04/18/2012 12:15 PM, intrigeri:
> Hi,
>
> anonym wrote (17 Apr 2012 12:12:24 GMT) :
>> I've implemented this (and changed some necessary application
>> configurations) in feature/firewall_lockdown.
>
> Why allow access to system DNS from the htp user?
> Is this user used for anything else than running wget?
>
> Why allow access to system DNS from the proxy user?
Yeah, you're right, I didn't think far enough in these two cases. Three
cases, actually; for the same reason the root user doesn't need system
DNS access either (assuming its only networking use case is apt-get).
> I think every such exception must be clearly explained by a short
> sentence that we'll put in the design doc. Perhaps write it directly
> in the design doc, in the topic branch the feature lives in?
This will be done, for sure.
> Also, I like being able to manually send arbitrary DNS requests to
> ttdnsd. The current rules in this branch force me to ask pdnsd
> instead, and get the (useful for application use, but incomplete for
> more elaborate uses) result from Tor DNS for the request types
> it supports.
Ok, such an exception should be no problem. OTOH, I was under the
impression that pdnsd would fall back to ttdnsd for queries unsupported
by Tor's built-in resolver. Actually it seems to work that way (I see
8.8.8.8 listed in Vidalia for query types unsupported by Tor's DNSPort).
However, ttdnsd seems to be broken in Tails 0.11-rc1:
* It's terminated (and not restarted) once the Iceweasel window
appears. It seems it cannot handle concurrent DNS requests (?), since
running the following will make it crash:
    host -t A boum.org 127.0.0.2 &
    host -t AAAA boum.org 127.0.0.2 &
When Iceweasel starts it concurrently does an A and AAAA query for
several of the search engines and the startpage, so it definitely
kills ttdnsd. But it's surprising that the A request is forwarded to
ttdnsd and not handled by Tor's DNSPort (I've verified that ttdnsd
gets everything by inspecting a packet dump). Changing the two
commands above to resolve using 127.0.0.1 results in Tor's DNSPort
handling the A request and ttdnsd the AAAA request as expected.
What's up with Iceweasel?
* Running something like `host -t $TYPE boum.org 127.0.0.2` fails for
all $TYPE resulting in "connection timed out; no server could be
reached", so ttdnsd seems unusable.
>> The iptables rules will certainly look more beautiful with ferm.
>
> Sure. The rules as implemented are not that ugly, though
They would look ugly to you too if you, like me, first wrote the rules
using the group approach :).
> so I suggest
> we finish and merge the firewall lockdown feature first, before
> tackling the move to ferm, that's arguably much lower priority.
Yeah, definitely.
Cheers!
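The per-user DNS exceptions discussed above, written out as an added example (this is not code from the thread, from Tails or from the feature/firewall_lockdown branch): only users listed in a policy may reach a local resolver on port 53, each exception must carry the one-line justification intrigeri asks for, and every other user (htp, proxy, root included) is rejected. The listeners 127.0.0.1 (Tor's DNSPort) and 127.0.0.2 (ttdnsd) are the ones named in the thread; the user name "desktop" and the justification texts are placeholders I made up. The script only prints iptables commands, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not code from the Tails thread or from Tails itself.
# Emits iptables OUTPUT rules restricting DNS egress per Unix user:
#   - only users in DNS_POLICY may reach the named local listener on port 53,
#   - every exception needs a justification (for the design doc), otherwise
#     nothing is emitted and the function fails,
#   - all other port-53 traffic is rejected (htp, proxy and root get no DNS).
# Assumed/placeholder: user name "desktop" and the justification strings.
# 127.0.0.1 (Tor DNSPort) and 127.0.0.2 (ttdnsd) come from the thread.

# Policy: one "user|listener|justification" per line (constructed sample).
DNS_POLICY='desktop|127.0.0.1|desktop applications resolve names through Tor DNSPort
desktop|127.0.0.2|manual debugging queries to ttdnsd from the desktop session'

# dns_rules POLICY : print iptables commands for POLICY.
# Returns 1 (after a message on stderr) if any entry lacks a justification.
dns_rules() {
    printf '%s\n' "$1" | while IFS='|' read -r user listener why; do
        [ -n "$user" ] || continue
        if [ -z "$why" ]; then
            echo "error: DNS exception for $user -> $listener has no justification" >&2
            exit 1   # leaves the while-subshell with status 1
        fi
        printf '# %s: %s\n' "$user" "$why"
        # owner matching only works in OUTPUT; restrict to loopback and the listener
        for proto in udp tcp; do
            printf 'iptables -A OUTPUT -o lo -d %s -p %s --dport 53 -m owner --uid-owner %s -j ACCEPT\n' \
                "$listener" "$proto" "$user"
        done
    done || return 1
    # Default deny for every other user and every other resolver address.
    printf '# no other user gets system DNS\n'
    for proto in udp tcp; do
        printf 'iptables -A OUTPUT -p %s --dport 53 -j REJECT\n' "$proto"
    done
}

# dns_allowed RULES USER : succeed if RULES contain an ACCEPT for USER.
dns_allowed() {
    printf '%s\n' "$1" | grep -q -- "--uid-owner $2 -j ACCEPT"
}

# Usage: sh thisfile.sh --demo   (prints the generated rules)
if [ "${1:-}" = "--demo" ]; then
    dns_rules "$DNS_POLICY"
fi
```

Each emitted ACCEPT is preceded by its justification as a comment, so the generated rule set doubles as the list of exceptions the design doc has to explain; an entry without a reason is refused rather than silently allowed.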