Installation with netinst & PPPoE: Is the firewall enabled?


Postby debianfreedom » 2020-04-09 11:16

Hello community. I'm planning to install Debian with the netinst installer and a PPPoE connection. The Debian Installation Guide says that it can be done with the boot parameter "modules=ppp-udeb". My question is: Is the linux firewall (iptables) enabled automatically, with a good config, when the PPPoE connection is done? Or do I have to manually enable the firewall, with some iptables commands in the command line, before the installer makes the connection?

The linux firewall must be enabled because the PPPoE connection gives a public IP to the computer, so it could be attacked.

Thank you
debianfreedom
 
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby Head_on_a_Stick » 2020-04-09 11:53

debianfreedom wrote:Is the linux firewall (iptables) enabled automatically, with a good config, when the PPPoE connection is done?

No, iptables is not enabled (or installed AFAICT). And anyway the default configuration is empty.

debianfreedom wrote:The linux firewall must be enabled because the PPPoE connection gives a public IP to the computer, so it could be attacked.

Why do you think this? What is your suggested avenue of attack?

I'm pretty sure the installer doesn't listen to any ports.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
 
Posts: 12785
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby debianfreedom » 2020-04-09 12:41

Well, I always use internet with the firewall enabled, so incoming connections can't connect to my computer. You are right that, if no processes are listening for incoming connections, then connections can't be done. So if we are sure that no processes are listening during the installation, then probably the firewall is not required. That's ok (but sincerely, I would prefer to have a firewall while I'm connected to internet :-)).
debianfreedom
 
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby debianfreedom » 2020-04-10 08:32

Hello again. How about ping (ICMP protocol)? As far as I know, ICMP doesn't require a listening process, it's the kernel itself who responds to ping requests. Thus if an attacker sends me a ping request, and my firewall is disabled, then my computer will respond, he/she will receive the ping response, will deduce that my firewall is disabled and will try other methods to attack.

For example, the attacker could try to exploit ICMP vulnerabilities. And if there are other protocols that don't require a listening process, then he/she will try to exploit them too.

If my analysis is correct, having the firewall disabled while connected to the internet could be a risk, even if no processes are listening for connections.
debianfreedom
 
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby Head_on_a_Stick » 2020-04-10 10:36

debianfreedom wrote:How about ping (ICMP protocol)?

Leaving ICMP enabled is not considered to be bad practice. See also https://security.stackexchange.com/ques ... block-icmp

debianfreedom wrote:exploit ICMP vulnerabilities

Not many of those exist: https://www.cvedetails.com/product/3563 ... or_id=2089

And those that do tend to be DDoS attacks, which would only affect servers.

debianfreedom wrote:having the firewall disabled while connected to the internet could be a risk, even if no processes are listening for connections.

If no processes are listening to any ports then having a firewall enabled will not protect you in any way. But enable one if you want, it won't do any harm.
Head_on_a_Stick
 
Posts: 12785
Joined: 2014-06-01 17:46
Location: /dev/chair
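
The "no listening processes" premise in the reply above can be checked directly from the kernel's socket tables, which helps in an installer shell that may lack netstat or ss. The script below is an added example, not something posted in the thread; the function names and the sample table are constructed for illustration, and the loopback patterns assume a little-endian machine such as x86.

```shell
#!/bin/sh
# Added example: list listening sockets from a table in /proc/net/tcp layout.

# list_open STATE  (reads /proc/net/tcp, tcp6, udp or udp6 content on stdin)
# STATE is the hex "st" column: 0A = TCP LISTEN, 07 = unconnected UDP socket.
# Prints "PORT exposed" or "PORT loopback", one line per distinct socket.
list_open() {
    want=$1
    while read -r sl laddr raddr st rest; do
        [ "$st" = "$want" ] || continue     # also skips the header line
        addr=${laddr%:*}                     # hex local address
        port=$((0x${laddr##*:}))             # hex port -> decimal
        case $addr in
            # 127.x.x.x and ::1 as printed on little-endian hosts (assumption)
            ??????7F|00000000000000000000000001000000) scope=loopback ;;
            *) scope=exposed ;;
        esac
        echo "$port $scope"
    done | sort -n | uniq
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# sshd on all addresses, a loopback-only listener, one established connection.
sample_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222
   2: 0A0200C0:9C40 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333
EOF
}

sample_tcp | list_open 0A
# On a live system: list_open 0A < /proc/net/tcp   (repeat for tcp6, and
# with state 07 for udp and udp6). No output means nothing is listening.
```

Only lines marked "exposed" are reachable from the PPPoE interface; a loopback-bound listener is not.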

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby debianfreedom » 2020-04-10 11:28

I see, thank you for the information.

How can I enable the firewall? Is the iptables command available during the installation?
debianfreedom
 
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby Head_on_a_Stick » 2020-04-10 15:59

debianfreedom wrote:Is the iptables command available during the installation?

No.

EDIT: actually you can if you choose the expert installer, get to the mount CD bit then open a shell and use udpkg to install the iptables .deb package from the pool.
Head_on_a_Stick
 
Posts: 12785
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby debianfreedom » 2020-04-11 16:29

Thank you. Can I do it in the standard (not expert) installer? The manual says that a shell is available in the second terminal (alt+f2 in text mode, ctrl+alt+f2 in graphical mode). Can I mount the CD and install the .deb at some step of the standard installation (before the PPPoE connection)? For example:

mount /dev/cdrom /mnt/cdrom
udpkg -i /mnt/cdrom/pool/.../iptables.deb
iptables -I ...
debianfreedom
 
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby Head_on_a_Stick » 2020-04-11 17:44

debianfreedom wrote:Can I do it in the standard (not expert) installer?

Yeah, sure. Try it and report back if you can make it work. You will also need to install all of the library .debs in the iptables pool directory.

I tried messing around with a netinstall image in QEMU and I can't get the ip_tables module loaded so it might not be possible.

Perhaps pH will spot this thread and offer better assistance, they know the installer (and iptables) better than me.
Head_on_a_Stick
 
Posts: 12785
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby p.H » 2020-04-12 07:48

AFAICS, iptables support is not available in the Debian installer kernel and there is no debian-installer package providing iptables kernel modules.

If you worry about that, I guess you can do the installation from a Debian live system using the "Calamares" graphic installer after setting up a firewall. Or you can do an offline installation with the Debian installer, set up a firewall and complete the installation with tasksel when online.

Edit:
I have not tested it extensively, but it may also be possible to do the following:
- launch the expert install
- skip the network interface configuration
- partition and install the base system
- at this stage, iptables and the netfilter kernel modules are installed in the target system. You can run commands in the target system with
Code:
in-target --pass-stdout <command>

(without --pass-stdout the standard output is sent to /var/log/syslog by default; the standard error output is only sent to /var/log/syslog)
Note that you may have to load required kernel modules by hand with modprobe.
- then go back to configure the network
- configure the package manager and install software
p.H
 
Posts: 1521
Joined: 2017-09-17 07:12

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby None1975 » 2020-04-12 11:31

Head_on_a_Stick wrote:No, iptables is not enabled (or installed AFAICT). And anyway the default configuration is empty.

Yes, iptables is not enabled by default, but this program is installed by default. This is on my Debian 10 installation. I installed it with network installer.
OS: Debian 10.3 Buster / WM: xmonad
Debian Wiki | DontBreakDebian, My config files on github
None1975
 
Posts: 1019
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby p.H » 2020-04-12 11:51

The topic is about iptables (or nftables) in the Debian installer, not the installed system.
p.H
 
Posts: 1521
Joined: 2017-09-17 07:12

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby debianfreedom » 2020-04-12 15:54

Thank you both. I'd prefer to avoid expert installation and live installation for now (it's the first time I install Debian), thus I would go for an offline installation. Can I use the little image (netinst) to do an offline installation (basic), then boot the new system, set up the firewall and run some command to launch a package installer similar to the one of netinst? Or do I have to download the big images (DVDs) and install everything offline?
debianfreedom
 
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby p.H » 2020-04-12 16:33

debianfreedom wrote:I'd prefer to avoid expert installation and live installation for now (it's the first time I install Debian)

"Expert install" is not reserved to experts. The main differences with normal install are that it goes back to the main menu after each step, and asks extra questions. When you don't know what to answer, just leave the default answer.

debianfreedom wrote:Can I use the little image (netinst) to do an offline installation (basic), then boot the new system, setup the firewall and run some command to launch a package installer similar to the one of netinst?

Yes if you mean set up the firewall yourself with iptables, but you will have to set up the network in /etc/network/interfaces, main and security repositories in /etc/apt/sources.list by yourself and update the sources with apt update. Then you can run tasksel and select a desktop environment and so on.
p.H
 
Posts: 1521
Joined: 2017-09-17 07:12
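
Both routes p.H describes (running commands through in-target before configuring the network in the installer, or setting up iptables on the booted offline system before going online) need the same minimal inbound policy. The script below is an added example, not code from the thread: the RUN prefix variable and the function names are assumptions of this example, it covers IPv4 only, and it has not been tested inside the installer.

```shell
#!/bin/sh
# Added example: default-deny inbound IPv4 rules, applied before the PPPoE
# link is brought up.
#
# RUN is the command prefix (a convention of this example only):
#   RUN="in-target --pass-stdout"  in the installer shell, as in p.H's post
#   RUN=""                         on the booted system, as root
#   RUN="echo"                     dry run that only prints the commands
# The default is the dry run. As p.H notes, kernel modules may have to be
# loaded by hand with modprobe before the rules are accepted.
RUN=${RUN-echo}

fw() { $RUN iptables "$@"; }

apply_fw() {
    fw -F INPUT                                  # start from an empty chain
    fw -A INPUT -i lo -j ACCEPT                  # local traffic
    # Replies to connections this machine opened (package downloads etc.)
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Ping stays answered; the thread notes ICMP need not be blocked
    fw -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Policies go last so traffic accepted above is never interrupted
    fw -P INPUT DROP
    fw -P FORWARD DROP
}

apply_fw
```

Run it once as a dry run and read the printed commands before setting RUN to apply them.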

Re: Installation with netinst & PPPoE: Is the firewall enabl

Postby debianfreedom » 2020-04-13 17:53

Hmmm, problems everywhere :(

Ok, I will probably give a try to some of the other options:
- expert install
- live install
- DVDs offline install

I'll do the installation next month or so. Thank you for the great support :wink:
debianfreedom
 
Posts: 7
Joined: 2020-04-09 11:09

