Robert Larson | 2 Feb 2006 22:46

Re: invalid section : "db"

Thank you for your help, but I have resolved the problem.  It was simply that 
I did not specify the "dbx" USE flag (for database extraction layer) when 
building prelude-manager.

When prelude-manager gets configured, it will check for libpreludedb.  If it 
is present, it will install support for it.  When I installed prelude-manager 
I had not yet installed libpreludedb, and I did not enable the USE flag 
requiring that libpreludedb be installed.  So, prelude-manager was actually 
built without support for libpreludedb resulting in the errors.

Thank you again,

Robert

On Friday 27 January 2006 02:19 am, Stéphane Joguet wrote:
> Did you try something like “prelude-manager –db –t mysql –h localhost –p
> 3306 –d prelude –u prelude –P xxxx” ?
>
>
>
>   _____
>
> From: Robert Larson [mailto:robert <at> sixthings.com]
> Sent: Thursday 26 January 2006 19:33
> To: gentoo-security <at> lists.gentoo.org
> Subject: Re: [gentoo-security] invalid section : "db"
>
>
>
> Hello,

Jon Mitchell | 4 Feb 2006 13:50

iptables window of opportunity at startup

Hi,

The current behaviour of a default Gentoo install is to load iptables
after the network has been initialised. Upon shutting down likewise
iptables is shutdown then the network interface. This strikes me as
presenting a window of opportunity when the computer is exposed without
iptables, albeit a small one.

Do people on this list think there is any value in re-arranging this
order by default?

Jon

--

-- 
gentoo-security <at> gentoo.org mailing list

Graham Murray | 4 Feb 2006 14:12

Re: iptables window of opportunity at startup

Jon Mitchell <junk <at> jonm.co.uk> writes:

> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down likewise
> iptables is shutdown then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed without
> iptables, albeit a small one.
>
> Do people on this list think there is any value in re-arranging this
> order by default?

The problem with doing the other way is that iptables rules can
reference the specific interfaces to which the rule applies. This will
(AFAIK) fail if the interface does not exist when the rule is
created. Therefore iptables has to be started after the network.

The other alternative is to have a 2-stage iptables
initialisation. The first stage being run and setting the INPUT and
FORWARD table policies to DROP (and it may also be necessary to set
some rules to all the lo interface, I am not sure). The second stage
being run after the network interfaces are configured and setting the
actual rules.
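The two-stage bring-up Graham describes, written out as an added example; this is not code from the thread or from Gentoo's own init scripts. It assumes iptables-restore is available, and the interface name (eth0), the admin network and the permitted ports are constructed placeholders. Stage 1 contains no interface name other than lo, so it is safe to run before net.eth0 exists regardless of how iptables treats rules for absent interfaces; stage 2 keeps the INPUT and FORWARD policies at DROP and is loaded as one table by iptables-restore, so there is no open gap between the two stages.

```shell
#!/bin/sh
# Two-stage firewall bring-up (added example, not from the thread).
# Stage 1 runs before the interfaces are configured: default-deny plus
# loopback. Stage 2 runs after them and installs the real rules. Both
# stages emit iptables-restore input so the text can be checked first.

# Hypothetical site values; assumptions, not taken from the thread.
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # constructed example network

# Stage 1: DROP on INPUT and FORWARD, loopback allowed, nothing else.
# No interface other than lo is named, so it does not matter whether
# the kernel would accept a rule for an interface that is not up yet.
stage1_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Stage 2: the full ruleset. The policies stay DROP, and iptables-restore
# replaces the whole filter table in one step, so loading stage 2 over
# stage 1 never leaves a moment with an ACCEPT policy.
stage2_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${WAN_IF} -s ${ADMIN_NET} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${WAN_IF} -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Sanity check on a generated ruleset before it is applied: INPUT and
# FORWARD must keep a DROP policy and the table must be committed.
# Returns 0 when the ruleset is acceptable, 1 otherwise.
check_ruleset() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$ruleset" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$ruleset" | grep -q '^COMMIT$'       || return 1
    return 0
}

# Apply one stage. Point IPTABLES_RESTORE at "cat" for a dry run that
# only prints what would be loaded.
load_stage() {
    ruleset="$("$1")"
    check_ruleset "$ruleset" || { echo "refusing to load unsafe ruleset" >&2; return 1; }
    printf '%s\n' "$ruleset" | "${IPTABLES_RESTORE:-iptables-restore}"
}

# Called from two init scripts: one ordered before net runs "stage1",
# one ordered after net runs "stage2".
case "${1:-}" in
    stage1) load_stage stage1_rules ;;
    stage2) load_stage stage2_rules ;;
esac
```

Run it as `IPTABLES_RESTORE=cat sh firewall.sh stage2` to see the exact table that would be loaded without touching the kernel; the check in `load_stage` is what stops a typo in the stage 2 file from quietly turning the default policy into ACCEPT.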

Steven Sennebogen | 4 Feb 2006 17:34

Re: iptables window of opportunity at startup


Running a 2 stage iptables (drop all, start devices, set allow rules)
sounds like a good idea to me.
That would not be the most paranoid security measure I have seen.

Graham Murray wrote:
> Jon Mitchell <junk <at> jonm.co.uk> writes:
>
>> The current behaviour of a default Gentoo install is to load iptables
>> after the network has been initialised. Upon shutting down likewise
>> iptables is shutdown then the network interface. This strikes me as
>> presenting a window of opportunity when the computer is exposed without
>> iptables, albeit a small one.
>>
>> Do people on this list think there is any value in re-arranging this
>> order by default?
>
> The problem with doing the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.
>
> The other alternative is to have a 2-stage iptables
> initialisation. The first stage being run and setting the INPUT and
> FORWARD table policies to DROP (and it may also be necessary to set
> some rules to all the lo interface, I am not sure). The second stage
> being run after the network interfaces are configured and setting the
> actual rules.


Oliver Schad | 4 Feb 2006 18:22

Re: iptables window of opportunity at startup

On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
> The current behaviour of a default Gentoo install is to load iptables
> after the network has been initialised. Upon shutting down likewise
> iptables is shutdown then the network interface. This strikes me as
> presenting a window of opportunity when the computer is exposed
> without iptables, albeit a small one.
>
> Do people on this list think there is any value in re-arranging this
> order by default?

No, this doesn't offer a hole when no service is running and routing is 
deactivated. So all services have to be started after the iptables rules. 
Same for routing.

Iptables doesn't have to protect the TCP/IP stack but a network behind 
the host or services on that host.

Best regards
Oli

Staffan Emrén | 4 Feb 2006 22:04

Re: iptables window of opportunity at startup

However, as far as I know, iptables is perfectly happy creating rules for non-existent 
interfaces. Of course this can have changed, but when I first learned to use iptables 
the doc specifically suggested setting up iptables rules before bringing up the network. 
By the way, this is what I do at my firewall (although it runs debian, not gentoo), 
first starting iptables and then networking. Probably it's paranoid, but that way there 
is not even a theoretical possibility of an insecure window during boot (for example, 
if a misconfiguration brings up a vulnerable service before the firewall is up).

/Staffan Emrén

--
Societas Archaeologica Upsaliensis
018 - 10 79 30          www.sau.se


Mariusz Pękala | 4 Feb 2006 23:51

Re: iptables window of opportunity at startup

On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote:
> Jon Mitchell <junk <at> jonm.co.uk> writes:
> 
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down likewise
> > iptables is shutdown then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed without
> > iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
> 
> The problem with doing the other way is that iptables rules can
> reference the specific interfaces to which the rule applies. This will
> (AFAIK) fail if the interface does not exist when the rule is
> created. Therefore iptables has to be started after the network.

AFAIK that would not happen.
You may set a rule for a non-existing interface and iptables will not
fail. If you do have two eth interfaces, try to set a rule for eth4 -
you will see (I hope) no error. I saw none.

I would vote for starting firewall before network, having my humble
opinion on that topic. :-)

-- 
No virus found in this outgoing message.
Checked by "grep -i virus $MESSAGE"
Trust me.

Matt Drew | 5 Feb 2006 02:16

Re: iptables window of opportunity at startup

It is also my experience that iptables will make rules for
non-existent interfaces with no problems.  It may be that you are
seeing the behavior that was modified as a result of bug 78495:

https://bugs.gentoo.org/show_bug.cgi?id=78495

Hotplug made things a little tougher, because of its tendency to bring
up the interface when the module is loaded.  There was some discussion
of this in bugzilla and a decision was made to make it configurable.
The interface coming up on hotplug was desired behavior by some users,
particularly in regard to wireless interfaces.

Admittedly the window is small and not likely to be of use, but it
seems silly to leave it open when it isn't necessary.

On 2/4/06, Mariusz Pękala <skoot <at> qi.pl> wrote:
> On 2006-02-04 13:12:06 +0000 (Sat, Feb), Graham Murray wrote:
> > Jon Mitchell <junk <at> jonm.co.uk> writes:
> >
> > > The current behaviour of a default Gentoo install is to load iptables
> > > after the network has been initialised. Upon shutting down likewise
> > > iptables is shutdown then the network interface. This strikes me as
> > > presenting a window of opportunity when the computer is exposed without
> > > iptables, albeit a small one.
> > >
> > > Do people on this list think there is any value in re-arranging this
> > > order by default?
> >
> > The problem with doing the other way is that iptables rules can
> > reference the specific interfaces to which the rule applies. This will

Jon Mitchell | 5 Feb 2006 09:24

Re: iptables window of opportunity at startup

On Sat, 2006-02-04 at 18:22 +0100, Oliver Schad wrote:
> On Saturday, 4 February 2006 13:50, Jon Mitchell wrote to me:
> > The current behaviour of a default Gentoo install is to load iptables
> > after the network has been initialised. Upon shutting down likewise
> > iptables is shutdown then the network interface. This strikes me as
> > presenting a window of opportunity when the computer is exposed
> > without iptables, albeit a small one.
> >
> > Do people on this list think there is any value in re-arranging this
> > order by default?
> 
> No, this doesn't offer a hole when no service is running and routing is 
> deactivated. So all services have to be started after the iptables rules. 
> Same for routing.

But this isn't quite what happens by default. Starting up I seem to get
the network, then http-replicator, then iptables. Shutting down is
worse: First iptables is turned off, then ntpd, sshd, http-replicator,
"unmounting network file systems", then the network. So if there were a
problem in these services they would be exposed.

How do you control the order that programs are shutdown in gentoo?

> Iptables doesn't have to protect the TCP/IP stack but a network behind 
> the host or services on that host.

Could the network behind the host also be exposed in this small window?

Tobias Klausmann | 5 Feb 2006 13:29

Re: iptables window of opportunity at startup

Hi! 

On Sun, 05 Feb 2006, Jon Mitchell wrote:
> How do you control the order that programs are shutdown in gentoo?

Using the depend() subroutine in the init script. My
/etc/init.d/iptables contains this:

depend() {
        before net
        use logger
}

Which *should* make iptables start before net.* (maybe except
net.lo). And sure enough, the boot sequence is:

dns-domain
net.lo
random
hdparm
metalog
acpid
alsa
gpm
iptables
net.eth0
portmap
nfs
sshd

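An added check, not from the thread and not a Gentoo tool, that audits an ordering like the one Tobias shows: for a start sequence it confirms iptables is listed before every net.* interface except net.lo and before each service that opens a socket; for a stop sequence it confirms iptables is not torn down while any of those are still running, which is the shutdown problem Jon reports. The list of watched services is an assumption; the good start sequence is Tobias's list above, and the bad start and stop sequences are constructed from the order Jon describes.

```shell
#!/bin/sh
# Audit of init ordering against the firewall window (added example).
# Input is one service name per line, in the order they start or stop.

# Services that listen on the network and so must be behind the firewall.
# Assumed list; adjust for the host.
NET_SERVICES="${NET_SERVICES:-sshd ntpd portmap nfs http-replicator}"

# check_start_order SEQUENCE: returns 0 when iptables precedes every
# net.* interface other than net.lo and every watched service; otherwise
# prints each offender and returns 1.
check_start_order() {
    printf '%s\n' "$1" | awk -v svcs="$NET_SERVICES" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) watched[a[i]] = 1 }
        $0 == "iptables" { seen_fw = 1; next }
        !seen_fw && (($0 ~ /^net\./ && $0 != "net.lo") || ($0 in watched)) {
            print "started before firewall: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# check_stop_order SEQUENCE: returns 0 when no net.* interface (net.lo
# excepted) and no watched service is still listed after iptables has
# been stopped; otherwise prints each offender and returns 1.
check_stop_order() {
    printf '%s\n' "$1" | awk -v svcs="$NET_SERVICES" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) watched[a[i]] = 1 }
        $0 == "iptables" { fw_down = 1; next }
        fw_down && (($0 ~ /^net\./ && $0 != "net.lo") || ($0 in watched)) {
            print "still running after firewall stopped: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Tobias's boot sequence from the thread (iptables before net.eth0).
EXAMPLE_GOOD_START="$(printf 'dns-domain\nnet.lo\nrandom\nhdparm\nmetalog\nacpid\nalsa\ngpm\niptables\nnet.eth0\nportmap\nnfs\nsshd\n')"

# Constructed from the default order Jon describes: network first, then a
# service, then iptables.
EXAMPLE_BAD_START="$(printf 'net.lo\nnet.eth0\nhttp-replicator\niptables\nsshd\n')"

# Constructed from the shutdown order Jon describes: iptables goes first.
EXAMPLE_BAD_STOP="$(printf 'iptables\nntpd\nsshd\nhttp-replicator\nnetmount\nnet.eth0\nnet.lo\n')"

# Stop order that keeps the firewall until every network service is down.
EXAMPLE_GOOD_STOP="$(printf 'sshd\nnfs\nportmap\nnet.eth0\niptables\nnet.lo\n')"

if [ "${1:-}" = "demo" ]; then
    check_start_order "$EXAMPLE_GOOD_START" && echo "start order ok"
    check_start_order "$EXAMPLE_BAD_START"  || echo "start order exposes services"
    check_stop_order  "$EXAMPLE_BAD_STOP"   || echo "stop order exposes services"
    check_stop_order  "$EXAMPLE_GOOD_STOP"  && echo "stop order ok"
fi
```

Feed it the actual sequence from the boot log (or from the shutdown log read in reverse) rather than the embedded samples; the two functions differ only in which side of the iptables entry they look at, because OpenRC stops services in roughly the reverse of the order it started them.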
