[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: fw newb, locking oneself out, unroutable addresses

gcrimp@vcn.bc.ca writes:
> On Mon, Jan 23, 2006 at 01:02:16PM +1100, Daniel Pittman wrote:
>> gcrimp@vcn.bc.ca writes:
>> 
>> G'day.
>> 
>> > I want to set up a firewall to protect my home network.  I'm a little
>> > paranoid about a warning I read in the Securing Debian howto.  It says that
>> > misusing iptables "[o]ne can even manage to lock himself out of the computer
>> > who's keyboard is under his fingers."  Can anyone tell me what iptables rule
>> > set could lead to being locked out at the console?  Does console access go
>> > through the "lo" interface?
>> 
>> That warning, presumably, is (badly worded, and) about locking your self
>> out if you use SSH or something to access the server.  The local,
>> physically connected keyboard does *not* touch the network at all.
>
> I'm not so sure about that.  

Really, trust me here: the keyboard input layer is not connected to the
network layer in any way...

> What I quoted from the howto is itself a quote from
> /usr/share/doc/iptables/README.Debian.  A more complete quote is:
>
>     "The iptables package consists of a set of powerful packet filtering
>      administration tools for netfilter. The tools can easily be misused,
>      causing enormous amounts of grief by completely cripple network access
>      to a computer system. It is not terribly uncommon for a remote system
>      administrator to accidentally lock himself out of a system hundreds or
>      thousands of miles away. One can even manage to lock himself out of a
>      computer who's keyboard is under his fingers.
>
> I think the remote problem you suggest is already covered in this quote.  

...and that just confuses me.  

> I have to guess that the sentence I included in my OP refers to
> something else.  Now that I have determined from where the original
> quote comes, I guess I can ask the author what he means by it.

Indeed.  I would be curious -- the situation described is, to my eyes,
almost completely impossible.  You could, in theory, prevent X from
functioning or cause an input method of some sort to fail, but otherwise
it really would be quite impractical.

[...]

> I did try shorewall when I first looked at iptables some time ago (a little
> discouraged by yet another change in the firewalling, ie., ipfwadm ->
> ipchains -> iptables) hoping to save myself some trouble.  But I found
> shorewall to be as much work.  Way too many configuration files to be
> bouncing between and a logic that seemed to me to be way more convoluted
> than simply learning iptables.  

Yeah, that was surely my feeling, but many other people love it. 

> The generated iptables rules as revealed by -L also seemed to be
> overkill for my relatively simple needs.  Maybe I'll follow your
> suggestion and have a look at firehol, though.

Firehol is the first of the helpers that I actually felt, well, helped.
It doesn't try to be anything but an easier way of defining an iptables
system, which I appreciated.

The generated stuff is a bit more complex than the simplest script you
might write by hand, but generally it doesn't do anything too baroque.

      Daniel
Reply to: