Installation with netinst & PPPoE: Is the firewall enabled?

Ask for help with issues regarding the Installations of the Debian O/S.
debianfreedom
Posts: 7
Joined: 2020-04-09 11:09

Installation with netinst & PPPoE: Is the firewall enabled?

#1 Post by debianfreedom »

Hello community. I'm planning to install Debian with the netinst installer and a PPPoE connection. The Debian Installation Guide says that it can be done with the boot parameter "modules=ppp-udeb". My question is: Is the linux firewall (iptables) enabled automatically, with a good config, when the PPPoE connection is done? Or do I have to manually enable the firewall, with some iptables commands in the command line, before the installer makes the connection?

The linux firewall must be enabled because the PPPoE connection gives a public IP to the computer, so it could be attacked.

Thank you

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#2 Post by Head_on_a_Stick »

debianfreedom wrote: Is the linux firewall (iptables) enabled automatically, with a good config, when the PPPoE connection is done?
No, iptables is not enabled (or installed AFAICT). And anyway the default configuration is empty.
debianfreedom wrote: The linux firewall must be enabled because the PPPoE connection gives a public IP to the computer, so it could be attacked.
Why do you think this? What is your suggested avenue of attack?

I'm pretty sure the installer doesn't listen to any ports.
deadbang

debianfreedom
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

#3 Post by debianfreedom »

Well, I always use internet with the firewall enabled, so incoming connections can't connect to my computer. You are right that, if no processes are listening for incoming connections, then connections can't be done. So if we are sure that no processes are listening during the installation, then probably the firewall is not required. That's ok (but sincerely, I would prefer to have a firewall while I'm connected to internet :-)).

debianfreedom
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

#4 Post by debianfreedom »

Hello again. How about ping (ICMP protocol)? As far as I know, ICMP doesn't require a listening process, it's the kernel itself who responds to ping requests. Thus if an attacker sends me a ping request, and my firewall is disabled, then my computer will respond, he/she will receive the ping response, will deduce that my firewall is disabled and will try other methods to attack.

For example, the attacker could try to exploit ICMP vulnerabilities. And if there are other protocols that don't require a listening process, then he/she will try to exploit them too.

If my analysis is correct, having the firewall disabled while connected to the internet could be a risk, even if no processes are listening for connections.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#5 Post by Head_on_a_Stick »

debianfreedom wrote: How about ping (ICMP protocol)?
Leaving ICMP enabled is not considered to be bad practice. See also https://security.stackexchange.com/ques ... block-icmp
debianfreedom wrote: exploit ICMP vulnerabilities
Not many of those exist: https://www.cvedetails.com/product/3563 ... or_id=2089

And those that do tend to be DDoS attacks, which would only affect servers.
debianfreedom wrote: having the firewall disabled while connected to the internet could be a risk, even if no processes are listening for connections.
If no processes are listening to any ports then having a firewall enabled will not protect you in any way. But enable one if you want, it won't do any harm.
deadbang
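
Added example, not part of any post in this thread: the argument above turns on whether anything is listening, and this script reads that directly from /proc/net in a shell that may lack ss or netstat. The function names and the sample table are constructed for illustration, and it assumes /proc is mounted.

```shell
#!/bin/sh
# Added example: list listening sockets straight from /proc/net/{tcp,udp}*.
# Function names and the sample table are constructed, not from the thread.

# Decode the little-endian IPv4 hex used by /proc/net/tcp (0100007F -> 127.0.0.1).
hex2ip() {
    h=$1
    b1=${h#??????}; t=${h#????}; b2=${t%??}; t=${h#??}; b3=${t%????}; b4=${h%??????}
    echo "$((0x$b1)).$((0x$b2)).$((0x$b3)).$((0x$b4))"
}

# listeners PROTO STATE < table: print "PROTO ADDR:PORT" for sockets in STATE.
# STATE is 0A (TCP LISTEN) or 07 (UDP socket that is bound but not connected).
listeners() {
    while read -r _sl laddr _remote st _rest; do
        [ "$st" = "$2" ] || continue          # also skips the header line
        addr=${laddr%:*}; port=$((0x${laddr##*:}))
        case ${#addr} in
            8) addr=$(hex2ip "$addr") ;;      # IPv4
            *) addr="[$addr]" ;;              # IPv6: leave the raw hex
        esac
        echo "$1 $addr:$port"
    done
}

# Walk the four kernel tables that exist on this machine.
scan_proc() {
    for p in tcp tcp6 udp udp6; do
        [ -r "/proc/net/$p" ] || continue
        case $p in tcp*) s=0A ;; *) s=07 ;; esac
        listeners "$p" "$s" < "/proc/net/$p"
    done
}

# Constructed sample in /proc/net/tcp layout: one listener on 0.0.0.0:22, one
# on 127.0.0.1:631, and one ESTABLISHED (01) connection that must be ignored.
sample_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1
   2: 0A01A8C0:0016 0202A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1
EOF
}

case "${1:-}" in scan) scan_proc ;; esac
```

Run with the argument `scan`, an empty result means no TCP listener and no bound UDP socket; a line showing 127.0.0.1 is reachable only from the machine itself.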

debianfreedom
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

#6 Post by debianfreedom »

I see, thank you for the information.

How can I enable the firewall? Is the iptables command available during the installation?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#7 Post by Head_on_a_Stick »

debianfreedom wrote: Is the iptables command available during the installation?
No.

EDIT: actually you can if you choose the expert installer, get to the mount CD bit then open a shell and use udpkg to install the iptables .deb package from the pool.
deadbang

debianfreedom
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

#8 Post by debianfreedom »

Thank you. Can I do it in the standard (not expert) installer? The manual says that a shell is available in the second terminal (alt+f2 in text mode, ctrl+alt+f2 in graphical mode). Can I mount the CD and install the .deb at some step of the standard installation (before the PPPoE connection)? For example:

mount /dev/cdrom /mnt/cdrom
udpkg -i /mnt/cdrom/pool/.../iptables.deb
iptables -I ...

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#9 Post by Head_on_a_Stick »

debianfreedom wrote: Can I do it in the standard (not expert) installer?
Yeah, sure. Try it and report back if you can make it work. You will also need to install all of the library .debs in the iptables pool directory.

I tried messing around with a netinstall image in QEMU and I can't get the ip_tables module loaded so it might not be possible.

Perhaps pH will spot this thread and offer better assistance, they know the installer (and iptables) better than me.
deadbang

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#10 Post by p.H »

AFAICS, iptables support is not available in the Debian installer kernel and there is no debian-installer package providing iptables kernel modules.

If you worry about that, I guess you can do the installation from a Debian live system using the "Calamares" graphic installer after setting up a firewall. Or you can do an offline installation with the Debian installer, set up a firewall and complete the installation with tasksel when online.

Edit:
I have not tested it extensively, but it may also be possible to do the following:
- launch the expert install
- skip the network interface configuration
- partition and install the base system
- at this stage, iptables and the netfilter kernel modules are installed in the target system. You can run commands in the target system with

Code: Select all

in-target --pass-stdout <command>
(without --pass-stdout the standard output is sent to /var/log/syslog by default; the standard error output is only sent to /var/log/syslog)
Note that you may have to load required kernel modules by hand with modprobe.
- then go back to configure the network
- configure the package manager and install software
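
Added example, not part of the post above and not tested in the installer: one way to load an inbound default-deny ruleset through the `in-target --pass-stdout <command>` form described in post #10, before going back to configure the network. The function names, the `RUN` and `FW_MODULES` variables, the module list and the ruleset itself are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): inbound default-deny IPv4 ruleset applied
# to the target system with in-target before the PPPoE link is brought up.

# Rules as iptables argument lists, one per line. ACCEPT rules come first and
# the DROP policies last. ICMP stays open, as post #5 suggests.
fw_rules() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-P INPUT DROP
-P FORWARD DROP
EOF
}

# ASSUMPTION: module names for the legacy xtables backend; an iptables built on
# the nft backend needs nf_tables and nft_compat instead. Override FW_MODULES.
fw_modules() {
    echo "${FW_MODULES:-ip_tables iptable_filter xt_conntrack}"
}

# RUN is the command prefix. The default is the form given in post #10;
# RUN=echo prints the commands without executing anything (dry run).
fw_apply() {
    run=${RUN:-in-target --pass-stdout}
    for m in $(fw_modules); do
        $run modprobe "$m" </dev/null || echo "warning: modprobe $m failed" >&2
    done
    fw_rules | while read -r args; do
        # </dev/null keeps the command from swallowing the remaining rules
        $run iptables $args </dev/null || return 1
    done
}

case "${1:-}" in
    apply)   fw_apply ;;
    dry-run) RUN=echo fw_apply ;;
esac
```

The rules cover IPv4 only, so ip6tables needs the equivalent set with `-p ipv6-icmp`. They live in the running kernel and are not persistent, so they have to be loaded again after the first boot of the installed system.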

None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#11 Post by None1975 »

Head_on_a_Stick wrote: No, iptables is not enabled (or installed AFAICT). And anyway the default configuration is empty.
Yes, iptables is not enabled by default, but this program is installed by default. This is on my Debian 10 installation. I installed it with network installer.
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#12 Post by p.H »

The topic is about iptables (or nftables) in the Debian installer, not the installed system.

debianfreedom
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

#13 Post by debianfreedom »

Thank you both. I'd prefer to avoid expert installation and live installation for now (it's the first time I install Debian), thus I would go for an offline installation. Can I use the little image (netinst) to do an offline installation (basic), then boot the new system, set up the firewall and run some command to launch a package installer similar to the one of netinst? Or do I have to download the big images (DVDs) and install everything offline?

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Installation with netinst & PPPoE: Is the firewall enabl

#14 Post by p.H »

debianfreedom wrote: I'd prefer to avoid expert installation and live installation for now (it's the first time I install Debian)
"Expert install" is not reserved for experts. The main differences with normal install are that it goes back to the main menu after each step, and asks extra questions. When you don't know what to answer, just leave the default answer.
debianfreedom wrote: Can I use the little image (netinst) to do an offline installation (basic), then boot the new system, set up the firewall and run some command to launch a package installer similar to the one of netinst?
Yes if you mean set up the firewall yourself with iptables, but you will have to set up the network in /etc/network/interfaces, main and security repositories in /etc/apt/sources.list by yourself and update the sources with apt update. Then you can run tasksel and select a desktop environment and so on.

debianfreedom
Posts: 7
Joined: 2020-04-09 11:09

Re: Installation with netinst & PPPoE: Is the firewall enabl

#15 Post by debianfreedom »

Hmmm, problems everywhere :(

Ok, I will probably give a try to some of the other options:
- expert install
- live install
- DVDs offline install

I'll do the installation next month or so. Thank you for the great support :wink:
