firewall-init for iptables

Jacek Konieczny jajcus at pld.org.pl
Thu Mar 8 16:54:05 CET 2001


On Thu, Mar 08, 2001 at 01:05:37AM +0100, Jan Rekorajski wrote:
> > And one more thing. I think you should change the name of the project.
> > This is quite different from original firewall-init. Maybe the
> > firewall-init is still developed (in other distribution).
> 
> As I am the maintainer of this package I don't care ;>
I thought it came from some other distribution.
> But maybe I change the name.

You made the firewall-init read the RPC information, but for me
firewall-init is started before portmap!
But this is not a big problem. The big security problem is that there is
a delay between network and firewall-init being started. In particular,
forwarding is enabled for some time before the firewall is set up. It is a
long enough time that some exploit packets could be sent to the internal network.
I think there should be two init scripts:

1. firewall-preinit --- started before /etc/rc.d/init.d/network
  Which would disable everything except loopback traffic (which can be
needed in further startup scripts)

2. firewall --- started after /etc/rc.d/init.d/portmap and other needed
subsystems
  It would set up everything else and THEN remove iptables entries
inserted by firewall-preinit.

IMHO such configuration would be safe, without any race conditions.

Greets,
        Jacek
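The two-stage startup proposed in the mail above, as an added example; this is not code from the mail or from PLD's firewall-init package. Stage 1 inserts a dedicated block chain (the chain name `preinit-block`, the small placeholder ruleset in `firewall_rules`, and the use of sysctl for the forwarding flag are all assumptions of the example) ahead of INPUT, OUTPUT and FORWARD before the network script runs; stage 2 appends the real rules behind that block and only then deletes the block, so at no point between the two scripts is the host open or forwarding. By default the script prints the iptables commands instead of running them; `stage2_order_ok` checks that the removal of the block really comes after every rule-installing command.

```shell
#!/bin/sh
# Added example, not code from the original mail or from PLD's firewall-init.
# Two-stage boot firewall: stage 1 blocks everything except loopback before
# the network comes up; stage 2 installs the real ruleset and only then
# removes the stage-1 block, so the host is never open in between.
#
# IPT and SYSCTL default to "echo ...", which prints the commands instead of
# running them; set IPT=iptables SYSCTL=sysctl (as root) to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
# Hypothetical chain name; anything the real ruleset does not use works.
BLOCK_CHAIN="preinit-block"

# Stage 1 (firewall-preinit): run before /etc/rc.d/init.d/network.
firewall_preinit() {
    # Keep forwarding off until stage 2 has FORWARD rules in place.
    $SYSCTL -w net.ipv4.ip_forward=0
    # A dedicated chain lets stage 2 remove exactly these rules later.
    $IPT -N "$BLOCK_CHAIN"
    $IPT -A "$BLOCK_CHAIN" -i lo -j ACCEPT   # loopback on the INPUT path
    $IPT -A "$BLOCK_CHAIN" -o lo -j ACCEPT   # loopback on the OUTPUT path
    $IPT -A "$BLOCK_CHAIN" -j DROP
    # Jump to it first, ahead of anything already in the built-in chains.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -I "$chain" 1 -j "$BLOCK_CHAIN"
    done
}

# The real ruleset; a deliberately small placeholder for the site's policy.
# Rules are appended (-A), so they land behind the stage-1 jump.
firewall_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stage 2 (firewall): run after portmap and the other services whose
# information the ruleset needs.
firewall_main() {
    firewall_rules
    # Only now take the stage-1 block out: the jumps first, then the chain.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -D "$chain" -j "$BLOCK_CHAIN"
    done
    $IPT -F "$BLOCK_CHAIN"
    $IPT -X "$BLOCK_CHAIN"
    # Forwarding is enabled last, when FORWARD already has its rules.
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Returns 0 when, in the stage-2 command list, every rule-installing
# command precedes the first command that removes the stage-1 block.
stage2_order_ok() {
    firewall_main | awk -v chain="$BLOCK_CHAIN" '
        $0 ~ ("-D [A-Z]+ -j " chain) && !seen_rm { seen_rm = 1 }
        /-A INPUT|-A FORWARD|-P / && seen_rm { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    preinit) firewall_preinit ;;
    start)   firewall_main ;;
    *)       echo "usage: $0 {preinit|start}" >&2 ;;
esac
```

Run it as `sh script preinit` from the early init script and `sh script start` from the late one; with the defaults it only prints, which is a convenient way to review the rule order before setting `IPT=iptables`. The reason for a separate chain rather than default-policy changes is that stage 2 must remove precisely what stage 1 added without touching its own rules, and a named chain makes that deletion unambiguous.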


