network/iptables start order

In what order should I have /etc/init.d/network and my iptables setup script (henceforth called "iptables") start?

If network starts first, netfilter defaults all filter chains in ACCEPT policy, so there's a tiny chance that someone could do something unwanted. Is this sufficient reason to start iptables or otherwise change chain policies before network? I'm thinking yes.

If iptables starts before network, then network could override settings in /proc/sys/net when it calls upon /etc/sysctl.conf. Additionally, it would be harder to identify dynamic IPs, additional IPs set with "ip addr add," etc. simply because the network isn't up yet.

Some choices are:
1) load a "stub" with priority 9 that will set all chains in table to DROP policy, and have iptables start after network.
2) have a stub with priority 11 reset the wanted sysctl settings, and have iptables start before network
3) either of the above by calling the entire firewall script both before and after network .. ugh
4) simply have the firewall script start after network, ignoring the brief security hole.


As much as possible, I'd like to have my firewall script(s) be self-contained... that is, I'd prefer that it didn't modify sysctl.conf, /etc/init.d/network, etc. directly. Any thoughts? Thanks!

--Curby
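The "stub" idea in option 1, as an added example that is not part of Curby's post: a small script that can run before network and set the filter table's built-in chains to DROP policy atomically with iptables-restore, plus an offline check (run against iptables-save text) that all three built-ins really are DROP. The ruleset keeps loopback and already-established connections open so an existing admin session survives the gap between the stub and the full firewall. The sample iptables-save output is constructed; the function names and the loopback/conntrack rules are this example's choices, not anything from the original thread.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes iptables-restore and iptables-save exist at runtime (apply_stub needs root).

# Emit a minimal stub ruleset: every filter built-in chain defaults to DROP,
# loopback stays open, and established/related traffic is still allowed.
stub_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Apply the stub in one atomic step; the full firewall script replaces it later.
# Requires root; not exercised by the offline checks below.
apply_stub() {
  stub_ruleset | iptables-restore
}

# Read iptables-save text on stdin and print the policy of chain $2 in table $1
# ("MISSING" if the chain is not declared in that table).
chain_policy() {
  table="$1"; chain="$2"
  awk -v t="*$table" -v c=":$chain" '
    $0 == t { in_table = 1; next }
    /^\*/   { in_table = 0 }
    in_table && $1 == c { print $2; found = 1; exit }
    END { if (!found) print "MISSING" }'
}

# Return 0 only if INPUT, FORWARD and OUTPUT in the filter table on stdin are all DROP.
all_filter_drop() {
  save="$(cat)"
  for ch in INPUT FORWARD OUTPUT; do
    p="$(printf '%s\n' "$save" | chain_policy filter "$ch")"
    [ "$p" = "DROP" ] || return 1
  done
  return 0
}

# Constructed sample: what iptables-save shows when network came up first and
# nothing touched netfilter yet (kernel defaults, everything ACCEPT).
OPEN_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Offline demonstration: the stub passes the check, the untouched defaults do not.
if stub_ruleset | all_filter_drop; then
  echo "stub ruleset: all filter chains DROP"
fi
if printf '%s\n' "$OPEN_SAMPLE" | all_filter_drop; then
  echo "defaults: all filter chains DROP"
else
  echo "defaults: at least one filter chain is not DROP"
fi
```

On a live box, `iptables-save | all_filter_drop` after the stub has run gives a quick way to confirm the policies took before network starts; the same check against the real firewall script's output makes sure the later, full ruleset did not silently fall back to ACCEPT policies.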



