bootscripts

Henning Rohde Rohde.Henning at gmx.net
Sun Sep 29 05:18:17 PDT 2002


Hi Dagmar,
hi everybody else,

dagmar at speakeasy.net wrote:
> On Thu, 26 Sep 2002, Henning Rohde wrote:
> ...
>> But in private discussion I was convinced that it would be helpful to
>> provide a suggestion about the _number_ of the symlinks: immediately after
>> the creation / before the deletion of the [last/first] network interface.
>>
> ...
> Firewall rules need to be able to be put into place _before_ any network
> initialization happens per RFC ...

yes, you're right, they should be able to be that.

But I've seen a number of boxes where the $admin wanted them to do some 
(automatic) communication _before_ the firewalling-rules denied especially 
that kind of communication. Please do not argue about any silliness of this 
kind of setup, I'd just like to be open for it.

BTW: as long as we consider a "virgin" box, with no services running that 
could be reached via network, to be _un_vulnerable there should be no 
window for an attack as long as firewalling is started before any service.

We might argue on syslogd still running when firewalling is turned off: 
setups might exist where only the DMZ-servers are, via firewalling rules, 
allowed to log to a log-server [e.g., printing them immediately to paper].
There could be a tiny window, after firewalling was turned off while syslog 
is still running, for sending malicious packets to the log-server.

Just my 2 cents of EUR,

        Henning

-- 
"KDE 3.0.3 contains an important fix for handling SSL certificates ...
Users of Internet Explorer, which suffers from the same problem but which 
does not yet have a fix available, are also encouraged to switch to KDE 
3.0.3."
        Waldo Bastian in http://www.kde.org/announcements/announce-3.0.3.html
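
Added example, not part of the message above or of the LFS bootscripts: a check of the symlink numbering discussed in the thread, covering both the "firewall before any network initialization" ordering and the shutdown window with syslogd. The script names `firewall`, `network` and `sysklogd` and the `S##name` / `K##name` directory layout are assumptions.

```shell
#!/bin/sh
# Added example: names firewall/network/sysklogd and the S##/K## layout are assumptions.

# rc_seq DIR PREFIX NAME -> prints the two-digit number of DIR/PREFIX##NAME
rc_seq() {
    for f in "$1"/"$2"[0-9][0-9]"$3"; do
        [ -e "$f" ] || [ -L "$f" ] || return 1   # an unmatched glob stays literal
        b=${f##*/}; b=${b#?}
        printf '%s\n' "${b%"$3"}"
        return 0
    done
}

# check_rc_order START_DIR STOP_DIR
# returns 0 = ordering ok, 1 = ordering leaves a window, 2 = a link is missing
check_rc_order() {
    fw_s=$(rc_seq "$1" S firewall)  || { echo "missing S link: firewall"; return 2; }
    net_s=$(rc_seq "$1" S network)  || { echo "missing S link: network"; return 2; }
    fw_k=$(rc_seq "$2" K firewall)  || { echo "missing K link: firewall"; return 2; }
    log_k=$(rc_seq "$2" K sysklogd) || { echo "missing K link: sysklogd"; return 2; }
    rc=0
    # Equal numbers count as a failure: the order would then depend on name sorting.
    if [ "$fw_s" -ge "$net_s" ]; then
        echo "start: firewall S$fw_s does not run before network S$net_s"; rc=1
    fi
    # K links run in ascending order, so the firewall needs the higher number.
    if [ "$fw_k" -le "$log_k" ]; then
        echo "stop: firewall K$fw_k is removed while sysklogd K$log_k still runs"; rc=1
    fi
    return $rc
}

# Constructed demo layout: the start order is fine, the stop order leaves the window.
demo=$(mktemp -d)
mkdir "$demo/rc3.d" "$demo/rc6.d"
touch "$demo/rc3.d/S15firewall" "$demo/rc3.d/S20network" \
      "$demo/rc6.d/K80firewall" "$demo/rc6.d/K90sysklogd"
check_rc_order "$demo/rc3.d" "$demo/rc6.d" || echo "exit status: $?"
rm -rf "$demo"
```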