Thomas Smith wrote:
Bryan Whitehead wrote:
In Mandrake the iptables init script is executed before the network to prevent this.
The same should be true for Gentoo...
There is a bug already:
http://bugs.gentoo.org/show_bug.cgi?id=27087
Comment 14 on this Bug is of interest to me and I think this is the way to do it--in part, anyway. Starting iptables immediately /after/ the network interfaces doesn't allow the compromise of any userland programs. This also allows one to configure their script to pull certain information from ifconfig if, for example, they're using DHCP on the WAN interface.
To have a "pre-if" and "post-if" is a bit redundant (see the Bug for details)--why go through the process of configuring iptables twice? The system isn't really vulnerable to any threat until network-aware services begin to load--which doesn't occur until after the network interfaces are loaded. If iptables is configured to load /immediately/ after the network interfaces then it will be protecting the system when those services begin to load--thus closing the "gaping hole" that was referred to in the bug.
You might want to add comments to the bug as it looks like many of the developers think it's not a big deal... might want to reference this thread to show it is a concern of users... and other distros correctly run iptables first.
I actually just finished adding similar comments to the mentioned Bug. I didn't, however, reference this thread--I'll do that now, though.
Thanks for the input.
-- [EMAIL PROTECTED] mailing list
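As an added illustration of the ordering discussed above (not code from the thread or from the Gentoo bug), a two-phase sketch in POSIX shell: phase one is what an init script would run before net.*, phase two what it would run immediately after. The WAN interface name eth0, DHCP on the WAN side, sshd as the exposed service and the IPT override for a dry run are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Gentoo bug.  Assumed: WAN on
# eth0 via DHCP, sshd as the only exposed service, IPT overridable
# (IPT=echo prints the rules instead of loading them, so no root needed).
# In Gentoo init scripts the two phases would carry
#   depend() { before net; }   for firewall_preif
#   depend() { after net; }    for firewall_postif (services start later)
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

# Phase 1, before any interface is up: default DROP, loopback only.
# Nothing network-aware is reachable while the interfaces come up.
firewall_preif() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# Pull the IPv4 address of interface $1 out of ifconfig output on stdin.
# Handles both the classic "inet addr:x" and the newer "inet x" layouts.
wan_addr_from_ifconfig() {
    awk -v ifname="$1" '
        $1 == ifname || $1 == (ifname ":") { inblock = 1; next }
        /^[^ \t]/                           { inblock = 0 }
        inblock && $1 == "inet"             { sub(/^addr:/, "", $2); print $2; exit }
    '
}

# Phase 2, right after net.* and before the services: the DHCP lease is
# known now, so rules can be bound to the actual WAN address.
firewall_postif() {
    wan_ip="$1"
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i "$WAN_IF" -d "$wan_ip" -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Constructed ifconfig output for a dry run; on a live box phase 2 would use
#   wan_ip=$(ifconfig "$WAN_IF" | wan_addr_from_ifconfig "$WAN_IF")
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'
```

Running with `IPT=echo` prints the rule set each phase would load, which is a quick way to check that the pre-interface phase contains nothing but the DROP policies and loopback rules.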
