On 12/4/14, Oliver-Tobias Ripka <o...@bockcay.de> wrote:
> According to anonym on Thu, Dec 04 2014:
>
>> FWIW I experienced no issues during my tests with *only* ESTABLISHED in
>> both the INPUT and OUTPUT chains so neither NEW nor RELATED seems
>> essential for the basic usage I tested. And of course the above
>> "exploits" didn't work due to the absence of NEW.
>
> You're right, it works with ESTABLISHED only. This is due to the whitelisted
> rule for the debian-tor user that may send any kind of packet.

That is what I'd expect, yes. We should also tighten that user down as well. What do you think for the first iteration?

> We might consider hardening this rule to prevent leaks of other protocols
> by the debian-tor user; basically restrict it to only allow TCP SYN
> packets. The rest would be handled by the stateful rule.

Yes, I think ESTABLISHED makes sense, and to have different users per pluggable transport, for example.

All the best,
Jacob
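The two OUTPUT-chain variants discussed in this thread, side by side, as an added example (not code from the thread, from Tails, or from Tor): a small first-match rule simulator instead of live iptables commands, so the behaviour of the weak whitelist and the tightened one can be checked without root. The rule encoding, the sample packets and the "other-user" name are assumptions; debian-tor is the user named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a first-match evaluator for an OUTPUT
# chain, comparing "debian-tor may send any kind of packet" with the tightened
# "debian-tor may only send TCP SYN; everything else rides on ESTABLISHED".
# Rule format (constructed): "uid proto syn conntrack-state target", "*" is a
# wildcard. debian-tor is the thread's user; packets and other-user are made up.

# Current whitelist: the owner rule matches regardless of protocol or flags.
WEAK_RULES='
* * * ESTABLISHED ACCEPT
debian-tor * * * ACCEPT
* * * * DROP'

# Tightened form proposed in the thread: Tor may only *open* TCP connections
# (SYN set, conntrack NEW); reply and follow-up packets hit the stateful rule.
TIGHT_RULES='
* * * ESTABLISHED ACCEPT
debian-tor tcp 1 NEW ACCEPT
* * * * DROP'

# "*" in a rule field is a wildcard; otherwise the packet field must match.
field_matches() { [ "$1" = '*' ] || [ "$1" = "$2" ]; }

# verdict RULES UID PROTO SYN STATE -> prints the target of the first
# matching rule, or DROP if nothing matched (a constructed chain policy).
verdict() {
  rules=$1; uid=$2; proto=$3; syn=$4; state=$5
  while read -r r_uid r_proto r_syn r_state r_target; do
    [ -n "$r_uid" ] || continue          # skip the blank leading line
    if field_matches "$r_uid" "$uid" && field_matches "$r_proto" "$proto" \
       && field_matches "$r_syn" "$syn" && field_matches "$r_state" "$state"
    then
      echo "$r_target"; return 0
    fi
  done <<EOF
$rules
EOF
  echo DROP
}

# Cases from the thread: a non-TCP packet from the Tor user leaks through the
# weak rule but not the tight one; a TCP SYN from another user is dropped by
# both because NEW is never allowed for anyone else.
echo "weak,  tor udp NEW:          $(verdict "$WEAK_RULES"  debian-tor udp 0 NEW)"
echo "tight, tor udp NEW:          $(verdict "$TIGHT_RULES" debian-tor udp 0 NEW)"
echo "tight, tor tcp SYN NEW:      $(verdict "$TIGHT_RULES" debian-tor tcp 1 NEW)"
echo "tight, tor tcp ESTABLISHED:  $(verdict "$TIGHT_RULES" debian-tor tcp 0 ESTABLISHED)"
echo "tight, other tcp SYN NEW:    $(verdict "$TIGHT_RULES" other-user tcp 1 NEW)"
```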