On Sunday 12 January 2003 03:01 am, Arnt Karlsen wrote:

> ..the wee point I was trying to make, is an iptables firewall is
> vulnerable while it is being set up, so echo "0" first to stop
> forwarding, set up the firewall, and echo "1" at the end of the
> script to start forwarding again, a wee nit into your helpful
> responses to him.

I do this myself in my script, but believe there is an additional solution, at least for some distros:

I'm running RedHat 7.3, and so everything runs off SysV-Init. I was greatly bothered by the fact that the S07iptables startup link would get run quite a bit (well, a few seconds at least :^) before my firewall would. Changing my firewall to a lower number in the sequence wouldn't work easily, since I'm on a Dynamic IP at the moment and had to start up ADSL to get the IP, since I use it 'statically' in SNAT. It also would need (or at least want) syslog up and running. Couldn't easily move ADSL up in the sequence, since it depended on networking in general. Everything is pretty much fixed in the sequence it already starts in.

Then it occurred to me: Modify the /etc/init.d/iptables script to set DROP policies, instead of the horribly shortsighted ACCEPT default it uses. As soon as this occurred to me I changed it, and I feel much more comfortable now, knowing that if the whole startup collapses right after iptables and network scripts, I'm still not wide open.

My sequence now is iptables->ip6tables->network->syslog->ADSL->firewall->ip6firewall->freenet (freenet is the startup for the IPv6inIPv4 tunnel)

I modified the /etc/init.d/iptables script to set DROP policies in both the 'start' and 'stop' functions.

Despite being more comfortable with this, I'd like to hear if anyone sees a hole in my reasoning.

j
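The ordering both posters describe (forwarding off first, DROP policies before any rule exists, forwarding back on last, and a "stop" that also ends in DROP) as a small fail-closed script. This is an added example, not either poster's script: the interface names and LAN subnet are constructed placeholders, and MASQUERADE stands in for the post's SNAT so no WAN address is needed. With DRY_RUN=1 it prints the plan instead of touching the kernel, so the sequence can be inspected without root.

```shell
#!/bin/sh
# Fail-closed firewall start/stop in the order discussed in the thread.
# Placeholders (constructed, not from the post): eth0, ppp0, 192.168.1.0/24.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# set_forwarding 0|1: the "echo 0 / echo 1" step from the quoted reply.
set_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'echo %s > /proc/sys/net/ipv4/ip_forward\n' "$1"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

firewall_start() {
    set_forwarding 0                      # 1. nothing is routed while we work
    run iptables -P INPUT DROP            # 2. fail closed before any rule is loaded
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -F                       # 3. clear old rules, then load the new set
    run iptables -t nat -F
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    set_forwarding 1                      # 4. only now start routing again
}

# "stop" flushes the rules but keeps DROP policies, as the post's modified
# init script does, instead of falling back to the ACCEPT default.
firewall_stop() {
    set_forwarding 0
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
}

# Print the plan when invoked with DRY_RUN=1; apply it as root with DRY_RUN=0.
if [ "${DRY_RUN:-0}" = "1" ]; then firewall_start; fi
```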