03/09/13 18:53, intrigeri wrote: > Hi, > > [email protected] wrote (31 Aug 2013 14:00:08 GMT) : >> A Whisperback bug report is suggesting us to limit the user i2psvc to >> send UDP through the firewall. > > Looks mostly good (once it has comments), only one question below. > >> Here is a patch for that.
Unfortunately the premise of this patch is wrong; I2P uses *both* UDP and TCP transport over the "clear" Internet [1]. If anything this change will make Tails I2P clients stand out. [1] http://www.i2p2.de/protocols.html (see the "Transport layer" bullet) >> It also adds missing ports 7654 7658 for the >> user amnesia to access some i2p services. > > Once some commit message tells me what problem this solves, and what > "some i2p services" are, then I'm happy to review this part. > The design doc would need an update, likely, but this can probably > wait for a future iteration. For the record, the I2P FAQ has a comprehensive list of all ports (local and external) used by I2P: http://www.i2p2.de/faq.html#ports TCP lo port 7654 is for I2CP [1], a client protocol, that no application shipped in Tails depends on. I don't see any harm in white-listing it, but it'll only be useful for users that actually install some (non-supported) application that uses I2CP, and hence I don't see much of a reason to either. [2] http://www.i2p2.de/i2cp TCP lo port 7658 gives local access to the I2P web server that can be enabled to serve a personal eepsite (i.e. it's akin to a http Tor hidden service), but a placeholder site is shown it's disabled. Note that the I2P webserver is disabled by default in Tails. I suppose this would be handy for users that enable it, but I'm not sure we want to support that, especially since we're in hidden mode. >> + outerface ! lo mod owner uid-owner i2psvc { >> + proto udp ACCEPT; >> + } > > Any specific reason to only restrict on !lo? > In other words, does I2P need to do TCP on the loopback interface? I2P doesn't start any UDP lo listeners so such a restriction looks like a valid firewall lockdown step. I think i2psvc at least needs access to the service wrapper (TCP lo port 32000+, the first free one) for being able to shut down cleanly. --- While the above makes it clear that there's room for some more fine-grained white-listing of which lo ports i2psvc (and debian-tor for that matter) can access, I sadly think there's nothing in this patch really worth merging at this point. Sorry, anonymous contributor. :( Cheers! _______________________________________________ tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev
