Re: Securing Debian Manual: Section 5.14.3.2 suggested additions
Hi Dominic,
Thanks for your feedback on Debian documentation, it's appreciated.
On Mon, Jun 02, 2014 at 02:41:29PM +0100, Dominic Walden wrote:
> Hello, I sent this email to Javier some time ago. I'm not sure whether
> it got lost, ignored, or filed somewhere for later consideration, so
> I'm posting it here. So, sorry to Javier if I sound like a broken
> record.
No problem. Could you please paste this message in a Debian bug report? That
way, for sure it won't get lost. There is a specific Debian "package" for
reporting issues with the Securing Debian Manual.
> *** Start of message ***
> Hi,
>
> I've been working my way through this manual to increase the security
> of my computer and I have a suggestion for the firewall script
> presented in section 5.14.3.2.
>
> As Debian have started to use dependency-based boot sequencing since
> Squeeze[1], init.d scripts need an LSB header, and configuring the boot
> sequence should be left up to insserv (not update-rc.d). Otherwise, it
> may behave differently than the author of the section had intended.
>
> My modified version begins like this:
>
> #!/bin/sh
> ### BEGIN INIT INFO
> # Provides:          myfirewall
> # Required-Start:    $local_fs
> # Required-Stop:     $local_fs
> # Default-Start:     S
> # Default-Stop:      0 6
> # X-Start-Before:    $network
> # X-Stop-After:      $network
> # Short-Description: My custom firewall.
> ### END INIT INFO
>
> which will start the script in S and stop it in 0 and 6, just like the
> section recommends. It will also start it before the network goes up
> and stop it after the network goes down.
>
> To set up the boot script I just had to run: insserv myfirewall
>
>
> Also, I believe there is an error in the script:
>
> # Remote management
> if [ -n "$NETWORK_MGMT" ] ; then
>     /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
> else
>     /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
> fi
>
> If $NETWORK_MGMT and $SSH_PORT are not set (which they are not by
> default in the script) the else path will be taken and iptables will
> return an error because --dport is given no arguments.
>
> I'm not certain of the author's intentions, but is the else branch
> needed at all? If users who have not set up a management network want
> to accept input to the ssh port they can add it to $TCP_SERVICES.
>
> Personally, I just removed that whole section because I don't want to
> set up a management network.
>
> I have been running the script with the above modifications for a few
> days now without issue.
> *** End of Message ***
>
>
> If you want, I could make a patch file?
Yes please, that makes it easier to adjust the manual.
NB: I did not (yet) study the content of your suggestion; I'm not (yet)
sure whether it will get applied. Maybe some fine-tuning is needed.
Thanks again for your feedback. Bye,
Joost
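The failure mode Dominic describes (an unset $SSH_PORT reaching `--dport` with no argument, so iptables aborts and the rule is silently missing) can be guarded in the script itself. The snippet below is an added example, not the manual's section 5.14.3.2 script nor Dominic's patch; the function names, the `preview` helper and the `IPTABLES` variable are assumptions chosen for illustration. It emits the rule only when a port is actually set, restricts the source to the management network only when one is configured, and leaves the no-management-network case to $TCP_SERVICES as the message suggests.

```shell
#!/bin/sh
# Added example (not the Securing Debian Manual's script): the remote-management
# block from section 5.14.3.2 with the empty --dport defect guarded.
#
# IPTABLES defaults to a preview function that prints the rule instead of
# applying it, so the logic can be checked without root; set
# IPTABLES=/sbin/iptables to apply the rules for real.

preview() { printf '%s\n' "$*"; }
IPTABLES="${IPTABLES:-preview}"

# Emit the ACCEPT rule for the SSH port.
# Arguments: ssh_port [mgmt_network]
ssh_management_rules() {
    ssh_port="$1"
    mgmt_network="$2"

    # Guard the defect reported in the thread: with SSH_PORT unset the
    # original script passed an empty --dport and iptables failed.
    if [ -z "$ssh_port" ]; then
        echo "# SSH_PORT not set: no SSH rule added (use TCP_SERVICES instead)" >&2
        return 0
    fi

    if [ -n "$mgmt_network" ]; then
        # Only the management network may reach the SSH port.
        $IPTABLES -A INPUT -p tcp --src "$mgmt_network" --dport "$ssh_port" -j ACCEPT
    else
        # No management network configured: accept SSH from anywhere.
        $IPTABLES -A INPUT -p tcp --dport "$ssh_port" -j ACCEPT
    fi
}

# Emit ACCEPT rules for a space-separated TCP_SERVICES list, the variable the
# message recommends for SSH when no management network exists.
tcp_service_rules() {
    for port in $1; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
}

# Usage with constructed values (preview only, nothing is applied):
#   ssh_management_rules 22 192.0.2.0/24
#   ssh_management_rules ""            # prints a notice to stderr, emits nothing
#   tcp_service_rules "22 80"
```

Running the script with `IPTABLES` unset prints the rules it would add, which makes it easy to confirm that an unset port now yields no rule at all rather than a half-built one.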