On Wed, Jan 04, 2017 at 10:54:53AM -0600, Richard Owlett wrote:
> I'm searching for an introduction to iptables that leads me to answers to
> the questions *I* have. I've got a flock of links I'm working thru.
> 
> 
> In the meantime I have a few questions.
> 
> One of the links led to _Securing Debian Manual_ and in particular
> "Appendix F - Security update protected by a firewall"
> {https://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html}
> 
> I follow the description as far as it goes - i.e. access is limited to a
> specific URL.
> QUESTION 1
> What happens if the URL is not "security.debian.org" but my bank.
> I assume that there is no problem with links within the same domain.

That would be incorrect.

Whoever wrote that example did not do a great job of it,
probably because they were rushed. One problem is alluded
to in a footnote: they use a DNS name in a rule, but they
don't mention that it will be resolved precisely once, at the
time that the rule is entered, and will be replaced by the
single IP address that comes back.

What happens if you use a DNS name that doesn't resolve?

What happens if you use a DNS name that resolves to several IPs?

What happens if you use a DNS name that is dynamically resolved
to a new IP by a DNS load balancer?

and so on and so forth. These all cause unexpected situations.

If you want to whitelist services at the IP firewall level, you
need to understand how they are constructed, and be prepared for
things to break when they change.


> There will be a separate install of Debian that I will use for "everything
> else". Can the iptables of that install be set to allow access to any domain
> *EXCEPT* my bank's? The goal being minimization of "operator error".

Not as a domain, but as an IP or set of IPs, certainly. There
is a ! (not) operator, and of course logic can be used to send
packets to ACCEPT, DROP or REJECT.

> Question 3
> Is there a simple-minded tool that I could enter the show in the example in
> "Appendix F".

Not simple-minded, no.

-dsr-
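The two points in the reply above, that iptables resolves a hostname once at rule-load time and that `!` negates a single match, can be made concrete with a small script. This is an added example for the thread, not code from the Securing Debian Manual, from iptables, or from either poster. It does the resolution step by hand so the baked-in addresses are visible, generates one rule per address (iptables does the same when a name returns several addresses, and refuses `! -d` in that case), and includes a check you can run later to see whether the answers have moved. The addresses are constructed for illustration and belong to no real host; the port and chain names are assumptions.

```shell
#!/bin/sh
# Added example for the thread above, not from the Securing Debian Manual.
# iptables resolves a hostname exactly once, when the rule is loaded, so this
# script makes that step explicit: resolve first, keep the answers, generate
# one rule per address. All addresses below are constructed, not real ones.

# Whitelist one host: an ACCEPT per address, then a catch-all REJECT.
# Usage: allow_only PORT ADDR...
allow_only() {
    port=$1; shift
    # A name that did not resolve yields no addresses and therefore no rule.
    [ $# -gt 0 ] || { echo "no addresses: nothing would be whitelisted" >&2; return 1; }
    for a in "$@"; do
        printf '%s\n' "-A OUTPUT -p tcp -d $a --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A OUTPUT -j REJECT"
}

# Allow everything except one host. `!` negates a single -d match and
# iptables rejects `! -d` for a name with several addresses, so with more
# than one address emit a REJECT per address followed by a final ACCEPT.
# Usage: block_only ADDR...
block_only() {
    [ $# -gt 0 ] || { echo "no addresses: nothing would be blocked" >&2; return 1; }
    if [ $# -eq 1 ]; then
        printf '%s\n' "-A OUTPUT ! -d $1 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -j REJECT"
        return 0
    fi
    for a in "$@"; do
        printf '%s\n' "-A OUTPUT -d $a -j REJECT"
    done
    printf '%s\n' "-A OUTPUT -j ACCEPT"
}

# Compare the addresses baked into the rules with a fresh answer and print
# every address that appears in only one of the two lists. Empty output means
# the rules are still current. Usage: drift "OLD ADDRS" "NEW ADDRS"
drift() {
    old=$(printf '%s\n' $1 | sort -u)
    new=$(printf '%s\n' $2 | sort -u)
    printf '%s\n' "$old" "$new" | sort | uniq -u | sed '/^$/d'
}

# Demo with constructed answers. For a live host you would snapshot with
# something like: getent ahosts HOST | awk '{print $1}' | sort -u
SEC_ADDRS="192.0.2.20 192.0.2.21"
BANK_ADDRS="192.0.2.10 192.0.2.11"
echo "# update box: only the security mirror"
allow_only 443 $SEC_ADDRS
echo "# everything-else box: all but the bank"
block_only $BANK_ADDRS
echo "# a later re-resolution moved one bank address:"
drift "$BANK_ADDRS" "192.0.2.10 192.0.2.12"
```

Run `drift` from cron against the snapshot you generated the rules from; any output means the whitelist or blocklist no longer matches what the name resolves to, which is exactly the breakage the reply warns about.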
