On Mon, Jan 23, 2006 at 01:02:16PM +1100, Daniel Pittman wrote:
> gcrimp@vcn.bc.ca writes:
>
> G'day.
>
> > I want to set up a firewall to protect my home network. I'm a little
> > paranoid about a warning I read in the Securing Debian howto. It says that
> > misusing iptables "[o]ne can even manage to lock himself out of the computer
> > whose keyboard is under his fingers." Can anyone tell me what iptables rule
> > set could lead to being locked out at the console? Does console access go
> > through the "lo" interface?
>
> That warning, presumably, is (badly worded, and) about locking yourself
> out if you use SSH or something to access the server. The local,
> physically connected keyboard does *not* touch the network at all.
I'm not so sure about that. What I quoted from the howto is itself a quote
from /usr/share/doc/iptables/README.Debian. A more complete quote is:
"The iptables package consists of a set of powerful packet filtering
administration tools for netfilter. The tools can easily be misused,
causing enormous amounts of grief by completely crippling network access
to a computer system. It is not terribly uncommon for a remote system
administrator to accidentally lock himself out of a system hundreds or
thousands of miles away. One can even manage to lock himself out of a
computer whose keyboard is under his fingers."
I think the remote problem you suggest is already covered in this quote. I
have to guess that the sentence I included in my OP refers to something
else. Now that I have determined from where the original quote comes, I
guess I can ask the author what he means by it.
>
> > From rfc3330, I got a list of network addresses that shouldn't be routed on the
> > public network, and thus should be ignored if appearing as the source
> > address on a packet coming in on the public side of the firewall. So
> > far I have, in addition to the obvious localnet, and the three blocks
> > reserved for private networks: 240/4, 169.254/16, 192.0.2/24, and
> > 198.18/15.
> >
> > However, that same rfc also mentions 0.0.0.0/8 as referring to "this"
> > network, and 0.0.0.0/32 as referring to "this" host on "this"
> > network. I don't get this. In routing tables, does 0.0.0.0 mean
> > "anywhere" or some such. Should I be allowing packets with a source
> > ip of 0.0.0.0 or dropping them?
>
> My personal suggestion, here, would be that you look at starting out
> with something pre-existing that takes some of these decisions out of
> your hands.
I did try shorewall when I first looked at iptables some time ago (a little
discouraged by yet another change in the firewalling, i.e., ipfwadm ->
ipchains -> iptables) hoping to save myself some trouble. But I found
shorewall to be as much work. Way too many configuration files to be
bouncing between and a logic that seemed to me to be way more convoluted
than simply learning iptables. The generated iptables rules as revealed by
-L also seemed to be overkill for my relatively simple needs.
Maybe I'll follow your suggestion and have a look at firehol, though.
I'm still wondering if someone can explain the rfc3330 description of
0.0.0.0 to me. Doesn't seem to make much sense.
Thanks everyone for the suggestions.
Gerald
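The two practical questions in this exchange, which source prefixes from RFC 3330 to drop on the public side and how to apply a ruleset without locking yourself out, can be shown in a small script. The example below is added here and is not code from the thread or from the iptables package. It assumes the public interface is called eth0 and uses /tmp/iptables.before as the backup path; both are placeholders. The prefix list is the one in the post (0/8, loopback, 169.254/16, 192.0.2/24, 198.18/15, 240/4) plus the three RFC 1918 private blocks the post refers to without naming. The sample addresses are constructed.

```python
"""Classify packet source addresses against the RFC 3330 special-use
prefixes from the thread and render the matching iptables rules.
Added example; 'eth0' and the backup path are assumptions."""
import ipaddress

# Prefixes that must never appear as the *source* of a packet arriving
# from the Internet.  0.0.0.0/8 ("this network") is only meaningful on
# the local link (a host with no address yet, e.g. during DHCP), so on
# the public interface it is spoofed or broken and can be dropped.
BOGON_SOURCES = {
    "0.0.0.0/8":      "this network (RFC 3330); only valid on the local link",
    "10.0.0.0/8":     "private (RFC 1918)",
    "127.0.0.0/8":    "loopback; never valid on a wire",
    "169.254.0.0/16": "link-local autoconfiguration",
    "172.16.0.0/12":  "private (RFC 1918)",
    "192.0.2.0/24":   "TEST-NET, documentation only",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15":  "benchmarking",
    "240.0.0.0/4":    "reserved (former Class E)",
}

NETWORKS = [(ipaddress.ip_network(p), why) for p, why in BOGON_SOURCES.items()]


def classify_source(src: str) -> tuple:
    """Return ('DROP', reason) if src lies in a bogon prefix, else ('ACCEPT', '')."""
    addr = ipaddress.ip_address(src)
    for net, why in NETWORKS:
        if addr in net:
            return "DROP", f"{net}: {why}"
    return "ACCEPT", ""


def iptables_rules(public_if: str = "eth0") -> list:
    """Render the source-address DROP rules for the public interface.

    The first rule accepts everything on lo: the console keyboard does not
    use lo at all, but local services talking to each other do, and a
    ruleset that forgets lo breaks those even though you are at the console.
    """
    rules = ["iptables -A INPUT -i lo -j ACCEPT"]
    for net, _why in NETWORKS:
        rules.append(f"iptables -A INPUT -i {public_if} -s {net} -j DROP")
    return rules


def safe_apply_script(rules: list, revert_after: int = 120,
                      backup: str = "/tmp/iptables.before") -> str:
    """Shell text that applies `rules` but restores the previous ruleset
    after `revert_after` seconds unless the operator kills the timer.
    This is the standard remedy for the remote lock-out the README warns
    about: if the new rules cut off your session, you just wait."""
    lines = [
        "#!/bin/sh",
        "set -e",
        f"iptables-save > {backup}",
        f"( sleep {revert_after} && iptables-restore < {backup} ) &",
        'echo "revert scheduled as pid $!; kill it once you have confirmed access still works"',
        "iptables -F INPUT",
    ]
    lines.extend(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample sources: one outside every listed prefix, a spoofed
    # private address, the all-zeros address, and the top of 198.18/15.
    for src in ("203.0.113.7", "192.168.1.20", "0.0.0.0", "198.19.255.1"):
        verdict, reason = classify_source(src)
        print(f"{src:>16}  {verdict:<6} {reason}")
    print(safe_apply_script(iptables_rules()))
```

Run it as a normal user to see the verdicts and the generated script; only the generated script needs root, and only on the firewall host. The revert timer is the point of the second function: apply the rules, confirm from another session that you can still get in, then kill the sleep. If you cannot get in, the old ruleset comes back on its own.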