Iptables initialization

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Feb 14 08:58:47 PST 2004

On Fri, 2004-02-13 at 01:56, Carsten P. Gehrke wrote:
> ken_i_m at elegantinnovations.net wrote:
> I have noticed that the network is initialized and working before the
> firewall.  A gap.  One I have never measured but always assumed (at least
> while I did not have time to do anything about it in any case) to be small
> enough that it was an OK tradeoff.
> ==========
> I changed the order long ago, when I set up my first LFS box.  I run the 
> firewall script first, then start networking, and stop networking before I 
> tear down the firewall.  The gap was my concern, and I didn't see any 
> reason why networking had to be up before the iptables were 
> set.  Everything seems to work alright.  I've been wondering if I should 
> add some sort of flag that indicates the firewall is built as intended, and 
> have the network script test it before it activates the interfaces.

This is also a good thing.  For some, a newbie admin who improperly
replaces the kernel (and leaves out netfilter support, or one of many
other ways netfilter could just disappear) could find this to be a very
painful problem.  However, if the machine's job is to protect traffic "or
else", it's a good idea indeed to check that the proper things are
appearing in /proc before allowing anything higher-level to get started
up (or at least blow the ref whistle and call for runlevel 2).
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
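The ordering and the "is netfilter really there" check discussed above, as an added example that is not part of the thread or of the LFS/HLFS bootscripts: a POSIX sh fragment that refuses to load the ruleset unless the running kernel exposes ip_tables in /proc, leaves a flag file only when the rules loaded cleanly, and gives the network script a single function to call before it touches any interface. The paths (PROC_ROOT, FLAG_FILE, RULES_FILE) and the IPTABLES_RESTORE override are assumptions made here so the script can be exercised against a fake /proc tree; the real /proc/net/ip_tables_names file appears only once the ip_tables module (or built-in) is loaded and lists the registered tables.

```shell
#!/bin/sh
# Added example (not from the hlfs-dev thread or the LFS bootscripts).
# Firewall-before-network bootscript fragment with a netfilter sanity check.
#
# Assumptions (ours): PROC_ROOT defaults to /proc but can point at a fake
# tree for testing; the flag lives under /var/run; the ruleset is an
# iptables-restore dump; IPTABLES_RESTORE can be replaced by a stub.

PROC_ROOT="${PROC_ROOT:-/proc}"
FLAG_FILE="${FLAG_FILE:-/var/run/firewall.ok}"
RULES_FILE="${RULES_FILE:-/etc/firewall/rules.v4}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# netfilter_present: 0 when the kernel exposes the ip_tables interface.
# /proc/net/ip_tables_names exists only when ip_tables is loaded.
netfilter_present() {
    [ -r "$PROC_ROOT/net/ip_tables_names" ]
}

# table_loaded TABLE: 0 when TABLE (e.g. filter) is registered with ip_tables.
table_loaded() {
    netfilter_present && grep -qx "$1" "$PROC_ROOT/net/ip_tables_names"
}

# firewall_start: clear any stale flag, refuse to run without netfilter,
# load the ruleset, and set the flag only if everything succeeded.
firewall_start() {
    rm -f "$FLAG_FILE"
    if ! netfilter_present; then
        echo "firewall: no netfilter in running kernel, refusing to start" >&2
        return 1
    fi
    if ! "$IPTABLES_RESTORE" < "$RULES_FILE"; then
        echo "firewall: ruleset failed to load" >&2
        return 1
    fi
    # Belt and braces: the filter table must be registered after the restore.
    if ! table_loaded filter; then
        echo "firewall: filter table missing after restore" >&2
        return 1
    fi
    : > "$FLAG_FILE"
}

# network_may_start: the network bootscript calls this before any ifup.
# Both the flag and the live table are checked, so a flag left over from a
# previous boot (or a removed module) does not let traffic through unfiltered.
network_may_start() {
    [ -f "$FLAG_FILE" ] && table_loaded filter
}

# firewall_stop: drop the flag first so a racing network start is refused;
# the actual flush happens only after networking has been stopped.
firewall_stop() {
    rm -f "$FLAG_FILE"
}

# Bootscript-style dispatch; does nothing when sourced without arguments.
case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    check) network_may_start ;;
    *)     ;;
esac
```

In a real bootscript the firewall script runs before the network script in the start order and after it in the stop order, and the network script does `network_may_start || exit 1` (or drops to a lower runlevel) before bringing up interfaces. If ip_tables is built as a module, a `modprobe ip_tables` belongs before the check, since the /proc entry does not exist until the module is loaded.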

More information about the hlfs-dev mailing list