
Securing Debian Manual
Appendix F - Security update protected by a firewall


After a standard installation a system may still have security vulnerabilities for which Debian has already published updated packages for that release. If you cannot download those packages on another system (or mirror security.debian.org yourself for local use), you have to connect the freshly installed system to the Internet to apply the security update.

Connecting to the Internet, however, exposes the system. If one of your local services is vulnerable you might be compromised before the update has even finished. This might sound paranoid, but analysis by the Honeynet Project shows that systems can be compromised in less than three days even when the system is not publicly known (i.e. not published in DNS records).

If the system is not protected by an external firewall you can still configure the local packet filter so that only the security update itself is allowed. The example below builds such a restricted setup: only HTTP connections to security.debian.org are accepted, while every other packet is dropped by the default policies and logged.

FIXME: add the IP address of security.debian.org to /etc/hosts, since otherwise DNS must be reachable both for iptables to resolve the name when the rule is added and for apt during the update.

FIXME: test this setup to see if it works properly

FIXME: this only works with http URLs in sources.list; ftp would need the ip_conntrack_ftp module, or passive mode.

     # iptables -F
     # iptables -L
     Chain INPUT (policy ACCEPT)
     target     prot opt source               destination
     
     Chain FORWARD (policy ACCEPT)
     target     prot opt source               destination
     
     Chain OUTPUT (policy ACCEPT)
     target     prot opt source               destination
     # iptables -A OUTPUT -d security.debian.org -p tcp --dport 80 -j ACCEPT
     # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     # iptables -A INPUT -p icmp -j ACCEPT
     # iptables -A INPUT -j LOG
     # iptables -A OUTPUT -j LOG
     # iptables -P INPUT DROP
     # iptables -P FORWARD DROP
     # iptables -P OUTPUT DROP
     # iptables -L
     Chain INPUT (policy DROP)
     target     prot opt source               destination
     ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
     ACCEPT     icmp --  anywhere             anywhere
     LOG        all  --  anywhere             anywhere           LOG level warning
     
     Chain FORWARD (policy DROP)
     target     prot opt source               destination
     
     Chain OUTPUT (policy DROP)
     target     prot opt source               destination
     ACCEPT     tcp  --  anywhere             security.debian.org  tcp dpt:http
     LOG        all  --  anywhere             anywhere           LOG level warning
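The same restricted setup as a script, added here as an example and not part of the manual. It resolves the mirror while DNS is still allowed, pins the addresses in /etc/hosts so apt needs no DNS once the OUTPUT policy is DROP, emits the rules with the ACCEPT entries before the DROP policies, and prints a matching restore sequence. The mirror name is taken from the text; the port-80/HTTP assumption, the log prefixes, the function names and the 192.0.2.x test addresses are this example's own.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual.
# Assumptions (not from the manual): the mirror is fetched over plain HTTP
# on port 80, and its addresses are resolved BEFORE the OUTPUT policy is
# set to DROP, because after that iptables' own lookup of
# "-d security.debian.org" would be dropped like any other DNS query.
set -eu

MIRROR="security.debian.org"

# Resolve the mirror to its IPv4 addresses, one per line. Needs working
# DNS, so this runs while the policies are still ACCEPT.
resolve_mirror() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# /etc/hosts lines pinning the mirror, so apt does not need DNS during
# the update (the resolver uses the first matching line).
hosts_lines() {
    host="$1"; shift
    for ip in "$@"; do
        printf '%s %s\n' "$ip" "$host"
    done
}

# Print the iptables commands for the given mirror addresses. ACCEPT rules
# are emitted first and the DROP policies last, so the update traffic is
# never dropped during setup. Log prefixes are kept under the 29-char limit.
gen_update_rules() {
    host="$1"; shift
    echo "# ruleset for a security update of $host"
    echo "iptables -F"
    for ip in "$@"; do
        # HTTP only: "-p tcp --dport 80", not "-p 80" (that is protocol number 80)
        echo "iptables -A OUTPUT -d $ip -p tcp --dport 80 -j ACCEPT"
    done
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    echo "iptables -A INPUT -j LOG --log-prefix 'secupdate-in: '"
    echo "iptables -A OUTPUT -j LOG --log-prefix 'secupdate-out: '"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
}

# Commands that undo the restricted setup after the update.
restore_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
}

# Usage: sh secupdate.sh dry-run  -> only print the commands
#        sh secupdate.sh apply    -> pin /etc/hosts, load rules, run apt
#        sh secupdate.sh restore  -> open the firewall again
case "${1:-}" in
    dry-run|apply)
        ips=$(resolve_mirror "$MIRROR")
        [ -n "$ips" ] || { echo "cannot resolve $MIRROR" >&2; exit 1; }
        if [ "$1" = "dry-run" ]; then
            hosts_lines "$MIRROR" $ips
            gen_update_rules "$MIRROR" $ips
        else
            hosts_lines "$MIRROR" $ips >> /etc/hosts
            gen_update_rules "$MIRROR" $ips | sh -e
            # sources.list must list only the security source here; any
            # other mirror is now blocked and would make "update" fail.
            apt-get update && apt-get upgrade
        fi
        ;;
    restore)
        restore_rules | sh -e
        ;;
esac
```

Run it as root with dry-run first and compare the printed commands with the listing above; while the rules are loaded, anything other than the update shows up in the kernel log with the secupdate-in/secupdate-out prefixes, which is a quick way to spot a service that tries to reach out. The hosts entries are appended, so remove them (or keep them deliberately) once the update is done.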


Securing Debian Manual

2.5 (beta), 29 August 2002 (Sat, 17 Aug 2002 12:23:36 +0200)
Javier Fernández-Sanguino Peña jfs@computer.org