On 7/24/14, intrigeri <[email protected]> wrote:
> Hi,
>
> (happy to see someone look at these rules in detail, and question
> part of it!)

Thank you for the positive feedback!

> Jacob Appelbaum wrote (24 Jul 2014 01:28:54 GMT) :
>> When would we ever have a RELATED or ESTABLISHED ipv6 connection when
>> everything is dropped?
>
> I think the only reasons to have these rules are:
>
> 1. it makes it *slightly* easier to develop and test stuff based on
>    OnionCat. Arguably, this hasn't happened recently, so it's a bit of
>    a weak reason.

That sounds like a great reason to find a way to make it easy to
dynamically change the firewall for such an application - can ferm
easily load different rules on demand?

> 2. historically (before we used ferm), at some point, we did accept
>    incoming and outgoing IPv6 on the loopback interface. When we
>    changed this (commit b4c48aa), we kept the RELATED/ESTABLISHED
>    rules; no idea why, I would guess that this fix went into
>    a point-release, and we wanted to keep the changes minimal.

Ok. I can make such a patch.

> I personally would be glad to apply a patch that changes this.

Sounds good.

> I'd like this patch (or branch) to have been used quite a bit on
> a Tails system first (and the exact scope of the tests documented),
> and then we can run the automated test suite on an ISO built from it
> before merging.

I've been using it for the last ~24 hrs without issue.

> (In other words: the proposed change seems very unrisky to me, so
> *this* time, I don't feel the need to insist on having a branch that's
> been tested by building an ISO from it, and testing the result :)
>
>> Furthermore, do we really want to REJECT with
>> reject-with icmp6-port-unreachable? Why not simply drop it on the
>> floor silently?
>
> It was copied straight from the IPv4 firewall configuration in 2010.
> It might help some badly torified and/or leaky applications give up
> IPv6 earlier => possibly some performance (and then, usability)
> improvements. Possibly minor, possibly important, can't know without
> extensive testing, I would say.

Ok. That sounds like a reason to just DROP the packet on the floor.

> TBH, I see little use in going through this process, and risking
> introducing a surprising regression. What are the drawbacks with
> keeping the current REJECT rule, exactly?

Tails should be silent - these rules make Tails behave in a way that
deviates from silence. I guess it is a fingerprint on the network, no?

>> Obviously, if a Tails user wants to use an IPv6 bridge or only has
>> IPv6, it wouldn't work... Does it work at the moment for anyone?
>
> I'm not aware of anyone having worked on this yet. I'd be delighted to
> see some test results and early patches, to get the thing rolling :)

That sounds like we need not worry about ipv6 for a while with Tails.

All the best,
Jacob

Tails-dev mailing list, https://mailman.boum.org/listinfo/tails-dev
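Added illustration of the two IPv6 rule sets being compared in the thread. This is not Tails' ferm.conf and not code posted by either participant: it is a minimal ferm fragment I wrote to make the difference concrete. Variant A is the shape of the rules as intrigeri describes them (a RELATED/ESTABLISHED accept followed by a REJECT with icmp6-port-unreachable); Variant B is the silent alternative Jacob argues for (a plain DROP policy with no exceptions). The chain selection and comments are my assumptions; the two variants are alternatives, so only one of them should be loaded.

```ferm
# Variant A: rules of the kind discussed in the thread (illustrative).
# With DROP as policy and no other ACCEPT, the state rule can only ever
# match if some additional rule (e.g. one added while testing OnionCat)
# has already let a connection through.
domain ip6 {
    table filter {
        chain (INPUT OUTPUT) {
            policy DROP;
            mod state state (RELATED ESTABLISHED) ACCEPT;
            # Everything else is actively refused: the peer (or the local
            # socket, for OUTPUT) receives an ICMPv6 port-unreachable error
            # instead of waiting for a timeout. That reply is itself a
            # packet the host sends, which is the "not silent" objection.
            REJECT reject-with icmp6-port-unreachable;
        }
    }
}

# Variant B (replaces A, do not load both): silently discard all IPv6.
# No state exception and no ICMPv6 error is generated; an IPv6 connection
# attempt simply never gets an answer.
domain ip6 {
    table filter {
        chain (INPUT OUTPUT FORWARD) {
            policy DROP;
        }
    }
}
```

Before applying either variant, `ferm --noexec --lines ferm.conf` prints the ip6tables commands it would run without touching the live ruleset, so the difference between the two expansions can be reviewed and tested on a throwaway system first. The behavioural difference is easy to observe locally: with Variant A an IPv6 TCP connection attempt from the box fails immediately with a refused/unreachable error, whereas with Variant B it hangs until the application's own timeout, which is the "leaky applications give up IPv6 earlier" trade-off intrigeri raises.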
