Re: init.d startup sequence for shorewall

2002-12-13 Thread Javier Fernández-Sanguino Peña
On Thu, Dec 12, 2002 at 04:18:17PM -0500, Raymond Wood wrote: There have been several responses to Yogesh's question, but none of them provide a clear and straightforward answer. Ok. Let me try again: this is a security risk. A gateway firewall _needs_ to be set up the following way: 0.-

Re: init.d startup sequence for shorewall

2002-12-13 Thread Phillip Hofmeister
On Thu, 12 Dec 2002 at 01:07:48PM -0800, Jeremy A. Puhlman wrote: Actually that seems to be a highly secure firewall...Firewalls with no power cannot be compromised via the network:-) Wake on Lan? :) -- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O -

Re: init.d startup sequence for shorewall

2002-12-13 Thread Pavel Minev Penev
On Fri, Dec 13, 2002 at 09:25:02AM +0100, Javier Fernández-Sanguino Peña wrote: On Thu, Dec 12, 2002 at 04:18:17PM -0500, Raymond Wood wrote: There have been several responses to Yogesh's question, but none of them provide a clear and straightforward answer. Ok. Let me try again: this is

Re: init.d startup sequence for shorewall

2002-12-13 Thread Javier Fernández-Sanguino Peña
On Fri, Dec 13, 2002 at 05:17:09PM +0200, Pavel Minev Penev wrote: /etc/network/interfaces pre-up I know you can do it there. Unfortunately, firewall packages in Debian (even ones I have packaged) do not do this properly (yet). Regards Javi

Re: init.d startup sequence for shorewall

2002-12-13 Thread Javier Fernández-Sanguino Peña
On Thu, Dec 12, 2002 at 01:07:48PM -0800, Jeremy A. Puhlman wrote: Actually that seems to be a highly secure firewall...Firewalls with no power cannot be compromised via the network:-) Neither can this one: http://www.ranum.com/pubs/a1fwall/ :) Javi

Re: init.d startup sequence for shorewall

2002-12-13 Thread Dale Amon
On Fri, Dec 13, 2002 at 05:47:19PM +0100, Javier Fernández-Sanguino Peña wrote: On Fri, Dec 13, 2002 at 05:17:09PM +0200, Pavel Minev Penev wrote: /etc/network/interfaces pre-up I know you can do it there. Unfortunately, firewall packages in Debian (even ones I have

Re: init.d startup sequence for shorewall

2002-12-12 Thread Jeremy A. Puhlman
- Original Message - From: Matt Zimmerman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December 12, 2002 12:55 PM Subject: Re: init.d startup sequence for shorewall On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote: networking comes up at S35 in runlevel 0

Re: init.d startup sequence for shorewall

2002-12-12 Thread Raymond Wood
On Thu, Dec 12, 2002 at 03:55:56PM -0500, Matt Zimmerman remarked: On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote: networking comes up at S35 in runlevel 0 so my internet is up and there is no firewall running so far. runlevel 0 is system shutdown and halt. The network is

Re: init.d startup sequence for shorewall

2002-12-12 Thread Yogesh Sharma
On Thu, 2002-12-12 at 12:55, Matt Zimmerman wrote: On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote: networking comes up at S35 in runlevel 0 so my internet is up and there is no firewall running so far. runlevel 0 is system shutdown and halt. The network is not brought up

Re: init.d startup sequence for shorewall

2002-12-12 Thread Daniel Swärd
networking comes up at S35 in runlevel 0 so my internet is up and there is no firewall running so far. runlevel 0 is system shutdown and halt. The network is not brought up in this runlevel. :-) Actually that seems to be a highly secure firewall...Firewalls with no power cannot

Re: init.d startup sequence for shorewall

2002-12-12 Thread Mitch Thompson
On Thu, 2002-12-12 at 15:07, Jeremy A. Puhlman wrote: - Original Message - From: Matt Zimmerman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December 12, 2002 12:55 PM Subject: Re: init.d startup sequence for shorewall On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh

Re: init.d startup sequence for shorewall

2002-12-12 Thread Matt Zimmerman
On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote: networking comes up at S35 in runlevel 0 so my internet is up and there is no firewall running so far. runlevel 0 is system shutdown and halt. The network is not brought up in this runlevel. :-) -- - mdz

Re: init.d startup sequence for shorewall

2002-12-12 Thread Jeremy A. Puhlman
- Original Message - From: Matt Zimmerman [EMAIL PROTECTED] To: debian-security@lists.debian.org Sent: Thursday, December 12, 2002 12:55 PM Subject: Re: init.d startup sequence for shorewall On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote: networking comes up at S35

Re: init.d startup sequence for shorewall

2002-12-12 Thread Mitch Thompson
On Thu, 2002-12-12 at 15:07, Jeremy A. Puhlman wrote: - Original Message - From: Matt Zimmerman [EMAIL PROTECTED] To: debian-security@lists.debian.org Sent: Thursday, December 12, 2002 12:55 PM Subject: Re: init.d startup sequence for shorewall On Wed, Dec 11, 2002 at 05:39:37PM

Re: init.d startup sequence for shorewall

2002-12-11 Thread Yogesh Sharma
On Tue, 2002-12-10 at 16:37, Kuba Jakubik wrote: Yogesh Sharma wrote: In my opinion shorewall must be started as soon as network is up. Can't you just mv S90shorewall S35shorewall? Yes, I can move this link, but the question is for security. In my opinion this should be fixed in package

Re: init.d startup sequence for shorewall

2002-12-11 Thread Yogesh Sharma
On Tue, 2002-12-10 at 22:05, Gene wrote: can you elaborate on your question, since you're using the box as a firewall, this particular service should be up first to ensure that your perimeter is in check.. also, if this is your gateway host, how else would you get your internal network to

init.d startup sequence for shorewall

2002-12-10 Thread Yogesh Sharma
Hello, I am using shorewall as firewall for my system. It has got 2 ethernet cards, one connected to the internet and one for the internal network. init.d/networking script is linked as S35networking and init.d/shorewall script is linked as S90shorewall. In my opinion shorewall must be started as soon as

Re: init.d startup sequence for shorewall

2002-12-10 Thread Kuba Jakubik
Yogesh Sharma wrote: Hello, I am using shorewall as firewall for my system. It has got 2 ethernet cards, one connected to the internet and one for the internal network. init.d/networking script is linked as S35networking and init.d/shorewall script is linked as S90shorewall. In my opinion shorewall must

Re: init.d startup sequence for shorewall

2002-12-10 Thread Javier Fernández-Sanguino Peña
On Tue, Dec 10, 2002 at 03:39:35PM -0800, Yogesh Sharma wrote: In my opinion shorewall must be started as soon as network is up. What does the list suggest? Is this a security problem? Yes, this is a security issue. If you take iptables, for example, it is run in S10. Any firewalling script

Re: init.d startup sequence for shorewall

2002-12-10 Thread Yogesh Sharma
On Tue, 2002-12-10 at 16:37, Kuba Jakubik wrote: Yogesh Sharma wrote: In my opinion shorewall must be started as soon as network is up. Can't you just mv S90shorewall S35shorewall? Yes, I can move this link, but the question is for security. In my opinion this should be fixed in package
