[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing Debian Manual: Section suggested additions

Hi Dominic,

Thanks for your feedback on Debian documentation, it's appreciated.

On Mon, Jun 02, 2014 at 02:41:29PM +0100, Dominic Walden wrote:
> Hello, I sent this email to Javier some time ago. I'm not sure whether
> it got lost, ignored, or filed somewhere for later consideration, so
> I'm posting it here. So, sorry to Javier if I sound like a broken
> record.

No problem.  Could you please paste this message in a Debian bugreport?  That
way, for sure it won't get lost.  There is a specific Debian "package" for
reporting issues with the Securing Debian Manual.

> *** Start of message ***
> Hi,
> I've been working my way through this manual to increase the security
> of my computer and I have a suggestion for the firewall script
> presented in section
> As Debian have started to use dependency based boot sequencing since
> Squeeze[1] init.d scripts need an LSB header, and configuring the boot
> sequence should be left up to insserv (not update-rc.d). Otherwise, it
> may behave differently than the author of the section had intended.
> My modified version begins like this:
>  #!/bin/sh ## BEGIN INIT INFO Provides: myfirewall Required-Start:
>  #$local_fs Required-Stop: $local_fs Default-Start: S Default-Stop: 0
>  #6 X-Start-Before: $network X-Stop-After: $network Short-Description:
>  #My custom firewall.  ## END INIT INFO
> which will start the script in S and stop it in 0 and 6, just like the
> section recommends. It will also start it before the network goes up
> and stop it after the network goes down.
> To setup the boot script I just had to run: insserv myfirewall
> Also, I believe there is an error in the script:
>  # Remote management if [ -n "$NETWORK_MGMT" ] ; then /sbin/iptables
>  -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
>  else /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT fi
> If $NETWORK_MGMT and $SSH_PORT are not set (which they are not by
> default in the script) the else path will be taken and iptables will
> return an error because --dport is given no arguments.
> I'm not certain of the authors intentions but is the else branch
> needed at all? If users who have not setup a management network want
> to accept input to the ssh port they can add it to $TCP_SERVICES.
> Personally, I just removed that whole section because I don't want to
> setup a management network.
> I have been running the script with the above modifications for a few
> days now without issue.
> *** End of Message ***
> If you want, I could make a patch file?

Yes please, that makes it easier to adjust the manual.

NB: I did not (yet) study the content of your suggestion; I'm not (yet)
sure wether it will get applied.  Maybe some finetuning is needed.

Thanks again for your feedback, Bye,


Reply to: