iptables window of opportunity at startup
Hi,

The current behaviour of a default Gentoo install is to load iptables
after the network has been initialised. Upon shutting down likewise
iptables is shutdown then the network interface. This strikes me as
presenting a window of opportunity when the computer is exposed without
iptables, albeit a small one.

Do people on this list think there is any value in re-arranging this
order by default?

Jon

--
gentoo-security@gentoo.org mailing list
Re: iptables window of opportunity at startup
Jon Mitchell <junk@jonm.co.uk> writes:

> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down likewise
> iptables is shutdown then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed without
> iptables, albeit a small one.
>
> Do people on this list think there is any value in re-arranging this
> order by default?

The problem with doing the other way is that iptables rules can
reference the specific interfaces to which the rule applies. This will
(AFAIK) fail if the interface does not exist when the rule is
created. Therefore iptables has to be started after the network.

The other alternative is to have a 2-stage iptables
initialisation. The first stage being run and setting the INPUT and
FORWARD table policies to DROP (and it may also be necessary to set
some rules to all the lo interface, I am not sure). The second stage
being run after the network interfaces are configured and setting the
actual rules.
Re: iptables window of opportunity at startup

Running a 2 stage iptables (drop all, start devices, set allow rules)
sounds like a good idea to me.
That would not be the most paranoid security measure I have seen.


Graham Murray wrote:
> Jon Mitchell <junk@jonm.co.uk> writes:
>
>> The current behaviour of a default Gentoo install is to load iptables
>> after the network has been initialised. Upon shutting down likewise
>> iptables is shutdown then the network interface. This strikes me as
>> presenting a window of opportunity when the computer is exposed without
>> iptables, albeit a small one.
>>
>> Do people on this list think there is any value in re-arranging this
>> order by default?
>
> The problem with doing the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.
>
> The other alternative is to have a 2-stage iptables
> initialisation. The first stage being run and setting the INPUT and
> FORWARD table policies to DROP (and it may also be necessary to set
> some rules to all the lo interface, I am not sure). The second stage
> being run after the network interfaces are configured and setting the
> actual rules.


Re: iptables window of opportunity at startup
On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down likewise
> iptables is shutdown then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed
> without iptables, albeit a small one.
>
> Do people on this list think there is any value in re-arranging this
> order by default?

No, this doesn't offer a hole when no service is running and routing is
deactivated. So all services have to be started after the iptables rules.
Same for routing.

Iptables doesn't have to protect the TCP/IP stack but a network behind
the host or services on that host.

Best regards
Oli
Re: iptables window of opportunity at startup
However, as far as I know, iptables is perfectly happy creating rules for non-existent
interfaces. Of course this can have changed, but when I first learned to use iptables
the doc specifically suggested setting up iptables rules before bringing up the network.
By the way, this is what I do at my firewall (although it runs Debian, not Gentoo),
first starting iptables and then networking. Probably it's paranoid, but that way there
is not even a theoretical possibility of an insecure window during boot (for example,
if a misconfiguration brings up a vulnerable service before the firewall is up).

/Staffan Emrén

--
Societas Archaeologica Upsaliensis
018 - 10 79 30 www.sau.se


Re: iptables window of opportunity at startup
On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote:
> Jon Mitchell <junk@jonm.co.uk> writes:
>
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down likewise
> > iptables is shutdown then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed without
> > iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
>
> The problem with doing the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.

AFAIK that would not happen.
You may set a rule for non-existing interface and iptables will not
fail. If you do have two eth interfaces, try to set a rule for eth4 -
you will see (I hope) no error. I saw none.

I would vote for starting firewall before network, having my humble
opinion on that topic. :-)


--
No virus found in this outgoing message.
Checked by "grep -i virus $MESSAGE"
Trust me.
Re: iptables window of opportunity at startup
It is also my experience that iptables will make rules for
non-existent interfaces with no problems. It may be that you are
seeing the behavior that was modified as a result of bug 78495:

https://bugs.gentoo.org/show_bug.cgi?id=78495

Hotplug made things a little tougher, because of its tendency to bring
up the interface when the module is loaded. There was some discussion
of this in bugzilla and a decision was made to make it configurable.
The interface coming up on hotplug was desired behavior by some users,
particularly in regard to wireless interfaces.

Admittedly the window is small and not likely to be of use, but it
seems silly to leave it open when it isn't necessary.

On 2/4/06, Mariusz Pękala <skoot@qi.pl> wrote:
> On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote:
> > Jon Mitchell <junk@jonm.co.uk> writes:
> >
> > > The current behaviour of a default Gentoo install is to load iptables
> > > after the network has been initialised. Upon shutting down likewise
> > > iptables is shutdown then the network interface. This strikes me as
> > > presenting a window of opportunity when the computer is exposed without
> > > iptables, albeit a small one.
> > >
> > > Do people on this list think there is any value in re-arranging this
> > > order by default?
> >
> > The problem with doing the other way is that iptables rules can
> > reference the specific interfaces to which the rule applies. This will
> > (AFAIK) fail if the interface does not exist when the rule is
> > created. Therefore iptables has to be started after the network.
>
> AFAIK that would not happen.
> You may set a rule for non-existing interface and iptables will not
> fail. If you do have two eth interfaces, try to set a rule for eth4 -
> you will see (I hope) no error. I saw none.
>
> I would vote for starting firewall before network, having my humble
> opinion on that topic. :-)
>
>
> --
> No virus found in this outgoing message.
> Checked by "grep -i virus $MESSAGE"
> Trust me.
>
>
>

Re: iptables window of opportunity at startup
On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
> On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down likewise
> > iptables is shutdown then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed
> > without iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
>
> No this doesn't offers a hole, when no service is running and routing is
> deactivated. So all services have to be started after iptables rules.
> Same for routing.

But this isn't quite what happens by default. Starting up I seem to get
the network, then http-replicator, then iptables. Shutting down is
worse: First iptables is turned off, then ntpd, sshd, http-replicator,
"unmounting network file systems", then the network. So if there were a
problem in these services they would be exposed.

How do you control the order that programs are shutdown in gentoo?

> Iptables doesn't have to protect the TCP/IP stack but a network behind
> the host or services on that host.

Could the network behind the host also be exposed in this small window?
If you had a firewall machine (two interfaces and packet forwarding)
without its firewall?

> Best regards
> Oli

Thanks,
Jon



Re: iptables window of opportunity at startup
Hi!

On Sun, 05 Feb 2006, Jon Mitchell wrote:
> How do you control the order that programs are shutdown in gentoo?

Using the depend() subroutine in the init script. My
/etc/init.d/iptables contains this:

depend() {
    before net
    use logger
}

Which *should* make iptables start before net.* (maybe except
net.lo). And sure enough, the boot sequence is:

dns-domain
net.lo
random
hdparm
metalog
acpid
alsa
gpm
iptables
net.eth0
portmap
nfs
sshd

So I don't exactly see the problem - I haven't tweaked any of the
relevant scripts...

Regards,
Tobias

--
You don't need eyes to see, you need vision.
Re: iptables window of opportunity at startup
On Sun, 5 Feb 2006 13:29:55 +0100 Tobias Klausmann <klausman@schwarzvogel.de> wrote:

> Which *should* make iptables start before net.* (maybe except
> net.lo). And sure enough, the boot sequence is:

This depends on the runlevels in which you have iptables and net.eth0.
Could you please post the output of the following command?

# rc-update show | grep 'iptables\|net\.'

By having iptables in boot and net.eth0 in default, iptables starts
before net.eth0, but it also stops before services and of course
net.eth0. Does somebody know a setting to avoid that?

(I would add that one might want to never respond to pings, for
instance, so starting iptables between net.eth0 and services seems not
enough.)

Regards,

Francois
Re: iptables window of opportunity at startup
I am coming into this conversation late, and I apologize if this is
already said, but:

When iptables/firewall 'stops', I have it drop all connections, so having
iptables stop before net.eth{0,1,etc} during shutdown isn't a problem.

Hope this helps


On Tue, February 7, 2006 12:16, Francois Toussenel wrote:
> On Sun, 5 Feb 2006 13:29:55 +0100 Tobias Klausmann
> <klausman@schwarzvogel.de> wrote:
>
>> Which *should* make iptables start before net.* (maybe except
>> net.lo). And sure enough, the boot sequence is:
>
> This depends on the runlevels in which you have iptables and net.eth0.
> Could you please post the output of the following command?
>
> # rc-update show | grep 'iptables\|net\.'
>
> By having iptables in boot and net.eth0 in default, iptables starts
> before net.eth0, but it also stops before services and of course
> net.eth0. Does somebody know a setting to avoid that?
>
> (I would add that one might want to never respond to pings, for
> instance, so starting iptables between net.eth0 and services seems not
> enough.)
>
> Regards,
>
> Francois
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Steven McCoy
Site Development/Manager
IndigoRobot Services
http://www.indigorobot.com
mailto:stevenmccoy@indigorobot.com

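The two-stage bring-up Graham suggests earlier in the thread (default-deny before net.*, the real rules once the interfaces exist) together with the drop-everything stop that Steven describes, written as an added example for this thread; it is not Gentoo's own /etc/init.d/iptables. It assumes one external interface (eth0 is a placeholder), SSH as the only exposed service, and that IPT and SYSCTL can be pointed at echo for a dry run.

```sh
#!/bin/sh
# Constructed example: two-stage firewall bring-up plus a "stop" that stays closed.
# Stage 1 belongs in a service that runs before net.* (in Gentoo terms: the boot
# runlevel with depend() { before net; }); stage 2 in one that runs after the
# interfaces are up (depend() { need net; }). Set IPT=echo SYSCTL=echo to dry-run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Stage 1: default-deny before any real interface exists. Policies are set
# before flushing so there is never a moment with ACCEPT policies and no rules.
# iptables accepts rules that name interfaces which are not up yet, so
# interface-specific rules could live here as well.
stage1_lockdown() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X
    # Loopback must keep working for services that start during boot.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# Stage 2: the real ruleset, after net.* is configured. Forwarding is
# switched on last, so a routing firewall never forwards unfiltered traffic.
stage2_rules() {
    iface="${1:-eth0}"   # placeholder name; pass the real interface
    $IPT -A INPUT  -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i "$iface" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -j ACCEPT
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Stop: disable forwarding, flush the rules, but keep DROP policies and
# loopback, so services stopped after the firewall (sshd, ntpd, ...) are
# never exposed. The usual "flush and set ACCEPT" stop would open the box.
firewall_stop() {
    $SYSCTL -w net.ipv4.ip_forward=0
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# Usage: ./firewall.sh start1 | start2 [iface] | stop
case "${1:-}" in
    start1) stage1_lockdown ;;
    start2) stage2_rules "$2" ;;
    stop)   firewall_stop ;;
esac
```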
Re: iptables window of opportunity at startup
Jon Mitchell wrote:

> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down likewise
> iptables is shutdown then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed without
> iptables, albeit a small one.
>
> Do people on this list think there is any value in re-arranging this
> order by default?

Yes I do.

Bug 76624 was trying to push that change for shorewall, maybe it's time
to reactivate it with broader scope.

--
Thierry Carrez (Koon)
Gentoo Linux Security
Re: iptables window of opportunity at startup
Hi!

On Tue, 07 Feb 2006, Francois Toussenel wrote:

> On Sun, 5 Feb 2006 13:29:55 +0100 Tobias Klausmann <klausman@schwarzvogel.de> wrote:
>
> > Which *should* make iptables start before net.* (maybe except
> > net.lo). And sure enough, the boot sequence is:
>
> This depends on the runlevels in which you have iptables and net.eth0.
> Could you please post the output of the following command?
>
> # rc-update show | grep 'iptables\|net\.'
>
> By having iptables in boot and net.eth0 in default, iptables starts
> before net.eth0, but it also stops before services and of course
> net.eth0. Does somebody know a setting to avoid that?

I'm using the defaults for both (i.e. I did what's in the install
handbook):

$ rc-update show | grep 'iptables\|net\.'
iptables | default
net.eth0 | default
net.lo | boot

I really don't understand what happened on the original poster's
machine. My (wild) guess is, that somehow parallel startup messed
it up, but that would be a bug in the parallel startup code.

> (I would add that one might want to never respond to pings, for
> instance, so starting iptables between net.eth0 and services seems not
> enough.)

Why (outside of a specific attack in that area) would one *not*
respond to pings? Outside from a specific attack in that area
happening, I see no reason to do so.

Regards,
Tobias
--
You don't need eyes to see, you need vision.
Re: iptables window of opportunity at startup
Tobias Klausmann wrote:
> On Tue, 07 Feb 2006, Francois Toussenel wrote:
>> (I would add that one might want to never respond to pings, for
>> instance, so starting iptables between net.eth0 and services seems not
>> enough.)
>
> Why (outside of a specific attack in that area) would one *not*
> respond to pings? Outside from a specific attack in that area
> happening, I see no reason to do so.

Everyone knows that only stealthed hosts are secure. To achieve this,
you have to block not only icmp but also arp. ;-)

Regards
Oli
Re: iptables window of opportunity at startup
Hi!

On Wed, 08 Feb 2006, Oliver Schad wrote:
> > Why (outside of a specific attack in that area) would one *not*
> > respond to pings? Outside from a specific attack in that area
> > happening, I see no reason to do so.
>
> Everyone knows that only stealthed hosts are secure. To achieve this,
> you have to block not only icmp but also arp. ;-)

I prefer diagonal cutters for that kind of security. A hardwall
of the drastic kind, if you will.

Regards,
Tobias

PS: One of our trainees has a teacher at school that said that
ICMP was the "Hacker Protocol". Boy, did we have a laugh at his
scripts.

--
You don't need eyes to see, you need vision.
Re: iptables window of opportunity at startup
Tobias Klausmann wrote:
> Hi!
>
> On Wed, 08 Feb 2006, Oliver Schad wrote:
>> > Why (outside of a specific attack in that area) would one *not*
>> > respond to pings? Outside from a specific attack in that area
>> > happening, I see no reason to do so.
>>
>> Everyone knows that only stealthed hosts are secure. To achieve this,
>> you have to block not only icmp but also arp. ;-)
>
> I prefer diagonal cutters for that kind of security. A hardwall
> of the drastic kind, if you will.

Is this secure against earth radiation? I suggest you use some magic
crystals for protection.

> PS: One of our trainees has a teacher at school that said that
> ICMP was the "Hacker Protocol". Boy, did we have a laugh at his
> scripts.

InterCeption and Manipulating Protocol

Regards
Oli
Re: iptables window of opportunity at startup
Jon Mitchell wrote:
> On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
>> No this doesn't offers a hole, when no service is running and routing is
>> deactivated. So all services have to be started after iptables rules.
>> Same for routing.
>
> But this isn't quite what happens by default. Starting up I seem to get
> the network, then http-replicator, then iptables. Shutting down is
> worse: First iptables is turned off, then ntpd, sshd, http-replicator,
> "unmounting network file systems", then the network. So if there were a
> problem in these services they would be exposed.
>
> How do you control the order that programs are shutdown in gentoo?

Edit /etc/init.d/iptables and change the dependency settings to

depend() {
    before net
    use logger
}

>> Iptables doesn't have to protect the TCP/IP stack but a network
>> behind
>> the host or services on that host.
>
> Could the network behind the host also be exposed in this small window?

No, because routing is activated in /etc/init.d/iptables after loading
the ruleset.

Regards
Oli
Re: iptables window of opportunity at startup
Jon Mitchell wrote:
> On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
>> On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
>> > The current behaviour of a default Gentoo install is to load iptables
>> > after the network has been initialised. Upon shutting down likewise
>> > iptables is shutdown then the network interface. This strikes me as
>> > presenting a window of opportunity when the computer is exposed
>> > without iptables, albeit a small one.
>> >
>> > Do people on this list think there is any value in re-arranging this
>> > order by default?
>>
>> No this doesn't offers a hole, when no service is running and routing is
>> deactivated. So all services have to be started after iptables rules.
>> Same for routing.
>
> But this isn't quite what happens by default. Starting up I seem to get
> the network, then http-replicator, then iptables.

I reproduced this problem.
Solution:
For correct startup, add iptables to the *boot* runlevel and change the
dependency from

depend() {
    before net
    use logger
}

to

depend() {
    before net
}

Changing the runlevel makes iptables start at the correct position; changing
the dependency lets iptables stop at the correct position.

Regards
Oli