Re: [Tails-dev] Network policy exceptions

Delete this message

Reply to this message
Autor: intrigeri
Data:  
A: The Tails public development discussion list
Assumpte: Re: [Tails-dev] Network policy exceptions
Hi William,

William Waites wrote (02 Jun 2014 21:11:04 GMT) :
> Hello! I've starting using Tails since the 1.0 release and have a
> little bit of feedback.


Thanks for sharing!

TBH, I was not aware that there was an allocated block for
carrier-grade NAT. Of course, when thinking of it, it perfectly
makes sense.

> In other words makes an exception (-j lan) immediately after the entry
> for 192.168.0.0/16. This doesn't seem to be exceptionally robust, but it
> works. I just run it as


> sudo poke 100.64.0.0/10


> Is there a better way to do this?


There's no facility in Tails to pierce the firewall, and it seems to
me that you've done it quite properly, so... I guess the answer is no.

> Perhaps it would be useful to automate this? When an interface receives
> an IP address, to construct the firewall rules and ssh config from that
> rather than having the hard-coded list?


This design seems elegant at first glance, but:

1. If I'm assigned a public IP address by my ISP via PPPoE, I probably
want to consider everything that's in the same subnet as me (but
the router) to be part of the Internet, and thus connections to
there need to go through Tor, even if I might have a more direct
route to it. I don't want to trust whatever routes the ISP is
sending me.

2. If I'm assigned a carrier-grade NAT IP address, unless I'm trusting
the ISP a *lot*, I don't want Tails to connect in the clear to
other hosts that are on the same subnet as me. And I can't do it
with Tor either, because these hosts are not directly reachable on
the Internet.

I think I understand your usecase, and I'm sorry that Tails'
simplistic differentiation between what's local (RFC1918) and what's
not does not address your needs.

> Would it make sense to have a knob in the advanced panel of the greeter
> to enter networks that are to be exceptions? Maybe not since anyone who
> wanted such a thing should be able to do it from the command line.


TBH, it's the first time that I remember, in five years, that someone
expresses this need, so I guess it doesn't deserve to make the Greeter
UI more complicated.

OTOH, it's been a longstanding item on our todo list to revisit the
whitelisting of RFC1918 addresses (and possibly, removing it
altogether by default), to when someone tackles this task, and add
some bits of UI to optionally enable it back in the Greeter, it would
be great if it was done in a way that's generic enough to suit
your needs.

> All in all, quite impressed with Tails! Wonderful work!


Many thanks for the kind words :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc