Cinquero Apprentice
Joined: 24 Jun 2004 Posts: 249

Posted: Tue Jul 26, 2005 6:01 pm    Post subject: Security leak because of service shutdown order?

I recently noticed that the iptables firewall gets stopped before my network interfaces are being shut down. Doesn't that give my machine some exposure to the internet one usually does not want to have?

BradN Advocate
Joined: 19 Apr 2002 Posts: 2391 Location: Wisconsin (USA)

Posted: Tue Jul 26, 2005 7:27 pm

Most likely all your network listeners have been stopped before that, so I don't think it's a cause for much concern.

Cinquero Apprentice
Joined: 24 Jun 2004 Posts: 249

Posted: Wed Jul 27, 2005 9:35 am

No. It stops mysql, sshd and ntpd after shutting down the firewall. Upon boot, almost all network services get started before the firewall.

Nuteater Apprentice
Joined: 25 Sep 2003 Posts: 193 Location: Jyväskylä, Finland

Posted: Wed Jul 27, 2005 10:34 am

At least with shorewall, stopping the firewall just puts it in the default state, which is 'deny everything'. As it should be, a firewall is just a program allowing access in some cases, and the default is what it should be. :)
_________________
I am Nuteater, hear me roar.

Cinquero Apprentice
Joined: 24 Jun 2004 Posts: 249

Posted: Wed Jul 27, 2005 10:40 am

Well, the default policy when NOT using shorewall is: ACCEPT all and everything.

Nuteater Apprentice
Joined: 25 Sep 2003 Posts: 193 Location: Jyväskylä, Finland

Posted: Wed Jul 27, 2005 10:56 am

Cinquero wrote:
> Well, the default policy when NOT using shorewall is: ACCEPT all and everything.

You are right, this is not how it should be. You could try tweaking the init script shutting down your script and adding a rule that blocks everything. However, the firewall is only your first line of defence, so to speak, and you shouldn't rely on it too much. The system behind the firewall should also be secure, and not running any unnecessary or vulnerable services. But you are right, as good practice the firewall should be started first and shut down last, even if the security gain from this is minimal.
_________________
I am Nuteater, hear me roar.

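Editor's note: the suggestion above (make the stop action block everything instead of falling back to ACCEPT) is easy to get wrong if the policies are reset after the flush rather than before it. The script below is an added example, not code from this thread and not Gentoo's own iptables init script. It assumes a baselayout-style depend() in which "before net" orders the script ahead of the net.* scripts at start and after them at stop (an assumption about the rc system; check your baselayout version), and it makes IPTABLES overridable so the rule set can be dry-run with echo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's own iptables
# init script: a "fail closed" stop. A stop that merely flushes the
# chains leaves the built-in policies at ACCEPT, which is the exposure
# discussed in the thread. Setting DROP *before* flushing removes that window.
# IPTABLES is overridable so the rule set can be dry-run with IPTABLES=echo.

IPTABLES=${IPTABLES:-iptables}

# Hypothetical baselayout-style dependency. The assumption here is that
# "before net" makes rc start this script before the net.* scripts and,
# by symmetry, stop it after them. Verify against your baselayout version.
depend() {
    before net
}

# Fail closed: DROP policies first, then flush. Loopback is re-opened so
# daemons that are still shutting down can reach each other locally.
fail_closed() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" DROP || return 1
    done
    "$IPTABLES" -F || return 1
    "$IPTABLES" -X || return 1
    "$IPTABLES" -A INPUT -i lo -j ACCEPT || return 1
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT || return 1
}

# Fail open, for contrast: the usual flush-and-reset, which finishes
# with policy ACCEPT on every chain and no rules at all.
fail_open() {
    "$IPTABLES" -F
    "$IPTABLES" -X
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT
    done
}

# The init script's stop action: fail closed rather than open.
# start() would load the real rule set and is out of scope here.
stop() {
    fail_closed
}

# Dry run from the command line:  sh firewall-stop.sh dry-run
if [ "${1:-}" = "dry-run" ]; then
    IPTABLES=echo
    fail_closed
fi
```

The check after stopping the service: `iptables -L -n` should print `Chain INPUT (policy DROP)` (and the same for FORWARD and OUTPUT); with the stock flush-and-reset you would see `policy ACCEPT` on empty chains instead. The depend() hint addresses the ordering relative to the network interfaces; the fail-closed stop is what makes the remaining ordering with sshd, mysql and ntpd matter much less.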
Cinquero Apprentice
Joined: 24 Jun 2004 Posts: 249

Posted: Wed Jul 27, 2005 11:59 am

Uhm, let me put it that way: the firewall's concern is security. And it is its main concern. Behind the firewall, I have various daemons running for development purposes. Those are not usually known to be the most secure ones...
I think I'll have a quick look at how to change the default policy and post a bug then.

joaander Tux's lil' helper
Joined: 30 Apr 2004 Posts: 132

Posted: Wed Jul 27, 2005 2:26 pm

Quote:
> Uhm, let me put it that way: the firewall's concern is security. And it is its main concern. Behind the firewall, I have various daemons running for development purposes. Those are not usually known to be the most secure ones...

Why even allow such a service to listen on an internet interface? If a service is to be used on the internal net only, then it should only listen on the internal network interface, whether or not you have a firewall. As Nuteater said:
> The system behind the firewall should also be secure, and not running any unnecessary or vulnerable services

ben-xo n00b
Joined: 13 Dec 2004 Posts: 38

Posted: Wed Jul 27, 2005 7:28 pm

Yes, but what's the sense in iptables loading up later / unloading earlier than is appropriate for maximum security? This should be a simple matter to sort out, so I'd post it as a bug.
_________________
Ben XO

ben-xo n00b
Joined: 13 Dec 2004 Posts: 38

Posted: Thu Jul 28, 2005 1:14 pm

joaander wrote:
> Why even allow such a service to listen on an internet interface? If a service is to be used on the internal net only, then it should only listen on the internal network interface, whether or not you have a firewall.

Oh, and just to answer this one... some services are so simple (read: in development) that they cannot be configured to only listen on a specific NIC. In this case, one uses a firewall to block it...
_________________
Ben XO

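Editor's note: the two points above (joaander: bind internal-only services to the internal interface; ben-xo: some development daemons cannot be told where to bind, so the firewall has to do it) both start from the same audit, namely which listeners are bound to the wildcard address. The script below is an added example, not code from this thread. The netstat output in it is constructed for the example, the internal interface name eth1 is an assumption, and IPTABLES/IP6TABLES are overridable so the generated rules can be dry-run with echo.

```shell
#!/bin/sh
# Added example, not from the thread: find daemons bound to the wildcard
# address (reachable on every interface) and, for those that cannot be
# told to bind to one NIC, emit iptables rules that admit them only on
# the internal interface. The netstat output below is constructed for
# the example; on a live box pipe in `netstat -ltun` instead.

IPTABLES=${IPTABLES:-iptables}
IP6TABLES=${IP6TABLES:-ip6tables}

# Constructed `netstat -ltn` output: mysql bound to loopback only, sshd
# and a dev server (8000) on the wildcard, another dev server bound to
# the internal address only, and sshd's IPv6 wildcard socket.
sample_listeners() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:8080        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# Reads netstat-style lines on stdin; prints "proto port" for every
# socket whose local address is a wildcard (0.0.0.0, :: or *).
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^(0\.0\.0\.0|::|\*):/ {
        n = split($4, a, ":"); print $1, a[n]
    }'
}

# Reads "proto port" lines on stdin and emits, per port, an ACCEPT on
# the internal interface followed by a DROP for everything else.
# Order matters: the ACCEPT must precede the DROP in the chain.
# IPv6 sockets (tcp6/udp6) go to ip6tables, which keeps its own tables.
internal_only_rules() {
    iface=$1
    while read -r proto port; do
        case $proto in
            *6) tool=$IP6TABLES; proto=${proto%6} ;;
            *)  tool=$IPTABLES ;;
        esac
        "$tool" -A INPUT -i "$iface" -p "$proto" --dport "$port" -j ACCEPT
        "$tool" -A INPUT -p "$proto" --dport "$port" -j DROP
    done
}

# Dry run:  sh internal-only.sh dry-run eth1
if [ "${1:-}" = "dry-run" ]; then
    IPTABLES=echo; IP6TABLES=echo
    sample_listeners | wildcard_listeners | internal_only_rules "${2:-eth1}"
fi
```

On the constructed input, mysql (127.0.0.1:3306) and the dev server on 192.168.1.5:8080 are not reported, because they already follow joaander's advice; sshd and the wildcard dev server on 8000 are, and get interface-restricted rules. Two caveats: these per-port DROPs only cover ports the audit saw at the time, so they are a stopgap for the case ben-xo describes, while a default DROP policy with explicit interface-based ACCEPTs is the robust form; and a real rule set normally begins with an ESTABLISHED,RELATED accept, which is omitted here.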