
Re: Firewall not applying some rules on startup




>>I'd say your firewall is starting up before nfs in your rc scripts, so
>>your NFSPORTS_ARRAY is empty. Try changing the firewall to start up
>>after nfs.
> 
> 
> ..that would leave it open for a wee while, no?
> I'd rather just rerun the nfs firewalling, either from
> rc.local or off an extra /etc/rc2.d/S22iptables link, if it's just 
> nfs, if you have more stuff later than /etc/rc2.d/S21nfs-common,
> add more delay or extra /etc/rc2.d/SNNiptables links.
> 

Or even better - right after networking comes up, start an iptables
script that is just the policies with DROP except for lo...
Then, after all other daemons come up, have another script that starts
your allows and such.
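
A concrete form of that two-stage start-up, added here as an illustration and not code from either poster: stage one sets DROP policies and lets only lo through, stage two (run after nfs-common and friends are up) reads the RPC ports from `rpcinfo -p` at that moment and adds the allows, so there is no array that was empty when the first script ran. Assumes a single interface name passed as an argument and a constructed `rpcinfo -p` sample; IPTABLES defaults to `echo` so the rules are only printed.

```shell
#!/bin/sh
# Two-stage iptables start-up. IPTABLES defaults to "echo" so the rules are
# printed rather than loaded; set IPTABLES=/sbin/iptables to apply them.
IPTABLES="${IPTABLES:-echo}"

# Stage 1: run right after networking is up. Default-DROP policies; only
# loopback traffic passes until stage 2 runs.
early_policy() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
}

# Parse "rpcinfo -p" output (stdin) into unique "proto port" pairs for the
# NFS-related RPC services, i.e. read the ports after nfs has registered.
nfs_ports() {
    awk 'NR > 1 && $5 ~ /^(portmapper|nfs|mountd|nlockmgr|status)$/ { print $3, $4 }' |
        sort -u
}

# Stage 2: run after nfs-common and the other daemons have started.
# $1 = interface to open; stdin = rpcinfo -p output.
late_allows() {
    iface="$1"
    $IPTABLES -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$iface" -j ACCEPT
    nfs_ports | while read -r proto port; do
        $IPTABLES -A INPUT -i "$iface" -p "$proto" --dport "$port" -j ACCEPT
    done
}

# Constructed rpcinfo -p output (ports made up for the demonstration).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   tcp   2049  nfs
    100003    2   udp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100024    1   udp  32771  status'

early_policy
printf '%s\n' "$SAMPLE_RPCINFO" | late_allows eth0
```

In a real boot the two functions would live in two init links (say S21 for the policy script and a late SNN link for the allows), with `rpcinfo -p` piped into `late_allows` instead of the constructed sample.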

I guess I was assuming, since this server was running nfs, that it was
simply a host based firewall and that there was another firewall in
front of it, limiting that wee vulnerability. I can't think of a sane
reason to run nfs on a direct connect border firewall.

--

/phil


