# Official howto leaves connection wide open?!!

## Gentree

First of all, big disclaimer: I don't really understand this; that is why I am reading howtos.

BUT, it seems to me that the official Gentoo guide tells us to set up iptables in a way that in effect leaves the connection wide open.

I may be wrong; just in case I'm not, I am not going to wait until I'm a networking expert to raise a red flag.

http://www.gentoo.org/doc/en/home-router-howto.xml

```
Code Listing 5.2: Setting up iptables

First we flush our current rules

# iptables -F

# iptables -t nat -F

Setup default policies to handle unmatched traffic

# iptables -P INPUT ACCEPT

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD DROP

Copy and paste these examples ...

# export LAN=eth0

# export WAN=eth1

Then we lock our services so they only work from the LAN

# iptables -I INPUT 1 -i ${LAN} -j ACCEPT

# iptables -I INPUT 1 -i lo -j ACCEPT

# iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT

# iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

....

```

Now, as I see it from what I've read so far in the configs and other guides, Gentoo overrides eth1 and replaces it with ppp0 when it makes a connection.

This means that the only part of the above that does what it purports to do is the bit where it flushes any existing rules and sets up a default policy that lets everything IN and OUT.

Anything after that sets rules for the LAN and an irrelevant eth1, leaving ppp0 pants-down wide open!!   :Shocked: 

Now, I set this up and I could connect from the Gentoo box, but the SUSE box on the LAN could not see further than my local Apache on the LAN, and this got me asking questions.

Please tell me I'm wrong   :Confused: 

TIA, Gentree.

----------

## kadeux

 *http://www.gentoo.org/doc/en/home-router-howto.xml?style=printable wrote:*   

> Warning: When the DSL interface comes up, it will create ppp0. Although your NIC is called eth1, the IP is actually bound to ppp0. From now on, when you see examples that utilize 'eth1', substitute with 'ppp0'.

 

----------

## Gentree

 *kadeux wrote:*   

>  *http://www.gentoo.org/doc/en/home-router-howto.xml?style=printable wrote:*   Warning: When the DSL interface comes up, it will create ppp0. Although your NIC is called eth1, the IP is actually bound to ppp0. From now on, when you see examples that utilize 'eth1', substitute with 'ppp0'. 

 

Right, so are you saying that this example DOES post a script that leaves things wide open if, in reading the page, we miss the vague warning? I'd read that and seen other scripts that referred to ppp0, so I was on my guard. It did not seem to work with ppp0, so I tried it as printed, thinking maybe I was mistaken. "Surely it would not be there as eth1 if it was supposed to be ppp0?"

In fact eth1 occurs in lots of places in the rather lengthy page, and clearly we should not be substituting ppp0 every time we see it. This makes no sense.

With something as important as this, why post some lines of commands that will leave a system open, with a little note to say it's wrong?

It's like printing a workshop manual telling people to put battery acid in the gearbox with a little note somewhere saying "where you read acid you should substitute oil".

This is the official Gentoo Documentation Howto. Users will read this because they don't understand firewalls; they will try to cut and paste (no one's going to type this lot by hand!) and it will "work" when they try to connect.

Is the bottom line here that the guy who wrote this knew it was wrong but could not be bothered to edit what he'd copied from somewhere else?

No, I'm still hoping I'm wrong here; this is too ridiculous.   :Confused: 

----------

## Wolfpack98

I'm going to be using this very same script on my home router...

Granted, I'm using a cable modem, but what I'd do is change the top of the script where it says ETH1=WAN to PPP0=WAN.

Simple fix... And no, I don't think it'll leave the connection wide open... The script *SHOULD* error out right from the get-go... I think.

----------

## Gentree

No thanks, I've seen enough of this to treat it with a large degree of scepticism.

I also have doubts about the wisdom of setting the default policies before the rules, and also about the suitability of those policies.

```
Setup default policies to handle unmatched traffic

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP
```

It would seem better to set well defined rules then drop the rest with a policy like:

```
iptables -P INPUT DROP
```

A badly written firewall is worse than no firewall. Unless someone can say I've made a silly mistake here this page should be removed ASAP. 

 :Rolling Eyes: 
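The two concerns raised in this thread, the WAN name silently being eth1 when the address actually lives on ppp0 (first post) and the default policies being applied before the rules (the post above), can both be handled by generating the ruleset as an `iptables-restore` file instead of running `iptables` one command at a time. The script below is an added example; it is not from the Gentoo home-router guide and not code posted by anyone in this thread. It takes the WAN interface from an explicit argument or from the default route and emits nothing if it cannot find one, and because `iptables-restore` loads chain policies and rules in one atomic commit, the box never sits with `INPUT ACCEPT` and no rules, and the ordering question goes away. The helper names `detect_wan`, `build_ruleset`, `ruleset_mentions` and `main`, and the file name `router-rules.sh`, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Gentoo guide or from this thread.
# Builds a NAT-router ruleset in iptables-restore format, fail-closed on
# an unknown WAN interface. Helper names below are this example's own.

# detect_wan [IFACE]: print the WAN interface. An explicit argument wins
# (pass ppp0 for a PPPoE link); otherwise the interface of the IPv4
# default route is used. Prints nothing if neither is available.
detect_wan() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    # e.g. "default via 203.0.113.1 dev eth1 ..." or "default dev ppp0 scope link"
    ip -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# build_ruleset LAN WAN: print an iptables-restore file on stdout.
# Prints nothing and returns 1 when LAN or WAN is empty or both name the
# same interface, so a bad call cannot produce a half-open ruleset.
build_ruleset() {
    lan="$1"
    wan="$2"
    if [ -z "$lan" ] || [ -z "$wan" ] || [ "$lan" = "$wan" ]; then
        echo "build_ruleset: need distinct LAN and WAN interfaces" >&2
        return 1
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade LAN traffic leaving on the WAN side
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# default deny on INPUT and FORWARD; applied in the same commit as the rules
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the WAN fall through to the DROP policy; log them first
-A INPUT -i $wan -m state --state NEW -j LOG --log-prefix "wan-new: "
# LAN may reach the WAN; only replies to those connections come back
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# ruleset_mentions RULESET IFACE: succeed if IFACE is used as an -i or -o
# argument anywhere in RULESET. Confirms the WAN name you expect really
# made it into the rules before you load them.
ruleset_mentions() {
    printf '%s\n' "$1" | grep -Eq -- "-(i|o) $2( |$)"
}

# main [WAN]: LAN defaults to eth0 (override with LAN=...), WAN is detected.
main() {
    wan=$(detect_wan "$1")
    if [ -z "$wan" ]; then
        echo "main: no WAN given and no default route found; not writing rules" >&2
        exit 1
    fi
    build_ruleset "${LAN:-eth0}" "$wan"
}

# Run main only when executed as router-rules.sh, not when sourced.
case "$0" in *router-rules.sh) main "$@" ;; esac
```

Save it as `router-rules.sh` and load the result with `LAN=eth0 sh router-rules.sh ppp0 | iptables-restore`; if you leave the argument off, the script uses whatever interface carries the default route and refuses to print anything when there is none, which is the opposite of the guide's listing, where a wrong interface name still leaves you with `INPUT ACCEPT`.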

----------

## kadeux

The netfilter.org "iptables" project

http://www.netfilter.org/projects/iptables/index.html

 *Quote:*   

> What is iptables?
> 
> iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators.
> 
> Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.
> ...

 

 *Quote:*   

> What can I do with netfilter/iptables?
> 
>     * build internet firewalls based on stateless and stateful packet filtering
> 
>     * use NAT and masquerading for sharing internet access if you don't have enough public IP addresses
> ...

 

You refer to the Home Router Guide:

 *Quote:*   

> This guide will show you how to setup Network Address Translation (NAT) on the router (kernel and iptables), add and configure common services (Domain Name System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via rp-pppoe), and conclude with more elaborate and fun things that can be done (port forwarding, traffic shaping, proxies/caching, etc...).

 

iptables is mentioned in this guide in the chapter "NAT (a.k.a. IP-masquerading)". The word "firewall" could only be found once in the whole text. NAT can add a little more security to your setup, but it's not 'really' a firewall feature; it's more a routing mechanism.

 *Gentree wrote:*   

> A badly written firewall is worse than no firewall.

 

That is totally true, but:   :Sad: 

Sorry to say that, you have *not* read the ("official") firewall guide/howto (if there exist any).

For a firewall setup and other security issues you better read the Gentoo Security Handbook

 :Arrow:  http://www.gentoo.org/doc/en/security/security-handbook.xml?style=printable&full=1

The firewall section is here:

http://www.gentoo.org/doc/en/security/security-handbook.xml?style=printable&full=1#book_part1_chap12

And there are many other good resources, for instance 

 :Arrow:  http://www.netfilter.org/documentation/index.html

----------

## magic919

I think we should keep this in perspective. It is a router, and the advice given was to keep the router itself bare, without any services that can be dispensed with. The default policy for the FORWARD chain is DROP. So they get as far as the router, but packets do not get passed on to the LAN. So far as the router is concerned, they'd need to log on in some way to hop over and attempt to compromise the LAN machines. There is an element of risk, but to say it is being left wide open is as inaccurate as it is ill-informed.

----------

## Gentree

Many thanks for those links,

Interestingly from your first link: http://www.gentoo.org/doc/en/security/security-handbook.xml?style=printable&full=1#book_part1_chap12

 *Quote:*   

> People often think that a firewall provides the ultimate security, but they are wrong. In most cases a misconfigured firewall gives less security than not having one at all.

   :Laughing: 

Further reading is definitely needed here; this guide needs to be removed immediately. 

 *Quote:*   

> Sorry to say that, you have *not* read the ("official") firewall guide/howto (if there exist any).

 

Well, I never referred to it as the "firewall" guide. I took it for what it calls itself, a home router guide. This is exactly what I am doing and it seemed to fit the bill. I'm sure I'm not alone in accepting the title of this page and taking it as reliable, since it is part of the official doc. 

I've decided to use shorewall, it looks much more thorough and well documented.

I've always relied on the simple masquerading in rp-pppoe, but I need to connect other boxes through my Gentoo box now.

There is no sense in being sloppy in this area. I'm wondering how many Gentoo users have been caught out and are merrily connected with an entirely useless "firewall".

Thanks again for your comments; I hope this thread will save others from being caught out.

 :Cool: 

----------

## kadeux

 *Gentree wrote:*   

> Interestingly from your first link: http://www.gentoo.org/doc/en/security/security-handbook.xml?style=printable&full=1#book_part1_chap12
> 
> Quote:
> 
> People often think that a firewall provides the ultimate security, but they are wrong. In most cases a misconfigured firewall gives less security than not having one at all.
> ...

 

As I mentioned before, I share the point of view of the authors of the security handbook.

 *Gentree wrote:*   

>  this guide needs to be removed immediately .

 

.. but this is nonsense.

iptables is a tool for many different aspects of the packet flow through the kernel, including packet filtering and NAT/masquerading. The mentioned document describes mainly the use for NAT/masquerading. Both documents are part of the documentation and describe different things. Do you think you are well informed if you are reading only one chapter out of many in a book?

Will you burn all books about motor engineering because they don't teach you how to drive safely?   :Laughing: 

 *Gentree wrote:*   

> I'm wondering how many Gentoo users have been caught out and are merrily connected with an entirely useless "firewall".

 

Too many of the internet users for sure, regardless which OS / distro they are using. But let me ask you: Do you think you are better protected if you believe in one layer of security? What is your perfect ruleset? Are you protected against web service vulnerabilities, http-tunneling, trojan horses, worms, anything? 

 *Quote:*   

> Thanks again for you comments, I hope this thread will save others from being caught out. 

 

Yes, it couldn't be wrong to undermine the belief of so many people that there must be a perfect one-stop, one-fits-all, without-any-drawbacks copy-and-paste solution for 100% security they don't even need to think about. Hope someone will find it someday (because I need this solution, too).  :Wink: 

----------

## Gentree

 *kadeux wrote:*   

> *Gentree wrote:*
> 
> this guide needs to be removed immediately.
> 
> .. but this is nonsense.

 

OK, perhaps I should have said corrected immediately.

I'm not into burning books, but if there were a reference book telling ppl to put acid in their gearbox, it may be a good idea to tear out the page rather than hope they read several books on the subject before servicing the car.

Neither was I suggesting anything was 100% safe, but this "guide" gives advice that is at best ambiguous and could leave you with 0% protection.

I thought there would have been a bit more official reaction. I shall contact the author and voice my concerns, now that it appears I was not mistaken about the implications.

Best regards.   :Cool: 

----------

