Iptables initialization

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Feb 14 08:58:47 PST 2004


On Fri, 2004-02-13 at 01:56, Carsten P. Gehrke wrote:
> ken_i_m at elegantinnovations.net wrote:
> 
> I have noticed that the network is initialized and working before the
> firewall.  A gap.  One I have never measured but always assumed (at least
> while I did not have time to do anything about it in any case) to be small
> enough that it was an OK tradeoff.
> 
> ==========
> 
> I changed the order long ago, when I set up my first LFS box.  I run the 
> firewall script first, then start networking, and stop networking before I 
> tear down the firewall.  The gap was my concern, and I didn't see any 
> reason why networking had to be up before the iptables were 
> set.  Everything seems to work alright.  I've been wondering if I should 
> add some sort of flag that indicates the firewall is built as intended, and 
> have the network script test it before it activates the interfaces.

This is also a good thing.  For some, a newbie admin who improperly
replaces the kernel (and leaves out netfilter support, or one of many
other ways netfilter could just disappear) could find this to be a very
painful problem; however, if the machine's job is to protect traffic "or
else", it's a good idea indeed to check that the proper things are
appearing in /proc before allowing anything higher-level to get started
up (or at least blow the ref whistle and call for runlevel 2).
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
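The two ideas in this exchange, a flag written by the firewall script that the network script tests before activating interfaces, and a check that netfilter actually shows up in /proc before anything higher-level starts, can be put into a few POSIX sh helpers. This is an added example, not code from the hlfs-dev thread or from LFS/HLFS; the flag path, the use of /proc/net/ip_tables_names as the "is netfilter here" signal, and the `iptables -S` output it parses are assumptions (the sample rule listings are constructed, so the script runs without root or a real kernel ruleset).

```shell
#!/bin/sh
# Added example: firewall-before-network ordering with a readiness flag.
# Assumed paths and sample data are marked below; nothing here is from the
# original thread or from any LFS/HLFS boot script.

FIREWALL_FLAG="${FIREWALL_FLAG:-/var/run/firewall.ok}"   # assumed flag path

# netfilter_present [proc_file]
# Returns 0 if the kernel has registered the iptables "filter" table. On a
# real box the node is /proc/net/ip_tables_names; a different path may be
# passed so the check can be exercised without a live kernel.
netfilter_present() {
    proc_file="${1:-/proc/net/ip_tables_names}"
    [ -r "$proc_file" ] && grep -q '^filter$' "$proc_file"
}

# policies_are_drop
# Reads `iptables -S`-style rules on stdin and returns 0 only when INPUT and
# FORWARD default to DROP. A box whose firewall script never ran shows the
# kernel default (ACCEPT), which is exactly the gap the thread worries about.
policies_are_drop() {
    awk '
        $1 == "-P" && $2 == "INPUT"   { input   = $3 }
        $1 == "-P" && $2 == "FORWARD" { forward = $3 }
        END { exit !(input == "DROP" && forward == "DROP") }
    '
}

# mark_firewall_ok flag_file
# Written by the firewall script once the ruleset is verified; the timestamp
# lets the network script tell a fresh flag from one left over by a crash.
mark_firewall_ok() {
    printf 'firewall-ok %s\n' "$(date +%s)" > "$1"
}

# firewall_ready flag_file
# Called by the network script before bringing interfaces up: 0 only if the
# flag exists and carries the marker line.
firewall_ready() {
    [ -r "$1" ] && head -n1 "$1" | grep -q '^firewall-ok '
}

# Constructed sample of `iptables -S` output on a closed-by-default host.
SAMPLE_RULES_GOOD='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Constructed sample of the kernel defaults seen when the script never ran.
SAMPLE_RULES_BAD='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# firewall_start_check flag_file proc_file rules_text
# Glue for the end of the firewall init script: write the flag only when
# netfilter is present AND the loaded policies are closed; otherwise make sure
# no stale flag survives so the network script refuses to bring links up.
# On a real box the third argument would come from: iptables -S
firewall_start_check() {
    flag="$1"; proc_file="$2"; rules="$3"
    if netfilter_present "$proc_file" && printf '%s\n' "$rules" | policies_are_drop; then
        mark_firewall_ok "$flag"
        return 0
    fi
    rm -f "$flag"
    return 1
}
```

In the network script the gate is a single line, `firewall_ready "$FIREWALL_FLAG" || exit 1`, placed before the interfaces are configured; the firewall script removes the flag on stop, so the "stop networking before tearing down the firewall" ordering from the thread is enforced rather than assumed.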