It might be worth mentioning that it would be wise to default all chains to deny [upon network startup] in the case that netfilter is part of the kernel. If there is no filtering in the kernel, there is no need to worry about it. I think a simple /proc check would deal with this just fine.
Tom Veldhouse

----- Original Message -----
From: "Michael C. Ferguson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 19, 2003 6:35 PM
Subject: Re: [gentoo-user] What is the best way to start iptables on boot time?

> On Wednesday 19 November 2003 05:21 pm, Thomas Smith wrote:
>
> > This script is a good idea but wouldn't it be better to block all
> > traffic when you clear the iptables rules? From a security perspective,
> > /all/ traffic should be stopped in the event of a security threat.
>
> imho, no. At least, it shouldn't be the default option. If iptables is
> stopped, I would expect that there is no use of iptables (both modules in the
> kernel, and rules in the iptables).
>
> I could see putting something in /etc/conf.d/iptables, such as
> DROP_ALL_ON_STOP. If this option is 1, then when iptables is stopped we reset
> everything to DROP, instead of to ACCEPT (which should be the default).
>
> Best regards,
>
> --
> Michael C. Ferguson
>
> [EMAIL PROTECTED] mcf $ man life
> No manual entry for life
>
> --
> [EMAIL PROTECTED] mailing list
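The two ideas in this thread, a DROP_ALL_ON_STOP switch and a /proc check for whether the kernel does any filtering at all, combined in one stop helper. This is an added example, not a script from the thread or from Gentoo's init scripts; it assumes the kernel lists its loaded tables in /proc/net/ip_tables_names and that DROP_ALL_ON_STOP is sourced from /etc/conf.d/iptables (here a plain shell variable). It defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: stop action for an iptables init script.
# Assumptions (not from the thread): PROC_TABLES lists the tables the
# kernel currently has loaded; DROP_ALL_ON_STOP would come from
# /etc/conf.d/iptables; DRY_RUN=1 prints instead of changing anything.

IPTABLES="${IPTABLES:-iptables}"
PROC_TABLES="${PROC_TABLES:-/proc/net/ip_tables_names}"
DROP_ALL_ON_STOP="${DROP_ALL_ON_STOP:-0}"
DRY_RUN="${DRY_RUN:-1}"

# True only if the kernel actually has the filter table available,
# i.e. netfilter is built in or the ip_tables module is loaded.
netfilter_present() {
    [ -r "$PROC_TABLES" ] && grep -qx filter "$PROC_TABLES"
}

# Policy the built-in chains fall back to once the rules are cleared:
# DROP when the admin opted in, ACCEPT otherwise (the thread's default).
stop_policy() {
    if [ "$DROP_ALL_ON_STOP" = "1" ]; then
        echo DROP
    else
        echo ACCEPT
    fi
}

# Run (or, in dry-run mode, just print) one iptables command.
run_cmd() {
    echo "$IPTABLES $*"
    [ "$DRY_RUN" = "1" ] || "$IPTABLES" "$@"
}

# Stop action. Returns 1 and touches nothing when the kernel does no
# filtering; otherwise sets the fallback policy first, so that a DROP
# fallback is in place before the rules are flushed.
iptables_stop() {
    netfilter_present || return 1
    policy=$(stop_policy)
    for chain in INPUT FORWARD OUTPUT; do
        run_cmd -P "$chain" "$policy"
    done
    run_cmd -F
    run_cmd -X
}

# Usage: DROP_ALL_ON_STOP=1 DRY_RUN=0 . ./iptables-stop.sh && iptables_stop
```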
