A Whisperback bug report suggests that we limit the user i2psvc to
sending only UDP through the firewall.
Here is a patch for that. It also adds the missing ports 7654 and 7658, so that the
user amnesia can access some further i2p services.
Thoughts?
--- ferm.conf 2013-08-26 00:22:06.935360662 +0000
+++ ferm-i2p.conf 2013-08-28 04:33:45.958710788 +0000
@@ -74,11 +74,10 @@
}
# White-list access to I2P
- daddr 127.0.0.1 proto tcp syn mod multiport
destination-ports (4444 4445 6668 7657 7659 7660) {
+ daddr 127.0.0.1 proto tcp syn mod multiport
destination-ports (4444 4445 6668 7654 7657 7658 7659 7660) {
mod owner uid-owner amnesia ACCEPT;
}
-
# White-list access to CUPS
daddr 127.0.0.1 proto tcp syn dport 631 {
mod owner uid-owner amnesia ACCEPT;
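Review bot: The widened `destination-ports (4444 4445 6668 7654 7657 7658 7659 7660)` list gives no indication of what the two new ports are, and the cover text only says "some i2p services", so someone auditing this loopback whitelist later cannot tell which services the amnesia user is being granted. Suggest spelling them out on the comment line above, e.g. `# White-list access to I2P: 4444/4445 HTTP(S) proxy, 6668 IRC proxy, 7654 I2CP, 7657 router console, 7658 local eepsite, 7659/7660 mail proxies (confirm against the I2P config)`. If 7654 is indeed the I2CP client port, note that it is not a proxy like the other entries: any process running as amnesia can then register itself as an I2P client, a broader capability than before, and the comment should say that this is intended. The closing brace of this block appears to lie just past the visible hunk lines.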
@@ -99,6 +98,10 @@
proto udp dport domain ACCEPT;
}
+ outerface ! lo mod owner uid-owner i2psvc {
+ proto udp ACCEPT;
+ }
+
# Local network connections should not go through Tor but
DNS shall be
# rejected.
# (Note that we exclude the VirtualAddrNetwork used for
.onion:s here.)
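Review bot: The new `outerface ! lo mod owner uid-owner i2psvc { proto udp ACCEPT; }` block accepts UDP from i2psvc to any destination and any port, yet unlike every neighbouring rule it carries no comment saying why this user is exempt from the Tor-only policy enforced around it. Read together with the later hunk that comments out the blanket `mod owner uid-owner i2psvc ACCEPT;`, any TCP the router still emits (its NTCP transport, or HTTPS reseeding, if either is enabled in the I2P configuration) will now fall through to the LOG/DROP rule; that is presumably the intent, but it should be confirmed against the I2P config and stated here. Suggest `# i2psvc (the I2P router) may reach the Internet directly, but only over UDP (SSU); its TCP is dropped below, so NTCP and reseeding must be disabled or handled elsewhere.`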
@@ -112,7 +115,7 @@
mod owner uid-owner debian-tor ACCEPT;
# i2p is allowed to do anything it wants to.
- mod owner uid-owner i2psvc ACCEPT;
+ #mod owner uid-owner i2psvc ACCEPT;
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug
log-uid;