bootscripts

dagmar at speakeasy.net
Sat Sep 28 17:18:22 PDT 2002


On Fri, 27 Sep 2002, Mark Hymers wrote:

> (I tried to send this two days ago but my outgoing mail relay was b0rken)
>
> On Thu, 26, Sep, 2002 at 10:02:23AM -0500, Larry Lawrence spoke thus..
> > Firewall start scripts are S21
>
> That's exactly what I've used on my new system
>
> > Firewall kill scripts are K39 - the network does not go down until K80, but
> > we lose logging at K40, user processes at K50 and Disk access at K60.
>
> I *think* it would be safe to use K59 here.  I could be wrong though
> (and quite possibly am).  Reasoning: I don't think shutting down the
> firewall should write anything to sysklogd; neither does it require any
> current running processes to still be alive.
>
> What do other people think?

Changes to firewalling rules typically won't involve anything being
written to syslog, and you're right about the other point as well...
but... I can't think of _any_ reasonable justification for
disabling/removing firewalling rules during shutdown unless the network
cards themselves have already been disabled.  If anything this is just
opening up a possible window of opportunity during which someone might be
able to get the machine to route packets that would normally have been
denied.

If it's absolutely necessary for me to go rummaging through my old notes
to find the RFC where this is specifically mentioned I will, but I'm
hoping that a word to the wise will be sufficient.

K39 should be a do-nothing script under normal conditions.

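The ordering concern raised in this message can be checked mechanically. The following is an added example, not part of the original post or the LFS bootscripts: it flags a runlevel directory in which the firewall kill link sorts before the network kill link. It assumes links named `K<NN>firewall` and `K<NN>network`, and that the firewall script's stop action actually removes rules.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed link names:
# K<NN>firewall and K<NN>network inside one rc<N>.d-style directory.

# Print the two-digit sequence number of the kill link for service $2
# in directory $1, or print nothing if no such link exists.
kill_seq() {
    for link in "$1"/K[0-9][0-9]"$2"; do
        # An unmatched glob stays literal; skip it. Accept dangling symlinks.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}
        seq=${name#K}
        printf '%s\n' "${seq%"$2"}"
        return 0
    done
}

# Return 0 if the rules outlive the interfaces, 1 if the firewall is
# torn down while the network is still up.
audit_rc_dir() {
    fw=$(kill_seq "$1" firewall)
    net=$(kill_seq "$1" network)
    [ -z "$fw" ] && return 0    # no kill link: rules stay loaded
    [ -z "$net" ] && return 1   # rules removed, network never stopped
    # Equal numbers run alphabetically, so "firewall" would still go
    # first; only a strictly higher number is treated as safe.
    [ "${fw#0}" -gt "${net#0}" ] && return 0
    return 1
}

# Constructed layout matching the numbers in the thread: K39 and K80.
demo=$(mktemp -d)
: > "$demo/K39firewall"
: > "$demo/K80network"
if audit_rc_dir "$demo"; then
    echo "ok: firewall rules outlive the network interfaces"
else
    echo "warning: firewall kill link runs before network kill link"
fi
rm -rf "$demo"
```

A directory that passes this check can still carry a K39 link, provided its stop action is a no-op as the message suggests; the script only inspects link ordering, not what the stop action does.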