Re: fw newb, locking oneself out, unroutable addresses
gcrimp@vcn.bc.ca writes:
> On Mon, Jan 23, 2006 at 01:02:16PM +1100, Daniel Pittman wrote:
>> gcrimp@vcn.bc.ca writes:
>>
>> G'day.
>>
>> > I want to set up a firewall to protect my home network. I'm a little
>> > paranoid about a warning I read in the Securing Debian howto. It says that
>> > misusing iptables "[o]ne can even manage to lock himself out of the computer
>> > who's keyboard is under his fingers." Can anyone tell me what iptables rule
>> > set could lead to being locked out at the console? Does console access go
>> > through the "lo" interface?
>>
>> That warning, presumably, is (badly worded, and) about locking yourself
>> out if you use SSH or something to access the server. The local,
>> physically connected keyboard does *not* touch the network at all.
>
> I'm not so sure about that.
Really, trust me here: the keyboard input layer is not connected to the
network layer in any way...
> What I quoted from the howto is itself a quote from
> /usr/share/doc/iptables/README.Debian. A more complete quote is:
>
> "The iptables package consists of a set of powerful packet filtering
> administration tools for netfilter. The tools can easily be misused,
> causing enormous amounts of grief by completely cripple network access
> to a computer system. It is not terribly uncommon for a remote system
> administrator to accidentally lock himself out of a system hundreds or
> thousands of miles away. One can even manage to lock himself out of a
> computer who's keyboard is under his fingers.
>
> I think the remote problem you suggest is already covered in this quote.
...and that just confuses me.
> I have to guess that the sentence I included in my OP refers to
> something else. Now that I have determined from where the original
> quote comes, I guess I can ask the author what he means by it.
Indeed. I would be curious -- the situation described is, to my eyes,
almost completely impossible. You could, in theory, prevent X from
functioning or cause an input method of some sort to fail, but otherwise
it really would be quite impractical.
[...]
> I did try shorewall when I first looked at iptables some time ago (a little
> discouraged by yet another change in the firewalling, ie., ipfwadm ->
> ipchains -> iptables) hoping to save myself some trouble. But I found
> shorewall to be as much work. Way too many configuration files to be
> bouncing between and a logic that seemed to me to be way more convoluted
> than simply learning iptables.
Yeah, that was surely my feeling, but many other people love it.
> The generated iptables rules as revealed by -L also seemed to be
> overkill for my relatively simple needs. Maybe I'll follow your
> suggestion and have a look at firehol, though.
Firehol is the first of the helpers that I actually felt, well, helped.
It doesn't try to be anything but an easier way of defining an iptables
system, which I appreciated.
The generated stuff is a bit more complex than the simplest script you
might write by hand, but generally it doesn't do anything too baroque.
Daniel
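A defensive pattern for the remote lock-out the README warns about, added here as an example and not code from this thread: apply a ruleset with a timed rollback, and keep the explicit loopback rule that local daemons need (the console keyboard never does). It assumes iptables-save/iptables-restore are installed and the script runs as root; the admin port and grace period are placeholder values.

```shell
#!/bin/sh
# Added example: apply an iptables ruleset with an automatic rollback timer,
# so a bad rule on a remote box undoes itself instead of locking you out.
# Assumes iptables-save/iptables-restore exist and we run as root.
set -u

# Emit a minimal stateful ruleset in iptables-restore format.
# $1: TCP port to keep reachable for remote administration (default 22).
# Loopback is accepted explicitly: dropping "lo" breaks local daemons
# (X, a local resolver, anything talking to 127.0.0.1) but not the console.
make_ruleset() {
    admin_port=${1:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${admin_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Apply a ruleset read from stdin; revert to the saved rules after $1 seconds
# unless confirm_ruleset is run first. Prints the path of the backup file.
apply_with_rollback() {
    grace=${1:-60}
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    iptables-save > "$backup"
    iptables-restore || { rm -f "$backup"; return 1; }
    # Detached timer: if the admin session is now dead, the old rules return.
    ( sleep "$grace"; [ -e "$backup" ] && iptables-restore < "$backup" ) &
    echo "$backup"
}

# Run from the (still working) remote session to cancel the pending rollback.
confirm_ruleset() {
    rm -f "$1"
}

# Usage: sh fw.sh apply 22 60      (prints the backup path)
#        sh fw.sh confirm /tmp/iptables-backup.XXXXXX   once you can still log in
case "${1:-}" in
    apply)   make_ruleset "${2:-22}" | apply_with_rollback "${3:-60}" ;;
    confirm) confirm_ruleset "$2" ;;
esac
```

If the new rules cut off the SSH session, nothing runs `confirm`, the backup file survives, and the timer restores the previous ruleset.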