[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]

Securing Debian Manual
Appendix F - Security update protected by a firewall


After a standard installation, a system may still have some security vulnerabilities. Unless you can download updates for the vulnerable packages on another system (or you have mirrored security.debian.org for local use), the system will have to be connected to the Internet for the downloads.

However, as soon as you connect to the Internet you are exposing this system. If one of your local services is vulnerable, you might be compromised even before the update is finished! This may seem paranoid but, in fact, analysis from the Honeynet Project has shown that systems can be compromised in less than three days, even if the system is not publicly known (i.e., not published in DNS records).

When doing an update on a system not protected by an external system like a firewall, it is possible to properly configure your local firewall to restrict connections involving only the security update itself. The example below shows how to set up such local firewall capabilities, which allow connections from security.debian.org only, logging all others.

FIXME: add IP address for security.debian.org (since otherwise you need DNS up to work) on /etc/hosts.

FIXME: test this setup to see if it works properly

FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode.

       # iptables -F
       # iptables -L
       Chain INPUT (policy ACCEPT)
       target     prot opt source               destination
     
       Chain FORWARD (policy ACCEPT)
       target     prot opt source               destination
     
       Chain OUTPUT (policy ACCEPT)
       target     prot opt source               destination
       # iptables -P INPUT DROP
       # iptables -P FORWARD DROP
       # iptables -P OUTPUT DROP
       # iptables -A OUTPUT -d security.debian.org -p 80 -j ACCEPT
       # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       # iptables -A INPUT -p icmp -j ACCEPT
       # iptables -A INPUT -j LOG
       # iptables -A OUTPUT -j LOG
       # iptables -L
       Chain INPUT (policy DROP)
       target     prot opt source               destination
       ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
       ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
       LOG        all  --  anywhere             anywhere           LOG level warning
     
       Chain FORWARD (policy DROP)
       target     prot opt source               destination
     
       Chain OUTPUT (policy DROP)
       target     prot opt source               destination
       ACCEPT     80   --  anywhere             security.debian.org
       LOG        all  --  anywhere             anywhere           LOG level warning

[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]

Securing Debian Manual

2.99 18 April 2004Wed, 3 Mar 2004 09:18:54 +0100

Javier Fernández-Sanguino Peña jfs@computer.org