Iptables initialization

ken_i_m at elegantinnovations.net ken_i_m at elegantinnovations.net
Sun Feb 15 15:16:39 PST 2004


On Sat, Feb 14, 2004 at 10:56:06AM -0600, Dagmar d'Surreal (dagmar.wants at nospam.com) wrote:
> On Fri, 2004-02-13 at 00:19, ken_i_m at elegantinnovations.net wrote:
> > On Thu, Feb 12, 2004 at 04:54:49PM -0600, Dagmar d'Surreal (dagmar.wants at nospam.com) wrote:
> > > Since in the LFS-bootscripts firewalling is not atomically tied to the
> > > starting of the network (and trust me on this, trying to do it on a
> > > per-interface basis is not a clean solution... been down that road and
> > > came back tired)
> > I have noticed that the network is initialized and working before the 
> > firewall.  A gap.  One I have never measured but always assumed (at least 
> > while I did not have time to do anything about it in any case) to be small 
> > enough that it was an OK tradeoff.
> Someone who is really determined can get a wee bit of information in
> that window, and someone who is _really_ determined will find ways to
> cause reboots to happen on demand (or at least more frequently) and may
> even be able to think up something that will widen that window.

Agreed.  I knew it was a weakness but time simply has not allowed me to 
do anything about it yet.

With this on my mind I was making some changes to the rc scripts on a 
slackware server and checked when the firewall is started.  Not until 
after nfs.  Not good.

Now I have a good argument to obtain approval to budget time for this.
-- 
I think, therefore, ken_i_m
Chief Gadgeteer, Elegant Innovations
Founder, Bozeman Linux Users Group
(406) 581-0495
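The ordering problem the thread describes (network, and on the Slackware box even nfs, coming up before the firewall) is easy to check for on a SysV-style runlevel directory. The following audit script is an added example, not code from the post or from the LFS/HLFS bootscripts; it assumes the conventional `S<NN><name>` start-link naming and that the relevant links contain the substrings `firewall`, `network` and `nfs`, which are constructed assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit a SysV-style runlevel
# directory and warn when the firewall start link does not sort before the
# network or nfs start links. Link names are assumptions for this example.

# Print the two-digit sequence number of the first S-link in $1 whose name
# contains $2; return 1 if there is no such link.
first_seq() {
    dir="$1"; pat="$2"
    for f in "$dir"/S??*"$pat"*; do
        [ -e "$f" ] || continue
        basename "$f" | cut -c2-3
        return 0
    done
    return 1
}

# Return 0 if the firewall link sorts strictly before every network link,
# 1 if any network link starts first (or shares the same number, which
# leaves the order to alphabetical luck), 2 if there is no firewall link.
firewall_first() {
    dir="$1"
    fw=$(first_seq "$dir" firewall) || {
        echo "WARN: no firewall start link in $dir" >&2
        return 2
    }
    rc=0
    for svc in network nfs; do
        seq=$(first_seq "$dir" "$svc") || continue
        if [ "$fw" -ge "$seq" ]; then
            echo "WARN: S${fw}*firewall does not precede S${seq}*${svc} in $dir" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample runlevel directory mirroring the ordering the post
# complains about: network and nfs are started before the firewall.
make_bad_sample() {
    d=$(mktemp -d)
    for n in S10network S20nfs S30firewall; do : > "$d/$n"; done
    echo "$d"
}

# Constructed sample with the firewall ordered first, i.e. the fix.
make_good_sample() {
    d=$(mktemp -d)
    for n in S05firewall S10network S20nfs; do : > "$d/$n"; done
    echo "$d"
}

# Stand-alone usage: audit a real runlevel directory, default /etc/rc.d/rc3.d.
if [ -n "$1" ] || [ -d /etc/rc.d/rc3.d ]; then
    firewall_first "${1:-/etc/rc.d/rc3.d}" && echo "OK: firewall starts first"
fi
```

The check only finds the gap; closing it is a matter of moving the firewall link ahead of the network link (or, as the thread prefers, having a single script set default DROP policies before any interface is brought up) so that no packet is accepted in the window between the two.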



More information about the hlfs-dev mailing list