Bryan Whitehead wrote:

In Mandrake the iptables init script is executed before the network to prevent this.

the same should be true for gentoo...

there is a bug already:
http://bugs.gentoo.org/show_bug.cgi?id=27087

Comment 14 on this Bug is of interest to me and I think this is the way to do it--in part, anyway. Starting iptables immediately /after/ the network interfaces doesn't allow the compromise of any userland programs. This also allows one to configure their script to pull certain information from ifconfig if, for example, they're using DHCP on the WAN interface.


To have a "pre-if" and "post-if" is a bit redundant (see the Bug for details)--why go through the process of configuring iptables twice. The system isn't really vulnerable to any threat until network-aware services begin to load--which doesn't occur until after the network interfaces are loaded. If iptables is configured to load /immediately/ after the network interfaces then it will be protecting the system when those services begin to load--thus closing the "gaping hole" that was referred to in the bug.

Thomas T. Veldhouse wrote:

The problem I see with this method of using the iptables initscript is that
it starts after network (obviously). Network starts via net.ethX and has
defaulted everything to WIDE OPEN ... accept all packets! It is not until
after the iptables script is run that the network becomes protected
(assuming a decent firewall). Granted, the period of time things are open
is small, but it is a security hole. FreeBSD for instance will default to all
network traffic denied until firewall rules are set to tell it otherwise.
This should be the Linux default as well IMHO.


There probably should be a knob in the network scripts to block all network
activity until the firewall scripts run to tell it otherwise. Perhaps a
simple switch in /etc/conf.d/net that says FIREWALL=true which would force
the default to be to deny all packets.


Tom Veldhouse


gabriel wrote:


On November 19, 2003 02:59 pm, Tiago Lima wrote:

Sorry for this newbie question but what is the "best" way to start
iptables (and rules) on boot time?


hmmm.  while i can't tell you the "best" way, i can tell you what i
did.  i wrote a startup script with the following contents.  it may
not have been the best route to go, but this way, i have a panic
button if i need it ;-)


#!/sbin/runscript
#
# rc.firewall
# firewall script for alexandria
#

opts="start stop panic"

# the rules reference interfaces, so wait for the network to be up
depend() {
    need net
}

start() {
    ebegin "Enabling firewall"
    # >>>>>>>>>>>>>>>> firewall rules go here <<<<<<<<<<<<<<<<
    eend $?
}

stop() {
    ebegin "Disabling firewall"
    # open the default policies, then drop every rule and user chain
    iptables --policy INPUT     ACCEPT
    iptables --policy OUTPUT    ACCEPT
    iptables --policy FORWARD   ACCEPT
    iptables -t filter --flush
    iptables -t filter --delete-chain
    eend $?
}

panic() {
    ebegin "SHIELDS! WHERE ARE MY SHIELDS???"
    # clear the rules, keep loopback working, then drop everything else
    iptables -t filter --flush
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables --policy INPUT         DROP
    iptables --policy OUTPUT        DROP
    iptables --policy FORWARD       DROP   # added: the posted script only set INPUT and OUTPUT
    iptables -t filter --delete-chain
    eend $?
}

--
understand that legal and illegal are political, and often arbitrary,
categorizations; use and abuse are medical, or clinical, distinctions.
- abbie hoffman
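The two-phase bring-up that Thomas asks for (deny everything before the interfaces come up, then load the real rules once the DHCP-assigned address is known) is sketched here as an added example. It is not gabriel's script and not anything from the Gentoo bug. It assumes net-tools ifconfig output ("inet addr:"), a WAN interface named eth0, and an IPT variable that normally points at the iptables binary but can be set to echo to print the commands instead of running them.

```shell
#!/bin/sh
# Two-phase firewall bring-up (example code, not any poster's script).
#   lockdown    - default-deny everything but loopback; needs no interface
#                 configuration, so it can be ordered before the net.* scripts
#   apply_rules - the real ruleset, run after the interfaces are up so that
#                 the DHCP address of the WAN side is available
#
# IPT defaults to the real iptables; IPT=echo makes every function print
# the commands it would run (dry run / self-test).
IPT="${IPT:-iptables}"

# Assumed external interface name; change for the real system.
WAN_IF="${WAN_IF:-eth0}"

# Phase 1: close the box. Flush first so a previous ruleset cannot
# linger, then set DROP policies and re-allow loopback only.
lockdown() {
    "$IPT" -t filter --flush
    "$IPT" -t filter --delete-chain
    "$IPT" --policy INPUT   DROP
    "$IPT" --policy FORWARD DROP
    "$IPT" --policy OUTPUT  DROP
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
}

# Pull the IPv4 address out of net-tools style ifconfig output.
# Takes the text as an argument so it can be exercised offline on a
# constructed sample; on a live box pass "$(ifconfig "$WAN_IF")".
wan_addr_from_ifconfig() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Phase 2: stateful rules that reference the now-known WAN address.
# Refuses to run with an empty address rather than installing a rule
# with a missing -s argument.
apply_rules() {
    wan_addr="$1"
    [ -n "$wan_addr" ] || return 1
    # keep flows we started; block new inbound connections on the WAN side
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$WAN_IF" -m state --state NEW -j DROP
    # outbound only from our own address (no spoofed source), plus replies
    "$IPT" -A OUTPUT -o "$WAN_IF" -s "$wan_addr" -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone use: "sh firewall.sh lockdown" before net, "sh firewall.sh start" after.
case "${1:-}" in
    lockdown) lockdown ;;
    start)    apply_rules "$(wan_addr_from_ifconfig "$(ifconfig "$WAN_IF")")" ;;
esac
```

On Gentoo the lockdown half would live in a runscript ordered before net and the apply_rules half in one that needs net, which is the "pre-if"/"post-if" split the bug discussion mentions; the window Thomas describes, between net.ethX coming up with ACCEPT policies and the firewall script running, is closed because the policies are already DROP when the interface appears.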




--
[EMAIL PROTECTED] mailing list
