The problem I see with this method of using the iptables initscript is that
it starts after network (obviously). Network starts via net.ethX and has
defaulted everything to WIDE OPEN ... accept all packets! It is not until
after the iptables script is run that the network becomes protected
(assuming a decent firewall). Granted, the period of time things are open
is small, but it is a security hole. FreeBSD, for instance, will default to
all network traffic denied until firewall rules are set to tell it otherwise.
This should be the Linux default as well IMHO.
There probably should be a knob in the network scripts to block all network
activity until the firewall scripts run to tell it otherwise. Perhaps a
simple switch in /etc/conf.d/net that says FIREWALL=true which would force
the default to be to deny all packets.
Tom Veldhouse
gabriel wrote:
> On November 19, 2003 02:59 pm, Tiago Lima wrote:
>> Sorry for this newbie question but what is the "best" way to start
>> iptables (and rules) on boot time?
>
> Hmmm. While I can't tell you the "best" way, I can tell you what I
> did. I wrote a startup script with the following contents. It may
> not have been the best route to go, but this way, I have a panic
> button if I need it ;-)
>
>
> #!/sbin/runscript
>
> #
> # rc.firewall
> # firewall script for alexandria
> #
>
> opts="start stop panic"
>
> depend() {
>     need net
> }
>
> start() {
>     ebegin "Enabling firewall"
>
>     # >>>>>>>>>>>>>>>> firewall rules go here <<<<<<<<<<<<<<<<
>
>     eend $?
> }
>
> stop() {
>     ebegin "Disabling firewall"
>
>     iptables --policy INPUT ACCEPT
>     iptables --policy OUTPUT ACCEPT
>     iptables --policy FORWARD ACCEPT
>
>     iptables -t filter --flush
>     iptables -t filter --delete-chain
>
>     eend $?
> }
>
> panic() {
>     ebegin "SHIELDS! WHERE ARE MY SHIELDS???"
>
>     iptables -t filter --flush
>
>     iptables -A INPUT -i lo -j ACCEPT
>     iptables -A OUTPUT -o lo -j ACCEPT
>
>     iptables --policy INPUT DROP
>     iptables --policy OUTPUT DROP
>
>     iptables -t filter --delete-chain
>
>     eend $?
> }
>
> --
> understand that legal and illegal are political, and often arbitrary,
> categorizations; use and abuse are medical, or clinical, distinctions.
> - abbie hoffman
--
[EMAIL PROTECTED] mailing list
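The FIREWALL=true knob Tom proposes above, sketched as an added example (not code from the thread or from Gentoo): a pre-network lockdown that default-denies everything except loopback, meant to be called from a runscript whose depend() declares `before net`, so the window between net.ethX coming up and the real rule set loading is closed. The conf path (`/etc/conf.d/net`, overridable via `$NET_CONF`) and the `$IPTABLES` override for dry runs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: lock the box down before the network
# starts if /etc/conf.d/net (assumed location) contains FIREWALL=true.
# IPTABLES can be overridden (e.g. IPTABLES=echo) to dry-run without root.

NET_CONF="${NET_CONF:-/etc/conf.d/net}"
IPTABLES="${IPTABLES:-iptables}"

# Returns 0 only if the last FIREWALL= line in the conf file says "true".
firewall_enabled() {
    [ -r "$NET_CONF" ] || return 1
    val=$(sed -n 's/^[[:space:]]*FIREWALL=["'\'']*\([A-Za-z]*\).*/\1/p' "$NET_CONF" | tail -n 1)
    [ "$val" = "true" ]
}

# Default-deny on every filter chain, loopback excepted. The loopback ACCEPT
# rules go in before the policies flip so local services never see a gap.
lockdown() {
    "$IPTABLES" -t filter --flush
    "$IPTABLES" -A INPUT  -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    "$IPTABLES" --policy INPUT   DROP
    "$IPTABLES" --policy FORWARD DROP
    "$IPTABLES" --policy OUTPUT  DROP
}

# What the "before net" runscript's start() would call: lock down only when
# the knob is set. Returns 0 if rules were applied, 1 if the knob is off.
prenet_start() {
    if firewall_enabled; then
        lockdown
        return 0
    fi
    return 1
}
```

The regular firewall script (gabriel's rc.firewall, say) then still runs after net and replaces the lockdown with the real rule set; if it never runs, the host simply stays closed.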