#1763: iptables issue
-------------------------+--------------------------------------------------
  Reporter:  gjones5555  |       Owner:  [email protected]
      Type:  defect      |      Status:  closed                     
  Priority:  normal      |   Milestone:                             
 Component:  CD          |     Version:  x86-6.3                    
Resolution:  fixed       |    Keywords:  iptables x86-6.3-r2130     
-------------------------+--------------------------------------------------
Changes (by [EMAIL PROTECTED]):

  * status:  new => closed
  * resolution:  => fixed

Comment:

 > /etc/rc.d/init.d/iptables points to iptables in /sbin. On the CD,
 iptables is in /bin.

 This is a valid bug report.

 > There is no /etc/rc.d/rc.iptables.

 You are supposed to create this script yourself, as there is no setup that
 will suit everyone. The script in the book has the annoying property that
 it logs the packets with the default priority, so an external attacker
 that knows that you use the default script from BLFS can make you unable
 to read anything from the screen except the packet log (i.e.: in many
 cases, this is worse than no firewall at all). The only thing that the
 script in the book really does for you is that it prevents you from
 accidentally running a server -- but hackers have known for ages how to
 circumvent this restriction (google for "reverse connection trojan").

 > I have a direct DSL link to the Internet. It is either pull the plug or
 set up a firewall.

 No, it isn't. You are perfectly safe without any firewall as long as there
 are no processes that listen to ports (and it is a bug in the book that it
 doesn't say so). You can check that by the following command:

 {{{
 netstat -ln -A inet
 # if you have ipv6 (on the LiveCD, it is disabled in the kernel), also run:
 # netstat -ln -A inet6
 }}}

 By default, no applications on the LiveCD listen to ports, and this
 command gives no output except the header. Iptables were added only in
 order for people to be able to use the CD as a temporary NAT solution if
 the hard disk on their router fails.

 In short: the valid part of this bug report is fixed in r2136 by moving
 iptables to /sbin and removing the useless initscript.

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/livecd/ticket/1763#comment:1>
LiveCD Trac <http://wiki.linuxfromscratch.org/livecd/>
Linux From Scratch LiveCD
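One way to turn the netstat check from the comment into a repeatable audit, as an added example that is not part of the ticket or the LiveCD project: the sample netstat output is constructed, and the decision to ignore sockets bound to loopback (they are not reachable from the DSL side) is an assumption made here, not something the comment states.

```shell
# Constructed sample of what `netstat -ln -A inet` prints on a host that
# DOES have listeners. On the stock LiveCD only the two header lines appear.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Print "proto local-address" for every socket reachable from the network:
# tcp sockets in LISTEN state plus every udp socket (udp lines carry no
# State column at all, so they must not be filtered on field 6).
# Sockets bound to 127.x.x.x are skipped (assumption: loopback is not
# reachable from outside). Returns 1 if anything was found, else 0.
# Real usage: audit_listeners "$(netstat -ln -A inet)"
audit_listeners() {
    found=$(printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 != "LISTEN" { next }   # established etc. are not servers
        $1 == "tcp" || $1 == "udp" {
            split($4, addr, ":")                 # "0.0.0.0:22" -> addr[1]="0.0.0.0"
            if (addr[1] ~ /^127\./) next         # loopback-only, skip
            print $1, $4
        }')
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Number of network-reachable listeners in a netstat dump (0 on a clean host).
count_listeners() {
    audit_listeners "$1" | wc -l | tr -d ' '
}

audit_listeners "$SAMPLE_NETSTAT" \
    || echo "listeners found: stop them or set up a firewall before plugging in"
```

On the real LiveCD the function prints nothing and returns 0, which is exactly the "no output except the header" result the comment describes.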