On Thu, 24 Jul 2014 21:14:48 +0000 (UTC) intrigeri <[email protected]> wrote:
> Hi,
>
> (happy to see someone look at these rules in detail, and question
> part of it!)
>
> Jacob Appelbaum wrote (24 Jul 2014 01:28:54 GMT) :
> > When would we ever have a RELATED or ESTABLISHED ipv6 connection
> > when everything is dropped?

Would it make sense to have IPv6 disabled by default in the kernel, such as with `ipv6.disabled=1` at the syslinux prompt? Or disabling it with sysctl?

If nothing else it might fix those problems seen with MAC address spoofing like one can see with VirtualBox and bridged adapters (not tested), such as

Jul 30 21:48:28 localhost kernel: [ 450.104114] Dropped outbound packet: IN= OUT=eth0 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0001:ff01:cb07 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jul 30 21:48:29 localhost kernel: [ 450.492124] Dropped outbound packet: IN= OUT=eth0 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Jul 30 21:48:29 localhost kernel: [ 451.104170] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Jul 30 21:48:29 localhost kernel: [ 451.104188] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Jul 30 21:48:30 localhost kernel: [ 451.572090] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Jul 30 21:48:33 localhost kernel: [ 455.112102] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Jul 30 21:48:35 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Jul 30 21:48:37 localhost kernel: [ 459.122031] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0

If it might be worthwhile, I can take a stab at it after the I2P things are better taken care of. (Of course the existing firewall rules would have to be modified to make the IPv6 rules conditional upon whether IPv6 is enabled or not; otherwise *none* of the firewall rules get applied if the IPv6 rules fail due to missing IPv6 support in the kernel.)

I just ask because at this point IPv6 clearly can't work for anyone without modifications to the existing rules, so maybe remove IPv6 until it's ready to be used?
_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
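The dropped-packet lines quoted in the mail are easier to reason about once the ICMPv6 types and multicast destinations are decoded: types 133, 135 and 143 are Router Solicitation, Neighbor Solicitation and MLDv2 Listener Report, sent from the unspecified or link-local address to well-known link-local groups, which is the autoconfiguration traffic a kernel emits as soon as IPv6 is enabled on an interface. The following parser is an added example, not code from the mail or from Tails; it runs over a constructed sample in the same log format (the last sample line, a TCP drop from a 2001:db8:: documentation address, is made up to show a drop that does not fit the autoconfiguration pattern) and separates expected autoconfiguration noise from drops that merit a closer look when reviewing firewall logs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same format as the kernel log lines quoted in the
# mail: three ICMPv6 autoconfiguration drops, one unrelated dhclient line, and
# one made-up drop from a global address in the 2001:db8::/32 documentation prefix.
SAMPLE_LOG = """\
Jul 30 21:48:28 localhost kernel: [  450.104114] Dropped outbound packet: IN= OUT=eth0 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0001:ff01:cb07 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jul 30 21:48:29 localhost kernel: [  450.492124] Dropped outbound packet: IN= OUT=eth0 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Jul 30 21:48:29 localhost kernel: [  451.104188] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Jul 30 21:48:35 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Jul 30 21:50:01 localhost kernel: [  543.000000] Dropped outbound packet: IN= OUT=eth0 SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=45000 DPT=443
"""

# ICMPv6 types used by Neighbor Discovery (RFC 4861) and MLDv2 (RFC 3810).
ICMPV6_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    143: "MLDv2 Listener Report",
}

# Well-known link-local multicast groups these messages are addressed to.
MULTICAST_GROUPS = {
    ipaddress.IPv6Address("ff02::1"): "all-nodes",
    ipaddress.IPv6Address("ff02::2"): "all-routers",
    ipaddress.IPv6Address("ff02::16"): "all MLDv2-capable routers",
}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")

DROP_RE = re.compile(r"kernel: \[\s*[\d.]+\] Dropped outbound packet: (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_dropped_packets(text):
    """Return one dict of KEY=VALUE fields per 'Dropped outbound packet' line."""
    entries = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # e.g. the dhclient line, which is not a firewall drop
        entry = dict(FIELD_RE.findall(m.group("fields")))  # IN= yields an empty value
        entry["timestamp"] = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
        entries.append(entry)
    return entries


def group_name(dst):
    """Name the multicast group a destination belongs to, if it is a known one."""
    if dst in MULTICAST_GROUPS:
        return MULTICAST_GROUPS[dst]
    if dst in SOLICITED_NODE:
        return "solicited-node"
    return "other"


def describe(entry):
    """Decode one dropped packet and say whether it is expected autoconf traffic."""
    src = ipaddress.IPv6Address(entry["SRC"])
    dst = ipaddress.IPv6Address(entry["DST"])
    icmp_type = int(entry["TYPE"]) if entry.get("PROTO") == "ICMPv6" else None
    # Neighbor Discovery / MLD from :: or fe80::/10 to a multicast group is what
    # the kernel sends on its own when IPv6 is enabled on the interface.
    expected = (
        icmp_type in ICMPV6_TYPES
        and dst.is_multicast
        and (src.is_unspecified or src.is_link_local)
    )
    return {
        "src": str(src),  # compressed form, e.g. "::" or "fe80::a00:27ff:fe01:cb07"
        "dst": str(dst),
        "group": group_name(dst),
        "message": ICMPV6_TYPES.get(icmp_type, entry.get("PROTO", "?")),
        "category": "autoconf-noise" if expected else "review",
    }


def summarize(text):
    """Count dropped packets per category over a whole log."""
    return Counter(describe(e)["category"] for e in parse_dropped_packets(text))


if __name__ == "__main__":
    for e in parse_dropped_packets(SAMPLE_LOG):
        d = describe(e)
        print(f'{e["timestamp"]} {d["src"]} -> {d["dst"]} ({d["group"]}) '
              f'{d["message"]}: {d["category"]}')
    print(summarize(SAMPLE_LOG))
```

With IPv6 disabled in the kernel the "autoconf-noise" category disappears entirely, which is the effect the mail is after; anything left in "review" is traffic a process actually tried to send and is worth tracing back to its origin.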
