
Bug#172835: shorewall should use update-rc.d



Package: shorewall
Severity: normal

On Thu, Dec 12, 2002 at 04:18:17PM -0500, Raymond Wood wrote:

> On Thu, Dec 12, 2002 at 03:55:56PM -0500, Matt Zimmerman remarked:
> 
> > On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote:
> > > networking comes up at S35 in runlevel 0 so my internet is
> > > up and there is no firewall running so far.
> 
> > runlevel 0 is system shutdown and halt.  The network is not
> > brought up in this runlevel. :-)
> 
> There have been several responses to Yogesh's question, but none
> of them provide a clear and straightforward answer.  
> 
> Does anyone know why Shorewall leaves the system unprotected
> between network startup and firewall startup, whether it is a
> security risk, and if so what can be done about it besides crude
> workarounds?

Based on the message, I could not tell whether it actually did leave the
system unprotected or not.  Apparently, it does, because this bug has
already been reported in the BTS:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172607

In looking at the source package, I noticed another one, which is that it
does not call update-rc.d to set the symlinks.  Either this is being done by
an upstream script, the links are being managed by hand, or the links are
not being created at all on new installations.  I have not tested to see
which is the case, but in any of these cases, it is a bug, and update-rc.d
should be used instead in order to allow for alternate init schemes and to
otherwise ensure policy-conformant behavior.

http://www.debian.org/doc/debian-policy/ch-opersys.html#s10.3.3

-- 
 - mdz
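
An added example, not part of the original message or of the shorewall package: a shell check for the ordering gap discussed in this thread, reporting whether a firewall init script has a start link that runs before the networking one. It assumes the sysv-rc layout in which rcS.d links run before rc<runlevel>.d links; the service names, sequence numbers and sample tree are constructed.

```sh
#!/bin/sh
# Print the boot-order key of the earliest S link for service $2 under rc
# root $1 in runlevel $3, or nothing if there is none. The key is a stage
# digit (1 = rcS.d, which runs first; 2 = rc<runlevel>.d) plus the sequence.
start_key() {
    root=$1; svc=$2; level=$3; best=
    for spec in "1:rcS.d" "2:rc$level.d"; do
        stage=${spec%%:*}; dir=${spec#*:}
        for link in "$root/$dir"/S[0-9][0-9]"$svc"; do
            # Unmatched globs stay literal; dangling symlinks still count.
            [ -e "$link" ] || [ -L "$link" ] || continue
            num=${link##*/S}; num=${num%"$svc"}
            key=$stage$num
            if [ -z "$best" ] || [ "$key" -lt "$best" ]; then best=$key; fi
        done
    done
    printf '%s' "$best"
}

# check_order ROOT FIREWALL NETWORK RUNLEVEL
# Returns 0 if the firewall starts before networking, 1 if networking
# starts first (unfiltered window), 2 if the firewall has no start link.
check_order() {
    fw_key=$(start_key "$1" "$2" "$4")
    net_key=$(start_key "$1" "$3" "$4")
    [ -n "$fw_key" ] || return 2
    [ -n "$net_key" ] || return 0
    [ "$fw_key" -lt "$net_key" ] && return 0
    return 1
}

# Constructed sample tree: networking starts from rcS.d, the firewall
# only from rc2.d, so the interface is up before any rules are loaded.
demo=$(mktemp -d)
mkdir -p "$demo/rcS.d" "$demo/rc2.d"
ln -s ../init.d/networking "$demo/rcS.d/S40networking"
ln -s ../init.d/shorewall "$demo/rc2.d/S20shorewall"
status=0
check_order "$demo" shorewall networking 2 || status=$?
echo "runlevel 2: check_order returned $status"
rm -rf "$demo"
```

On a real system the first argument would be /etc; a result of 2 corresponds to the case above where no links are created on a new installation.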


