--
gentoo-security@gentoo.org mailing list
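The two steps Oli describes, applied to a copy of the iptables init script and checked afterwards. This is an added example, not code from the thread or from Gentoo's baselayout: the init script below is a constructed stand-in for /etc/init.d/iptables with the multi-line depend() block such scripts use, the awk rewrite is one way to drop the "use logger" line while leaving "before net" in place, and the `rc-update del iptables default` call is an assumption added so the script is not left in both runlevels (the message itself only says to add it to boot). rc-update is only invoked when it exists on the host, so the depend() part can be exercised anywhere.

```shell
#!/bin/sh
# Added example: apply the depend() change from the thread to a copy of an
# iptables init script and verify the result. Assumes a multi-line depend()
# block and baselayout's rc-update (called only if present).

# Constructed stand-in for /etc/init.d/iptables as shipped: depend() carries
# both "before net" and "use logger".
SAMPLE_SCRIPT='#!/sbin/runscript
depend() {
    before net
    use logger
}

start() {
    ebegin "Loading iptables state"
    eend $?
}'

# drop_use_logger FILE: rewrite FILE in place so that depend() keeps
# "before net" and loses "use logger"; lines outside depend() are untouched.
drop_use_logger() {
    f=$1
    tmp="$f.tmp.$$"
    awk '
        /^depend\(\)/ { inblock = 1 }
        inblock && /^[[:space:]]*use[[:space:]]+logger[[:space:]]*$/ { next }
        inblock && /^}/ { inblock = 0 }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# depend_block FILE: print the body of depend(), leading whitespace stripped.
depend_block() {
    awk '/^depend\(\)/ { inblock = 1; next }
         inblock && /^}/ { inblock = 0 }
         inblock { sub(/^[[:space:]]+/, ""); print }' "$1"
}

# check_depend FILE: exit 0 only if depend() says "before net" and no
# longer says "use logger".
check_depend() {
    body=$(depend_block "$1")
    printf '%s\n' "$body" | grep -qx 'before net' || return 1
    printf '%s\n' "$body" | grep -qx 'use logger' && return 1
    return 0
}

# move_to_boot: the runlevel half of the fix. "rc-update add iptables boot"
# is what the message says; removing it from default is an added assumption.
move_to_boot() {
    command -v rc-update >/dev/null 2>&1 || {
        echo "rc-update not found; skipping runlevel change" >&2
        return 0
    }
    rc-update del iptables default
    rc-update add iptables boot
}

# run_demo: write the sample to a temp file, apply the depend() change, and
# return 0 if the rewritten script passes check_depend.
run_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SCRIPT" > "$f"
    if check_depend "$f"; then
        echo "unexpected: sample already has the fixed depend()" >&2
        rm -f "$f"
        return 1
    fi
    drop_use_logger "$f"
    rc=0
    check_depend "$f" || rc=1
    rm -f "$f"
    return $rc
}

run_demo && echo "depend() now reads: $(printf '%s\n' "$SAMPLE_SCRIPT" > /tmp/ipt.$$; drop_use_logger /tmp/ipt.$$; depend_block /tmp/ipt.$$; rm -f /tmp/ipt.$$)"
```

On a real Gentoo box the same functions apply to /etc/init.d/iptables itself (`drop_use_logger /etc/init.d/iptables; check_depend /etc/init.d/iptables && move_to_boot`), after which `rc-update show` should list iptables under boot rather than default. The thread does not say why the "use logger" line affects the stop position, so the example only applies the change as reported and checks the resulting depend() text.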