[Tails-dev] firewall rules

Diese Nachricht ist Teil des folgenden Threads:
MDer komplette Thread sortiert nach Datum
M 
Mintrigeri am ->
Nachricht löschen

Nachricht beantworten
Autor: Jacob Appelbaum
Datum:  
To: The Tails public development discussion list
Betreff: [Tails-dev] firewall rules
Hi,

I've been looking at ferm.conf and I have some questions. It appears
that for ipv6, we have rules that state the following: 

# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;


            # Established connections are accepted.
            mod state state (RELATED ESTABLISHED) ACCEPT;
        }


        chain FORWARD {
            policy DROP;
        }


        chain OUTPUT {
            policy DROP;


            # Established connections are accepted.
            mod state state (RELATED ESTABLISHED) ACCEPT;


            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp6-port-unreachable;
        }
    }
}


When would we ever have a RELATED or ESTABLISHED ipv6 connection when
everything is dropped? Furthermore, do we really want to REJECT with
reject-with icmp6-port-unreachable? Why not simply drop it on the
floor silently?

I imagine that this policy would be helpful to simplify things and
ensure that they fail closed: 

# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
        }


        chain FORWARD {
            policy DROP;
        }


        chain OUTPUT {
            policy DROP;
            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
        }
    }
}


Or as a patch: 

diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf
b/config/chroot_local-includes/etc/ferm/ferm.conf
index 56bb20a..37939b8 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -145,9 +145,6 @@ domain ip6 {
     table filter {
         chain INPUT {
             policy DROP;
-
-            # Established connections are accepted.
-            mod state state (RELATED ESTABLISHED) ACCEPT;
         }


         chain FORWARD {
@@ -156,13 +153,8 @@ domain ip6 {


         chain OUTPUT {
             policy DROP;
-
-            # Established connections are accepted.
-            mod state state (RELATED ESTABLISHED) ACCEPT;
-
             # Everything else is logged and dropped.
             LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
-            REJECT reject-with icmp6-port-unreachable;
         }
     }
 }


Obviously, if a Tails user wants to use an IPv6 bridge or only has
IPv6, it wouldn't work... Does it work at the moment for anyone?

All the best,
Jacob

Diese Nachricht wurde auf der folgenden Mailing-List gepostet:
tails-dev
Mailing-List-Info | Nachrichten um die Zeit		<-[Tails-dev] vpwnedRe: [Tails-dev] vpwned->
lists.autistici.org administriert von postmasterLurker (Version 2.3)