[wplug] dialup security

Vance Kochenderfer vkochend at nyx.net
Fri Oct 12 22:12:06 EDT 2007


(I already replied directly to Zach, but I'm posting here for the
benefit of the archives.)

Zach wrote:
> 
> On 7/19/05, Vance Kochenderfer <vkochend at nyx.net> wrote:
> >
> > I'm not sure how Debian handles firewall configuration.  Mandrake and
> > Red Hat have a file /etc/sysconfig/iptables which is read in when the
> > iptables service is started.  I've appended an edited version of the
> > rules I use.
> [...]
> 
> Thanks for the rules Vance. Any idea how I can have my firewall loaded
> when I am online? I am only online 3-4 hours a day so I don't want
> this firewall running during all my uptime :) I use pon to manually
> start my PPP dialup connection and poff to end it manually.

The firewall (officially named "netfilter") is part of the kernel;
it doesn't run as a separate process.  There's no practical benefit
to trying to disable it when you're not online (in theory, I guess
you could save a tiny bit of memory by unloading the netfilter
modules when you're offline, but it's not worth it since the kernel
is smart enough to swap out unused code if it needs the memory).

> > A brief description:
> >  - Allow all packets out of the machine (probably safe)
> >  - Drop all packets coming in by default
> >  - Allow all packets coming in on the loopback interface
> >  - Allow all packets coming in on the ethernet card (could be unsafe
> >    if you have potentially compromised machines on your network)
> >  - Allow packets in for time synchronization (I'm not aware of any
> >    ntpd exploits)
> 
> Will I still be able to read/send email, play netrek (uses UDP), use
> IM (gaim/amsn), browse the web and accept cookies, use
> ping/traceroute/nslookup, and use ssh?
> Oh I also run the Open AFS client (uses kerberos).

Yes, with the following caveats.
- If you are receiving mail by running your own SMTP server, you
  will need to open a port to allow mailservers to reach it
- Unless the conntrack (connection tracking) subsystem knows about
  netrek, you'll have to open a port for that also
- It's possible that AIM/MSN may need ports opened, but that's less
  likely IMO - you can experiment and find out
- I know nothing about AFS, so can't help you there  :)

> >  - Log and drop packets coming in on PPP interfaces to certain
> >    interesting ports (since drop is the default, you can remove
> >    these lines if you're not excited by reading logs of failed
> >    attacks) - needs ipt_LOG kernel module loaded
> 
> How can I enable this kernel module? I run a Debianized stock 2.6.18
> kernel image.
> 
> >  - Drop ICMP redirect packets (probably redundant?)
> >  - Allow in packets associated with an existing connection - needs
> >    ip_conntrack and ipt_state kernel modules loaded
> >  - Disable forwarding between PPP and other networks
> 
> How do I load these 2 kernel modules? I want them to stay loaded so I
> don't have to do it each time I boot.

Mandriva does it for me automagically.  Not sure what the Debian
way is, but listing them in /etc/modules may do the trick.

> Oh and what do I do with that iptables ruleset you gave me? I mean how
> do I load the rules? I never used a firewall before. Trying to become
> more security conscious.

Mandriva comes with an init script /etc/init.d/iptables.  It
basically just calls iptables-restore to load the ruleset.  To do
it manually you could do
  # iptables-restore -c < rulesetfile
where rulesetfile is the file containing the ruleset.

But you may be better off using one of the tools described in
<http://wiki.debian.org/Firewalls> to set things up.  There are some
good basic tutorials linked from there and from
<http://wiki.debian.org/iptables>.  I started out doing it the hard
way, so haven't played around with the nice graphical tools to see
which are best.

> BTW how do you know if an attack is in progress? What tool(s) can I
> use to alert me to what is happening? I can't spend all my time
> reading /var/log/messages :)

That's a whole 'nother kettle of fish.  Look up intrusion detection
systems (IDS) on Google and you can burn a weekend just getting
started reading about it.  :)

Personally, I don't spend much time worrying about intrusions, but
then again I don't run any server daemons.  Not having an always-
on Internet connection helps, too.

Vance Kochenderfer        |  "Get me out of these ropes and into a
vkochend at nyx.net          |   good belt of Scotch"    -Nick Danger
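
Added example, not part of Vance's post and not the ruleset he mailed
Zach: the policy he summarises above (default drop, accept lo and the
LAN card, accept established/related traffic, accept NTP, log-then-drop
probes on ppp interfaces, drop ICMP redirects, no forwarding) written
out as the file iptables-restore reads, with the modules a Debian box
would list in /etc/modules and a loader that mirrors the init script
he describes.  The interface names (eth0, ppp+), the UDP 123 rule for
ntpd and the list of "interesting" ports are assumptions chosen for
the example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original post.  Interface names, the NTP
# rule and LOGGED_PORTS are assumptions; adjust for your own machine.
set -eu

# Ports logged before being dropped; this list is made up for the example.
LOGGED_PORTS="${LOGGED_PORTS:-22,25,80,135,139,445}"
LAN_IF="${LAN_IF:-eth0}"

# Print the ruleset in iptables-restore format.  Order matters: the
# ESTABLISHED,RELATED rule sits before the LOG rule, otherwise every reply
# packet to connections you opened yourself ends up in /var/log/messages.
write_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Everything from the machine itself
-A INPUT -i lo -j ACCEPT
# Everything from the LAN (unsafe if a LAN host is compromised)
-A INPUT -i ${LAN_IF} -j ACCEPT
# Replies to connections we started (needs ip_conntrack and ipt_state)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Time synchronisation: ntpd talks UDP 123 to UDP 123 (assumed ports)
-A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
# ICMP redirects could rewrite our routes; drop them before anything else
-A INPUT -p icmp --icmp-type redirect -j DROP
# Log probes arriving on the dialup side (needs ipt_LOG), rate-limited so
# a port scan cannot fill the log, then drop them explicitly
-A INPUT -i ppp+ -p tcp -m multiport --dports ${LOGGED_PORTS} -m limit --limit 5/minute -j LOG --log-prefix "ppp probe: "
-A INPUT -i ppp+ -p tcp -m multiport --dports ${LOGGED_PORTS} -j DROP
COMMIT
EOF
}

# Kernel modules the ruleset needs, one per line as /etc/modules expects.
needed_modules() {
    printf '%s\n' ip_conntrack ipt_state ipt_LOG
}

# Load modules, switch off forwarding in the kernel as well as in the
# FORWARD chain, and feed the ruleset to iptables-restore.  Root only.
load_firewall() {
    needed_modules | while read -r m; do modprobe "$m"; done
    sysctl -w net.ipv4.ip_forward=0 >/dev/null
    write_ruleset | iptables-restore -c
}

# Usage:  sh firewall.sh load        (or just:  sh firewall.sh  to print the rules)
if [ "${1:-}" = "load" ]; then
    load_firewall
else
    write_ruleset
fi
```

Because the rules live in a plain file, the same text can be dropped
into /etc/sysconfig/iptables on a Red Hat or Mandriva system, or handed
to iptables-restore from whatever Debian init script you end up using;
the loader above is only there to show the three steps in order.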