Iptables initialization

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Feb 14 08:56:06 PST 2004

On Fri, 2004-02-13 at 00:19, ken_i_m at elegantinnovations.net wrote:
> On Thu, Feb 12, 2004 at 04:54:49PM -0600, Dagmar d'Surreal (dagmar.wants at nospam.com) wrote:
> > (With respect to a host's participation in a network, it means that the
> > machine should initially respond to *no* packets whatsoever.  When a
> > host is acting as a firewall, it is especially important that this be
> > the case, and as to routers, it's actually documented in an RFC for
> > machines acting as routers that they should have their policies in place
> > before enabling any interface for routing.)
> Which RFC?
> > *snip*
> > 
> > Since in the LFS-bootscripts firewalling is not atomically tied to the
> > starting of the network (and trust me on this, trying to do it on a
> > per-interface basis is not a clean solution... been down that road and
> > came back tired)
> (Long trip?  Uphill all the way?)
> I have noticed that the network is initialized and working before the 
> firewall.  A gap.  One I have never measured but always assumed (at least 
> while I did not have time to do anything about it in any case) to be small 
> enough that it was an OK tradeoff.

Someone who is really determined can get a wee bit of information in
that window, and someone who is _really_ determined will find ways to
cause reboots to happen on demand (or at least more frequently) and may
even be able to think up something that will widen that window.  Even
for a router that's doing double-NAT, routing packets unintelligently is
just as good as letting noise confuse your network.

> > *snip* ... it's going to require
> > adding some new functionality to _many_ of the init.d scripts.  I've
> > just about got this all solved, but I want to see if there are any fresh
> > ideas to this end before I publish my solutions because someone just
> > might come up with something unique and useful.
> I look forward to reviewing your solutions.

I'll likely be posting the English parts tomorrow, and the code parts
tomorrow night or early in the week then.  Valentine's Day is going to
interfere with my work a bit and I've still got a hot crucible going on
the code.
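The boot-time window discussed in this thread (network up, firewall not yet loaded), as an added example that is not code from the original messages or from the LFS-bootscripts: a POSIX shell fragment that commits a default-deny ruleset with iptables-restore in one operation, checks that every built-in chain policy is DROP, and only then enables the interface. The interface name, the trusted subnet and the single permitted service (SSH from the LAN) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or the LFS-bootscripts.
# Goal: have the firewall policy in place before any interface can route
# or answer packets. Interface, subnet and service are assumptions.
set -eu

# Emit a ruleset in iptables-restore format. Policies are DROP on every
# built-in chain; loopback, established traffic and one LAN service are
# the only exceptions. Arguments: <lan_interface> <lan_subnet>
gen_ruleset() {
    lan_if=$1; lan_net=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if every built-in chain of the
# filter table has a DROP policy and the table is actually committed.
ruleset_is_default_deny() {
    awk '
        /^:INPUT DROP/   { i = 1 }
        /^:FORWARD DROP/ { f = 1 }
        /^:OUTPUT DROP/  { o = 1 }
        /^COMMIT$/       { c = 1 }
        END { exit !(i && f && o && c) }
    '
}

# Order of operations for a bootscript: generate, verify, load atomically,
# and only then bring the interface up. Requires root and iptables.
bring_up_firewalled() {
    lan_if=$1; lan_net=$2
    rules=$(gen_ruleset "$lan_if" "$lan_net")
    if ! printf '%s\n' "$rules" | ruleset_is_default_deny; then
        echo "refusing to enable $lan_if: ruleset is not default-deny" >&2
        return 1
    fi
    # iptables-restore swaps the whole table in one commit, so there is no
    # moment where the kernel's ACCEPT default is live with no rules.
    printf '%s\n' "$rules" | iptables-restore
    ip link set "$lan_if" up
}

# Only act when invoked explicitly, e.g. from a bootscript:
#   sh firewall.sh run eth0 192.168.1.0/24
if [ "${1:-}" = "run" ]; then
    bring_up_firewalled "$2" "$3"
fi
```

Loading with iptables-restore matters here because a sequence of individual iptables commands is itself a window: between the kernel's default ACCEPT policy and the last -A line the host is partially open, and a crash midway leaves it that way. iptables-restore replaces the whole table in one commit, and the verification step refuses to enable the interface at all if the policy that lands is not default-deny.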
