On Aug 7, 2006, at 7:35 PM, Stewart Stremler wrote:
> Of course, thinking about it, aren't iptables rules applied *after* the interface comes up? So there's a window-of-attack on reboot, right? Or is this a site-dependent problem?
Depends. You can set some global rules that don't depend on an interface, if you use source and/or destination addresses.
Also, back at my last job, I actually crafted the firewalls so that I could flush/refresh certain chains at will, and add/remove rules as I desired. I was doing it mainly as an ACL-type chain (i.e., jump to this chain, and if the source address matches a rule, RETURN, with a default REJECT at the end of the chain).
If you're using Shorewall, there's a very handy architecture you can leverage to add in your own scripts and such.
Gregory -- Gregory K. Ruiz-Ade <[EMAIL PROTECTED]> OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
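The ACL-type chain Gregory describes (jump to a chain, RETURN on a matching source address, default REJECT at the end), written out as an added example. This is not code from the message or from Shorewall; the chain name `ssh_acl`, the hook on TCP port 22, the `DRY_RUN` switch and the TEST-NET sample addresses are this example's own assumptions. The chain is flushed and refilled in one function, so the allow-list can be refreshed at any time without touching the rule that jumps to it, and the jump itself matches on protocol and port rather than on an interface name.

```shell
#!/bin/sh
# Added example (not from the original message or from Shorewall): an
# ACL-style iptables chain that can be flushed and rebuilt at will.
# Matching sources RETURN to the caller; everything else hits the REJECT
# at the end of the chain. Chain name, port and DRY_RUN are assumptions.

IPT="${IPT:-iptables}"

# Execute a command, or just print it when DRY_RUN=1, so the script can be
# previewed without root and without touching the live ruleset.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# acl_rebuild CHAIN SRC... : (re)create CHAIN from scratch with one RETURN
# rule per allowed source address/CIDR and a final catch-all REJECT.
# Flushing then refilling means the chain can be refreshed whenever the
# allow-list changes, while the rule that jumps to it stays in place.
acl_rebuild() {
    chain="$1"; shift
    run "$IPT" -N "$chain" 2>/dev/null || true   # no-op if it already exists
    run "$IPT" -F "$chain"
    for src in "$@"; do
        run "$IPT" -A "$chain" -s "$src" -j RETURN
    done
    run "$IPT" -A "$chain" -j REJECT
}

# acl_hook CHAIN PORT : send inbound TCP traffic for PORT through CHAIN.
# The jump matches on protocol and port, not on an interface name (-i),
# so it does not depend on any particular interface being configured.
acl_hook() {
    chain="$1"; port="$2"
    if [ "${DRY_RUN:-0}" != 1 ] && \
       "$IPT" -C INPUT -p tcp --dport "$port" -j "$chain" 2>/dev/null; then
        return 0                                  # already hooked
    fi
    run "$IPT" -I INPUT -p tcp --dport "$port" -j "$chain"
}

# acl_teardown CHAIN PORT : remove the hook, then flush and delete the chain.
acl_teardown() {
    chain="$1"; port="$2"
    run "$IPT" -D INPUT -p tcp --dport "$port" -j "$chain"
    run "$IPT" -F "$chain"
    run "$IPT" -X "$chain"
}

# Usage: [DRY_RUN=1] sh acl.sh 192.0.2.10 203.0.113.0/24
# (sample addresses are TEST-NET ranges; run as root without DRY_RUN to apply)
if [ "$#" -gt 0 ]; then
    acl_rebuild ssh_acl "$@"
    acl_hook ssh_acl 22
fi
```

Running it with `DRY_RUN=1` prints the five rule commands for the chain plus the single `-I INPUT` hook, which is a quick way to review the generated ruleset before applying it; re-running `acl_rebuild` with a new address list is the "flush/refresh at will" operation, and `acl_teardown` removes the hook before deleting the chain, since iptables will not delete a chain that is still referenced.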
