Hi,
anonym wrote (17 Apr 2012 12:12:24 GMT) :
> I've implemented this (and changed some necessary application
> configurations) in feature/firewall_lockdown.
Why allow access to system DNS from the htp user?
Is this user used for anything else than running wget?
Why allow access to system DNS from the proxy user?
I think every such exception must be clearly explained by a short
sentence that we'll put in the design doc. Perhaps write it directly
in the design doc, in the topic branch the feature lives in?
Also, I like being able to manually send arbitrary DNS requests to
ttdnsd. The current rules in this branch force me to ask pdnsd
instead, and get the (useful for application use, but incomplete for
more elaborate uses) result from Tor DNS for the request types
it supports.
> The iptables rules will certainly look more beautiful with ferm.
Sure. The rules as implemented are not that ugly, though, so I suggest
we finish and merge the firewall lockdown feature first, before
tackling the move to ferm, that's arguably much lower priority.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
