Hi,

Jacob Appelbaum wrote (14 Feb 2016 13:46:45 GMT):
> I was specifically replying to this bit:
>>> A conservative change to the tails config would be to keep a RELATED
>>> rule but limit it to known good ICMP messages.

Thanks for explaining. Now I'm lost and still don't understand whether your comment about "just drop all packets on the floor" relates to the option I explicitly said I didn't pick (I guess not, since it would not help solve the problem at hand, at least not in a way I understand, but OTOH you tell me you were _specifically_ replying to it), or to the option that I did pick (that included a discussion about effects on LAN use cases, which I suspect are much more likely to trigger such a reaction from your part). /me confused :/

I'm sick of seeing great, long threads like this one start with great ideas and bursts of creativity and never reach a practically useful conclusion. I want _this_ very thread to reach a conclusion in the form of a security improvement we can ship to Tails users. This is what I'm trying to achieve here. I'm sure that we can agree on this, and I bet that you and I share some of the feelings behind it.

I want the security improvement discussed in this thread to happen ASAP, so pragmatically, I can't allow myself to block on another, harder decision before we move forward here. This is why we're not going to make a decision _in this thread_ about the security/usability cursor default position for firewalling of connections to RFC1918 addresses. We have another thread for that. I'm unhappy about various aspects of that other thread, and I know you are too, but it's still our best chance of reaching a useful conclusion on that matter.

Back to the topic this thread is about. My preferred option for the problems discussed in this very thread is essentially the one you proposed initially, just fixed/refined. If we want to make it happen we need to evaluate/fix the remaining blockers of this proposal.

I would love it if it had already happened a year ago; then things would be simple and we could "just" do $this or $that, but it did not happen back then, so here we are.

I've listed a few potential blockers that are caused by blocking Destination Unreachable ICMP error messages. One of those is about LAN use cases. Dropping that specific one from the list of blockers won't solve the others. So let's not argue about that specific one; it would only lock each of us into predefined positions and roles, and would prevent us from moving forward on the broader topic this thread is about.

So, I humbly suggest that if you personally want to put some more time into this thread again at this point, you ignore the LAN blocker as far as this thread is concerned (I'm happy to deal with it myself), and instead focus on the other blockers of the proposed solution. I believe this will be the most useful contribution you can make to help us work together and turn this thread, which you started a while ago, into an actual improvement we can ship to Tails users.

Thank you!

Cheers,
-- 
intrigeri

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
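For readers following the thread: the quoted proposal, "keep a RELATED rule but limit it to known good ICMP messages", has a concrete shape in firewall terms. The nftables ruleset below is an added illustration written for this page; it is not Tails' actual firewall (which at the time of this thread was generated by ferm for iptables) and not code from either participant. It contrasts the broad form (accept anything conntrack marks RELATED, which includes every ICMP error type) with the narrowed form, where RELATED is still required so that an unsolicited ICMP error cannot match, but only an explicit list of ICMP types is accepted. The type names are the standard nft keywords; which types belong on the list, and in particular whether Destination Unreachable belongs there at all, is exactly what the thread is still weighing, so the list here is an assumption, with Destination Unreachable kept only for the frag-needed code (ICMP type 3 code 4), the one that IPv4 path MTU discovery depends on, and its IPv6 counterpart packet-too-big.

```nft
# Added example, not Tails' ruleset. Assumed policy: drop by default,
# allow established flows, and accept RELATED ICMP errors only from an
# explicit allow-list instead of accepting every RELATED packet.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established accept

        # Broad form the thread is moving away from: every ICMP error
        # that conntrack can tie to a flow gets in, whatever its type.
        # ct state related accept

        # Narrowed form: still requires RELATED (so the error must match
        # an existing flow), but only the listed types are accepted.
        # Assumed allow-list; adjust to what the thread settles on.
        ct state related icmp type { time-exceeded, parameter-problem } accept
        ct state related icmp type destination-unreachable icmp code frag-needed accept
        ct state related icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept

        # Everything else RELATED, including the other Destination
        # Unreachable codes, falls through to the drop policy.
    }
}
```

Loading a file like this with `nft -f` replaces only the listed table, so the effect of narrowing or widening the ICMP set can be tested in isolation; the price of omitting a type from the list is that the kernel never sees that error, which is the class of "blocker" the message above asks to be enumerated.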
