Installation with netinst & PPPoE: Is the firewall enabled?
-
- Posts: 7
- Joined: 2020-04-09 11:09
Installation with netinst & PPPoE: Is the firewall enabled?
Hello community. I'm planning to install Debian with the netinst installer and a PPPoE connection. The Debian Installation Guide says that it can be done with the boot parameter "modules=ppp-udeb". My question is: Is the linux firewall (iptables) enabled automatically, with a good config, when the PPPoE connection is done? Or do I have to manually enable the firewall, with some iptables commands in the command line, before the installer makes the connection?
The linux firewall must be enabled because the PPPoE connection gives a public IP to the computer, so it could be attacked.
Thank you
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Installation with netinst & PPPoE: Is the firewall enabl
debianfreedom wrote: Is the linux firewall (iptables) enabled automatically, with a good config, when the PPPoE connection is done?
No, iptables is not enabled (or installed AFAICT). And anyway the default configuration is empty.
debianfreedom wrote: The linux firewall must be enabled because the PPPoE connection gives a public IP to the computer, so it could be attacked.
Why do you think this? What is your suggested avenue of attack?
I'm pretty sure the installer doesn't listen to any ports.
deadbang
-
- Posts: 7
- Joined: 2020-04-09 11:09
Re: Installation with netinst & PPPoE: Is the firewall enabl
Well, I always use internet with the firewall enabled, so incoming connections can't connect to my computer. You are right that, if no processes are listening for incoming connections, then connections can't be done. So if we are sure that no processes are listening during the installation, then probably the firewall is not required. That's ok (but sincerely, I would prefer to have a firewall while I'm connected to internet).
-
- Posts: 7
- Joined: 2020-04-09 11:09
Re: Installation with netinst & PPPoE: Is the firewall enabl
Hello again. How about ping (ICMP protocol)? As far as I know, ICMP doesn't require a listening process, it's the kernel itself who responds to ping requests. Thus if an attacker sends me a ping request, and my firewall is disabled, then my computer will respond, he/she will receive the ping response, will deduce that my firewall is disabled and will try other methods to attack.
For example, the attacker could try to exploit ICMP vulnerabilities. And if there are other protocols that don't require a listening process, then he/she will try to exploit them too.
If my analysis is correct, having the firewall disabled while connected to the internet could be a risk, even if no processes are listening for connections.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Installation with netinst & PPPoE: Is the firewall enabl
debianfreedom wrote: How about ping (ICMP protocol)?
Leaving ICMP enabled is not considered to be bad practice. See also https://security.stackexchange.com/ques ... block-icmp
debianfreedom wrote: exploit ICMP vulnerabilities
Not many of those exist: https://www.cvedetails.com/product/3563 ... or_id=2089
And those that do tend to be DDoS attacks, which would only affect servers.
debianfreedom wrote: having the firewall disabled while connected to the internet could be a risk, even if no processes are listening for connections.
If no processes are listening to any ports then having a firewall enabled will not protect you in any way. But enable one if you want, it won't do any harm.
deadbang
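The premise in the reply above, that nothing is listening, can be checked directly from the kernel's socket tables. The following is an added example, not part of the thread: the function names and the sample table are constructed, and the loopback test assumes a little-endian machine (x86) and IPv4 tables only.

```shell
#!/bin/sh
# listening_ports PROTO: read a /proc/net/tcp or /proc/net/udp style table on
# stdin and print "proto port scope" for each socket that accepts unsolicited
# packets. Hypothetical helper written for this example.
listening_ports() {
    proto=$1
    # TCP state 0A is LISTEN; unconnected (bound) UDP sockets show state 07.
    case $proto in tcp) want=0A ;; udp) want=07 ;; *) return 2 ;; esac
    awk -v want="$want" -v proto="$proto" '
        function hex2dec(h,   i, n) {         # portable: no strtonum needed
            n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return n
        }
        NR == 1 { next }                      # skip the header line
        ($4 "") == (want "") {
            split($2, a, ":")                 # a[1] = hex address, a[2] = hex port
            # 127.0.0.0/8 is stored byte-swapped, so it ends in 7F
            scope = (a[1] ~ /7F$/) ? "loopback" : "reachable"
            print proto, hex2dec(a[2]), scope
        }'
}

# Constructed sample in /proc/net/tcp layout: sshd on all addresses, a
# loopback-only service, and one established outbound connection.
sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0A00000A:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1
EOF
}

# Demo on the sample; on a live system use: listening_ports tcp < /proc/net/tcp
sample_tcp_table | listening_ports tcp
```

Only lines marked "reachable" are exposed on a public address; an empty result for both tcp and udp matches the situation described in the reply.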
-
- Posts: 7
- Joined: 2020-04-09 11:09
Re: Installation with netinst & PPPoE: Is the firewall enabl
I see, thank you for the information.
How can I enable the firewall? Is the iptables command available during the installation?
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Installation with netinst & PPPoE: Is the firewall enabl
debianfreedom wrote: Is the iptables command available during the installation?
No.
EDIT: actually you can if you choose the expert installer, get to the mount CD bit then open a shell and use udpkg to install the iptables .deb package from the pool.
deadbang
-
- Posts: 7
- Joined: 2020-04-09 11:09
Re: Installation with netinst & PPPoE: Is the firewall enabl
Thank you. Can I do it in the standard (not expert) installer? The manual says that a shell is available in the second terminal (alt+f2 in text mode, ctrl+alt+f2 in graphical mode). Can I mount the CD and install the .deb at some step of the standard installation (before the PPPoE connection)? For example:
mount /dev/cdrom /mnt/cdrom
udpkg -i /mnt/cdrom/pool/.../iptables.deb
iptables -I ...
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Installation with netinst & PPPoE: Is the firewall enabl
debianfreedom wrote: Can I do it in the standard (not expert) installer?
Yeah, sure. Try it and report back if you can make it work. You will also need to install all of the library .debs in the iptables pool directory.
I tried messing around with a netinstall image in QEMU and I can't get the ip_tables module loaded so it might not be possible.
Perhaps pH will spot this thread and offer better assistance, they know the installer (and iptables) better than me.
deadbang
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 132 times
Re: Installation with netinst & PPPoE: Is the firewall enabl
AFAICS, iptables support is not available in the Debian installer kernel and there is no debian-installer package providing iptables kernel modules.
If you worry about that, I guess you can do the installation from a Debian live system using the "Calamares" graphic installer after setting up a firewall. Or you can do an offline installation with the Debian installer, set up a firewall and complete the installation with tasksel when online.
Edit:
I have not tested it extensively, but it may also be possible to do the following:
- launch the expert install
- skip the network interface configuration
- partition and install the base system
- at this stage, iptables and the netfilter kernel modules are installed in the target system. You can run commands in the target system with
Code: Select all
in-target --pass-stdout <command>
(without --pass-stdout the standard output is sent to /var/log/syslog by default; the standard error output is only sent to /var/log/syslog)
Note that you may have to load required kernel modules by hand with modprobe.
- then go back to configure the network
- configure the package manager and install software
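For the "set up a firewall" step in the options above, a minimal inbound default-deny ruleset is sketched here as an added example that is not part of the thread. The function name is hypothetical, ppp0 is assumed as the PPPoE interface, and the rules cover IPv4 only; ping is left answerable in line with the advice earlier in the thread.

```shell
#!/bin/sh
# emit_ruleset WAN_IF: print an iptables-restore ruleset for a single host
# whose public address sits on WAN_IF. Hypothetical helper for this example.
emit_ruleset() {
    wan=${1:-ppp0}
    # Accept only a plain interface name, since it is pasted into a rule.
    case $wan in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $wan" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic never leaves the machine
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep ping answerable on the public interface, rate limited
-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the interface given as first argument (default ppp0).
# To apply it as root before the link comes up:
#   emit_ruleset ppp0 > /etc/iptables.rules
#   iptables-restore --test < /etc/iptables.rules && iptables-restore < /etc/iptables.rules
emit_ruleset "${1:-ppp0}"
```

The ruleset is not persistent across reboots by itself, and IPv6 needs a separate ip6tables ruleset.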
- None1975
- df -h | participant
- Posts: 1389
- Joined: 2015-11-29 18:23
- Location: Russia, Kaliningrad
- Has thanked: 45 times
- Been thanked: 66 times
Re: Installation with netinst & PPPoE: Is the firewall enabl
Head_on_a_Stick wrote: No, iptables is not enabled (or installed AFAICT). And anyway the default configuration is empty.
Yes, iptables is not by default enabled, but this program is installed by default. This is on my Debian 10 installation. I installed it with network installer.
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github
-
- Posts: 7
- Joined: 2020-04-09 11:09
Re: Installation with netinst & PPPoE: Is the firewall enabl
Thank both of you. I'd prefer to avoid expert installation and live installation for now (it's the first time I install Debian), thus I would go for an offline installation. Can I use the little image (netinst) to do an offline installation (basic), then boot the new system, setup the firewall and run some command to launch a package installer similar to the one of netinst? Or do I have to download the big images (DVDs) and install everything offline?
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 132 times
Re: Installation with netinst & PPPoE: Is the firewall enabl
debianfreedom wrote: I'd prefer to avoid expert installation and live installation for now (it's the first time I install Debian)
"Expert install" is not reserved to experts. The main differences with normal install are that it goes back to the main menu after each step, and asks extra questions. When you don't know what to answer, just leave the default answer.
debianfreedom wrote: Can I use the little image (netinst) to do an offline installation (basic), then boot the new system, setup the firewall and run some command to launch a package installer similar to the one of netinst?
Yes if you mean set up the firewall yourself with iptables, but you will have to set up the network in /etc/network/interfaces, main and security repositories in /etc/apt/sources.list by yourself and update the sources with apt update. Then you can run tasksel and select a desktop environment and so on.
-
- Posts: 7
- Joined: 2020-04-09 11:09
Re: Installation with netinst & PPPoE: Is the firewall enabl
Hmmm, problems everywhere
Ok, I will probably give a try to some of the other options:
- expert install
- live install
- DVDs offline install
I'll do the installation next month or so. Thank you for the great support