Heya,

On 7/24/14, intrigeri <[email protected]> wrote:
> Hi,
>
> Jacob Appelbaum wrote (24 Jul 2014 21:27:54 GMT) :
>> That sounds like a great reason to find a way to make it easy to dynamically change the firewall for such an application - can ferm easily load different rules on demand?
>
> No idea.
Ok. This seems like a side point but still an important thing to consider at some point - stuff like i2p, Tor and other firewall exceptions might be good to disable by default.

>> On 7/24/14, intrigeri <[email protected]> wrote:
>>> 2. historically (before we used ferm), at some point, we did accept incoming and outgoing IPv6 on the loopback interface. When we changed this (commit b4c48aa), we kept the RELATED/ESTABLISHED rules; no idea why, I would guess that this fix went into a point-release, and we wanted to keep the changes minimal.
>>
>> Ok. I can make such a patch.
>
> Yay \o/

I have attached a basic patch to clean up the IPv6 firewall rules. It is a very simple patch. Still, I would love someone to test it and ensure that I didn't break everything. :)

>>> I'd like this patch (or branch) to have been used quite a bit on a Tails system first (and the exact scope of the tests documented), and then we can run the automated test suite on an ISO built from it before merging.
>>
>> I've been using it for the last ~24hrs without issue.
>
> It would be useful to know what you tested. You can share the sensible parts of this information privately with me, if needed. And hide some, of course :)

I used Tails as normal - browsing, ssh, xmpp-client, pond, etc. Nothing ceased to function. I did remove some other rules as well, thus making it even more restricted.

I did notice the following in my dmesg:

[77244.592308] Dropped outbound packet: IN= OUT=eth0 SRC=10.0.254.23 DST=10.0.254.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57641 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0

Strangely, my DHCP client is still functioning. :) This is why I'd like a second set of eyes...

>> Tails should be silent - these rules make Tails behave in a way that deviates from silence. I guess it is a fingerprint on the network, no?
>
> This REJECT rule lives only in the OUTPUT chain, so I believe you're mistaken here. Did I miss anything?
You are correct - the REJECT rule is in the OUTPUT chain, but I worry that the other rules may bypass the firewall (e.g. they're ACCEPT'ed) and the TCP/IP stack will respond in some way. I would feel more comfortable if iptables just dropped it on the floor before anything else is involved in the affair.

All the best,
Jacob
From 6ee17706cdb2e4abbd4427416e36bf63731eaa20 Mon Sep 17 00:00:00 2001 From: Jacob Appelbaum <[email protected]> Date: Thu, 24 Jul 2014 01:30:25 +0000 Subject: [PATCH] simplify ipv6 ferm rules --- config/chroot_local-includes/etc/ferm/ferm.conf | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf index 54ab253..754595d 100644 --- a/config/chroot_local-includes/etc/ferm/ferm.conf +++ b/config/chroot_local-includes/etc/ferm/ferm.conf @@ -154,9 +154,6 @@ domain ip6 { table filter { chain INPUT { policy DROP; - - # Established connections are accepted. - mod state state (RELATED ESTABLISHED) ACCEPT; } chain FORWARD { @@ -165,13 +162,8 @@ domain ip6 { chain OUTPUT { policy DROP; - - # Established connections are accepted. - mod state state (RELATED ESTABLISHED) ACCEPT; - # Everything else is logged and dropped. LOG log-prefix "Dropped outbound packet: " log-level debug log-uid; - REJECT reject-with icmp6-port-unreachable; } } } -- 1.7.2.5
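Review bot: the commit message "simplify ipv6 ferm rules" does not record why it is safe to drop the `mod state state (RELATED ESTABLISHED) ACCEPT;` rule from an ip6 INPUT chain whose `policy DROP;` now stands alone; the thread gives the rationale (IPv6 on loopback was already removed in commit b4c48aa, and the state rules were only kept to keep a point-release change minimal), so suggest putting that reasoning in the commit message and noting that after this hunk no IPv6 packet is accepted inbound at all, which is what the test scope on a running Tails should confirm.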
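Review bot: with `REJECT reject-with icmp6-port-unreachable;` removed from the ip6 OUTPUT chain, everything now falls through `LOG log-prefix "Dropped outbound packet: " ...` to `policy DROP;`, which is the intended silent behaviour; but the prefix "Dropped outbound packet: " is evidently shared with the IPv4 rules (the dmesg line quoted in the mail carries an IPv4 SRC/DST and a DHCP port pair), so when documenting the tests it would help to give the ip6 LOG rule a distinct prefix such as "Dropped outbound IPv6 packet: " so that entries produced by this domain can be told apart from IPv4 drops without inspecting addresses.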
_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
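As an added example (not part of the thread above and not Tails or ferm project code), the parser below turns the `KEY=VALUE` lines that the netfilter LOG target writes to dmesg into records and tallies them by IP version, protocol and destination port, which is the kind of summary the "what did you test" question above asks for. The first sample line is the one quoted in the mail; the two IPv6 lines are constructed for illustration and do not come from any real system.

```python
"""Parse netfilter LOG lines (as seen in dmesg) and summarize drops.

Added example, not from the tails-dev thread or the Tails project.
Assumes the standard iptables/ip6tables LOG output format: an optional
kernel timestamp, a free-text log-prefix, then KEY=VALUE tokens starting
at "IN=".  Bare flag tokens such as DF or SYN have no value.
"""
import re
from collections import Counter

# Constructed sample input: line 1 is the dmesg entry quoted in the mail;
# lines 2-3 are hypothetical IPv6 entries using the same log-prefix.
SAMPLE_LOG = """\
[77244.592308] Dropped outbound packet: IN= OUT=eth0 SRC=10.0.254.23 DST=10.0.254.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57641 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[77250.100000] Dropped outbound packet: IN= OUT=eth0 SRC=fe80::1 DST=ff02::1 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
[77251.200000] Dropped outbound packet: IN= OUT=eth0 SRC=fe80::1 DST=fe80::2 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=44444 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0
"""

_TIMESTAMP = re.compile(r"^\[\s*([0-9.]+)\]\s*")
_FIELDS_START = re.compile(r"(?:^|\s)IN=")


def parse_log_line(line):
    """Return a dict for one LOG line, or None if it is not a LOG entry.

    Duplicate keys (LOG prints LEN= once for the IP header and once for
    the transport header) are kept as LEN, LEN_2, ...  Bare flag tokens
    (DF, SYN, ...) are stored with the value True.  "ipver" is derived
    from the SRC address: 6 if it contains a colon, else 4.
    """
    line = line.strip()
    ts = _TIMESTAMP.match(line)
    if not ts:
        return None
    rest = line[ts.end():]
    start = _FIELDS_START.search(rest)
    if not start:
        return None
    fields = {"timestamp": float(ts.group(1)),
              "prefix": rest[:start.start()].strip()}
    for tok in rest[start.start():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
        else:
            key, value = tok, True
        name, n = key, 2
        while name in fields:            # de-duplicate repeated keys
            name = f"{key}_{n}"
            n += 1
        fields[name] = value
    src = fields.get("SRC", "")
    fields["ipver"] = (6 if ":" in src else 4) if src else None
    return fields


def summarize(log_text):
    """Count logged packets by (ipver, PROTO, DPT) across all lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        counts[(rec["ipver"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for (ver, proto, dport), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"IPv{ver} {proto} dport={dport}: {n}")
```

Run against a real dmesg capture, the summary immediately shows whether a logged drop came from the IPv4 or the IPv6 chain (the quoted line is IPv4 UDP 68 to 67, i.e. a DHCP client message, so it is not produced by the ip6 rules the patch touches).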
