
fw newb, locking oneself out, unroutable addresses



Hi,

I want to set up a firewall to protect my home network.  I'm a little
paranoid about a warning I read in the Securing Debian howto.  It says that
misusing iptables "[o]ne can even manage to lock himself out of the computer
who's keyboard is under his fingers."  Can anyone tell me what iptables rule
set could lead to being locked out at the console?  Does console access go
through the "lo" interface?

From rfc3330, I got a list of network addresses that shouldn't be routed on the
public network, and thus should be ignored if appearing as the source
address on a packet coming in on the public side of the firewall.  So far I
have, in addition to the obvious localnet and the three blocks reserved
for private networks, 240/4, 169.254/16, 192.0.2/24, and 198.18/15.

However, that same rfc also mentions 0.0.0.0/8 as referring to "this"
network, and 0.0.0.0/32 as referring to "this" host on "this" network. I
don't get this.  In routing tables, does 0.0.0.0 mean "anywhere" or some
such?  Should I be allowing packets with a source IP of 0.0.0.0 or dropping
them?


Thanks,

Gerald
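An added example (not part of Gerald's message) showing the source-address filter described above built in an order that cannot lock the local user out: loopback and established traffic are accepted before any DROP is added, the bogon drops are bound to the public interface only, and the INPUT policy is tightened last. The interface name `eth0` is an assumption; the prefix list is the one from RFC 3330 named in the post plus RFC 1918 and loopback.

```python
import ipaddress

# Source prefixes that should never appear on a packet arriving on the public
# side of a home firewall (RFC 3330 blocks named in the post, plus the RFC 1918
# private ranges and loopback).
UNROUTABLE_SOURCES = [
    "0.0.0.0/8",        # "this" network; only unconfigured DHCP clients send from here
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback; must never arrive on a physical interface
    "169.254.0.0/16",   # link local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.2.0/24",     # TEST-NET
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "240.0.0.0/4",      # reserved (includes the 255.255.255.255 broadcast)
]
_NETS = [ipaddress.ip_network(p) for p in UNROUTABLE_SOURCES]


def is_unroutable_source(ip):
    """True if a packet claiming this source should be dropped on the public side."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _NETS)


def build_rules(public_iface="eth0"):
    """Return the iptables commands in a lock-out-safe order.

    The policy stays ACCEPT while rules load, lo and ESTABLISHED traffic are
    accepted before any DROP exists, and every bogon DROP is restricted to the
    public interface (the assumed name is a placeholder), so a mistake in the
    list can only affect traffic coming from outside.
    """
    rules = [
        "iptables -P INPUT ACCEPT",   # permissive while the chain is rebuilt
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",  # local programs talk over lo
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in UNROUTABLE_SOURCES:
        rules.append(f"iptables -A INPUT -i {public_iface} -s {net} -j DROP")
    rules.append("iptables -P INPUT DROP")  # tighten the default only as the last step
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules("eth0")))
```

The physical console itself never passes through netfilter; what a DROP policy without the `lo` rule breaks is local programs that talk to the machine over IP (X clients, SSH to localhost, local daemons), and a DROP on the interface you are remotely logged in through cuts that session.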
