
Re: fw newb, locking oneself out, unroutable addresses



gcrimp@vcn.bc.ca writes:

G'day.

> I want to set up a firewall to protect my home network.  I'm a little
> paranoid about a warning I read in the Securing Debian howto.  It says that
> misusing iptables "[o]ne can even manage to lock himself out of the computer
> who's keyboard is under his fingers."  Can anyone tell me what iptables rule
> set could lead to being locked out at the console?  Does console access go
> through the "lo" interface?

That warning, presumably, is (badly worded, and) about locking yourself
out if you use SSH or something to access the server.  The local,
physically connected keyboard does *not* touch the network at all.

> From rfc3330, I got a list of network addresses that shouldn't be routed on the
> public network, and thus should be ignored if appearing as the source
> address on a packet coming in on the public side of the firewall.  So
> far I have, in addition to the obvious localnet, and the three blocks
> reserved for private networks 240/4, 169.254/16, 192.0.2/24, and
> 198.18/15.
>
> However, that same rfc also mentions 0.0.0.0/8 as referring to "this"
> network, and 0.0.0.0/32 as referring to "this" host on "this"
> network. I don't get this.  In routing tables, does 0.0.0.0 mean
> "anywhere" or some such.  Should I be allowing packets with a source
> ip of 0.0.0.0 or dropping them?

My personal suggestion, here, would be that you look at starting out
with something pre-existing that takes some of these decisions out of
your hands.

You are obviously pretty clueful, but there are a lot of tricks to
managing a good firewall and it can be quite easy to make a tiny error
and invalidate the entire security system.

My recommendation would be the 'firehol' script, packaged in Debian,
which adds a bunch of helper commands to a bash script, making it easy
to generate a very good and solid firewall.

Alternately, if you prefer a declarative style, 'shorewall' is well
regarded.


Both of those also come with nice extras such as a 'try' mode where you
can safely change the firewall over a network connection -- if you lock
yourself out the script will restore the old firewall after a little
while.


In both cases you can easily examine the generated iptables rules,
allowing you to better learn how they function.

Firehol also comes, out of the box, with helpful definitions of the
various unroutable and private IP ranges built in.

Regards,
        Daniel
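An added example, not part of the thread or of firehol: a POSIX sh helper that tests whether an IPv4 source address falls inside one of the RFC 3330 ranges the question lists (plus 0.0.0.0/8 and the three private blocks) and prints, rather than loads, the matching iptables DROP rules for a public interface name you supply, so the generated rule set can be read before it goes live. The interface name and the choice to treat 0.0.0.0/8 as a bogon source on the public side are assumptions of this example.

```sh
#!/bin/sh
# Added example. Source ranges that should never arrive on the public
# interface: the RFC 3330 ranges from the question, the three private
# blocks, loopback, and 0.0.0.0/8 ("this" network), which is only a
# legitimate source on the local link (e.g. a host with no address yet).
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 240.0.0.0/4"

# ip2int 192.0.2.1 -> dotted quad as a 32-bit integer (subshell keeps
# the IFS change local; POSIX sh arithmetic only)
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# in_cidr ADDR NET/PREFIX -> exit status 0 when ADDR lies inside NET/PREFIX
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# bogon_source ADDR -> prints the matching range and returns 0,
# returns 1 when ADDR is a normal public address
bogon_source() {
    for r in $BOGONS; do
        if in_cidr "$1" "$r"; then echo "$r"; return 0; fi
    done
    return 1
}

# bogon_rules IFACE -> emits the iptables commands dropping bogon sources
# arriving on IFACE (printed for review, nothing is applied here)
bogon_rules() {
    for r in $BOGONS; do
        echo "iptables -A INPUT -i $1 -s $r -j DROP"
        echo "iptables -A FORWARD -i $1 -s $r -j DROP"
    done
}
```

Run `bogon_rules eth0` (interface name assumed) to see the rules before piping them into a shell; `bogon_source 0.0.0.0` reports the 0.0.0.0/8 match the question asks about.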


