From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] What if the firewall doesn't start?
Date: Mon, 26 Feb 2007 07:37:31 +0000
User-Agent: KMail/1.9.5
In-Reply-To: <49bf44f10702251628k6f9261eepaeba900d7751aa9f@mail.gmail.com>
References: <49bf44f10702251158n2ab9c587y9563d6ad4fa3a4b3@mail.gmail.com> <200702252247.43130.michaelkintzios@gmail.com> <49bf44f10702251628k6f9261eepaeba900d7751aa9f@mail.gmail.com>
Message-Id: <200702260737.46227.michaelkintzios@gmail.com>
List-Id: Gentoo Linux mail <gentoo-user@lists.gentoo.org>

On Monday 26 February 2007 00:28, Grant wrote:
> > > It occurred to me that if the shorewall firewall on my headless router
> > > doesn't start for whatever reason, I'll be totally exposed. Is there
> > > a way to protect against that?
> >
> > Well, you'll get an error during boot that iptables did not come up.
>
> The machine is headless though.

I guess you could get it to mail you, or text you, but someone else has to advise as to how you set this up (in particular SMS texting).

> > I assume that shorewall is only run when you change the script and
> > otherwise /etc/init.d/iptables is run as a default service after boot.
>
> Ouch. No. I'm running shorewall in the default runlevel and iptables
> explicitly not at all. I thought running shorewall was all I needed
> to do. Can you confirm that I should be running iptables in the
> default runlevel and shorewall only when I want to update the config?

I don't want to panic you unnecessarily. I do not know anything about shorewall and whether it takes over and runs iptables for you.

> > Anyway, a closed port remains closed whether a firewall is running, or
> > not.
>
> I thought the firewall specified which ports to open/close.

Yes, as an additional layer, with a fine degree of configuration on top. Run nmap from another machine in your LAN and compare output with & without iptables.

-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list
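The thread's open question is how a headless box can tell, without a console, whether its packet filter actually came up, whichever init script (shorewall or /etc/init.d/iptables) was meant to load it, and raise an alarm if it did not. The script below is an added example, written for this page and not taken from the thread, from shorewall or from Gentoo. It reads an iptables-save(8) dump, decides whether the filter table looks armed, and composes an alert when it does not. Everything not on the page is my assumption: that "armed" means the INPUT chain has policy DROP or carries at least one rule, that iptables-save is available, and the names FW_ALERT_TO and the mail(1) call, which stand in for whatever off-box notification the admin has set up. The sample dumps are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not code from the thread or from shorewall/Gentoo:
# a boot-time check that tests whether a netfilter ruleset is really
# loaded in the kernel, whichever init script was supposed to load it,
# and composes an alert when it is not.
#
# Assumptions (mine, not stated on the page): iptables-save(8) is installed;
# "armed" means the filter table's INPUT chain has policy DROP or carries at
# least one rule; FW_ALERT_TO and the mail(1) call are hypothetical names
# for whatever off-box notification the admin has configured.

set -u

# fw_state: read an iptables-save dump on stdin.
#   returns 0 = armed, 1 = kernel default (ACCEPT policy, empty INPUT chain),
#           2 = no filter table in the dump (e.g. empty output)
fw_state() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 == ":INPUT" {
            seen = 1
            if ($2 == "DROP") policy_drop = 1
        }
        table == "filter" && $1 == "-A" && $2 == "INPUT" { rules++ }
        END {
            if (!seen) exit 2
            if (policy_drop || rules > 0) exit 0
            exit 1
        }'
}

# alert_text HOST CODE: one-line message explaining why the check failed.
alert_text() {
    case $2 in
        1) why="filter table loaded but INPUT policy is ACCEPT and chain is empty" ;;
        2) why="no filter table in iptables-save output (module not loaded?)" ;;
        *) why="unexpected state $2" ;;
    esac
    printf 'Firewall check FAILED on %s: %s\n' "$1" "$why"
}

# check_firewall [DUMP]: evaluate a dump given as argument (for testing) or
# the live kernel state; on failure print the alert and, if FW_ALERT_TO is
# set, mail it. Returns the fw_state code.
check_firewall() {
    if [ $# -ge 1 ]; then
        printf '%s\n' "$1" | fw_state
    else
        iptables-save 2>/dev/null | fw_state
    fi
    rc=$?
    if [ "$rc" -ne 0 ]; then
        msg=$(alert_text "$(uname -n)" "$rc")
        printf '%s\n' "$msg"
        if [ -n "${FW_ALERT_TO:-}" ]; then
            printf '%s\n' "$msg" | mail -s "firewall check failed" "$FW_ALERT_TO"
        fi
    fi
    return "$rc"
}

# Constructed sample dumps (not captured from any real host).
ARMED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

DEFAULT_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Demonstration over an armed dump, a kernel-default dump and an empty one.
for dump in "$ARMED_DUMP" "$DEFAULT_DUMP" ""; do
    if check_firewall "$dump" >/dev/null; then
        echo "armed"
    else
        echo "not armed"
    fi
done
```

Run without arguments from a late local boot hook (after the firewall service has had its turn) so that `check_firewall` inspects the live kernel state; the check is independent of which service was supposed to load the rules, which is exactly the ambiguity Grant is unsure about. It confirms only that a ruleset is present, not that it is the intended one, so Mick's suggestion of an nmap scan from another LAN host remains the external confirmation.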