[Tails-dev] Limiting i2psvc to UDP through firewall

Borrar esta mensaxe

Responder a esta mensaxe
Autor: sajolida
Data:  
Para: The Tails public development discussion list
Asunto: [Tails-dev] Limiting i2psvc to UDP through firewall
A Whisperback bug report is suggesting us to limit the user i2psvc to
send UDP through the firewall.

Here is a patch for that. It also adds missing ports 7654 7658 for the
user amnesia to access some i2p services.

Thoughts?

--- ferm.conf    2013-08-26 00:22:06.935360662 +0000
+++ ferm-i2p.conf    2013-08-28 04:33:45.958710788 +0000
@@ -74,11 +74,10 @@
                 }


                 # White-list access to I2P
-                daddr 127.0.0.1 proto tcp syn mod multiport
destination-ports (4444 4445 6668 7657 7659 7660) {
+                daddr 127.0.0.1 proto tcp syn mod multiport
destination-ports (4444 4445 6668 7654 7657 7658 7659 7660) {
                     mod owner uid-owner amnesia ACCEPT;
                 }


-
                 # White-list access to CUPS
                 daddr 127.0.0.1 proto tcp syn dport 631 {
                     mod owner uid-owner amnesia ACCEPT;
@@ -99,6 +98,10 @@
                 proto udp dport domain ACCEPT;
             }


+            outerface ! lo mod owner uid-owner i2psvc {
+                proto udp ACCEPT;
+            }
+
             # Local network connections should not go through Tor but
DNS shall be
             # rejected.
             # (Note that we exclude the VirtualAddrNetwork used for
.onion:s here.)
@@ -112,7 +115,7 @@
             mod owner uid-owner debian-tor ACCEPT;


             # i2p is allowed to do anything it wants to.
-            mod owner uid-owner i2psvc ACCEPT;
+            #mod owner uid-owner i2psvc ACCEPT;


             # Everything else is logged and dropped.
             LOG log-prefix "Dropped outbound packet: " log-level debug
log-uid;