Hi,
This branch locks down the firewall in such a way that only users that
need access to any given loopback service (e.g. Tor, polipo, DNS) has
access to it. For instance, the amnesia user has access to most things
but the proxy user (running polipo) only has access to Tor's SOCKSPort.
With this whitelist/principle of least privilege approach we hope to
block potential leaks and deanonymization attacks by compromised
processes, and also to force us to be more conscious about new loopback
services and users that are added. [1]
[1]
https://tails.boum.org/todo/firewall_lockdown
This branch is currently merged into the experimental branch. What needs
testing is basically all networked application. Especially keep an eye
out for things that doesn't work, but it may also be good to
occasionally check dmesg for any dropped packages and try to figure out
which application sent it, and why (tcpdump or iptables' ULOG are your
friends for this).
Since this has been in experimental for over two weeks I'm curious about
any feedback you might have.
Cheers!
