bootscripts

Larry larry at linuxfromscratch.org
Sun Sep 29 17:18:50 PDT 2002


On Sun, Sep 29, 2002 at 05:41:14PM -0500, dagmar at speakeasy.net wrote:
> On Sun, 29 Sep 2002, Henning Rohde wrote:
> 
> 
> > BTW: as long as we consider a "virgin" box, with no services running that
> > could be reached via network, to be _un_vulnerable there should be no
> > window for an attack as long as firewalling is started before any service.
> >
> > We might argue on syslogd still running when firewalling is turned off:
> > setups might exist where only the DMZ-server are, via firewalling rules,
> > allowed to log to a log-server [e.g., printing them immedately to paper].
> > There could be a tiny window, after firewalling was turned off while syslog
> > is still running, for sending malicious packets the log-server.
> 
> The network interfaces should _already be down_ before the firewalling
> would be turned off--which is why unless it's just a ruse before
> proceeding back _up_ through another runlevel, there's no real point in
> disabling the firewalling rules.  Thus, no window of this type should be
> available.
>

Henning ask for positions to be reserved and they are.  They are also
subject to change (BLFS or the builder).  I actually concur with Henning
about getting the firewall up before the services start and that time
between S20 and S21 just seems to small to worry about on BLFS's level.

As to Killing, my personal preference is never.  It's not really a kill
process anyway, it's a change to a different table which might be wide
open or restricted based on the needs of the user. 

Larry
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-dev' in the subject header of the message



More information about the blfs-dev mailing list