[Tails-dev] firewall rules

Nachricht löschen

Nachricht beantworten
Autor: Jacob Appelbaum
Datum:  
To: The Tails public development discussion list
Betreff: [Tails-dev] firewall rules
Hi,

I've been looking at ferm.conf and I have some questions. It appears
that for ipv6, we have rules that state the following:

# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;


            # Established connections are accepted.
            mod state state (RELATED ESTABLISHED) ACCEPT;
        }


        chain FORWARD {
            policy DROP;
        }


        chain OUTPUT {
            policy DROP;


            # Established connections are accepted.
            mod state state (RELATED ESTABLISHED) ACCEPT;


            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp6-port-unreachable;
        }
    }
}


When would we ever have a RELATED or ESTABLISHED ipv6 connection when
everything is dropped? Furthermore, do we really want to REJECT with
reject-with icmp6-port-unreachable? Why not simply drop it on the
floor silently?

I imagine that this policy would be helpful to simplify things and
ensure that they fail closed:

# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
        }


        chain FORWARD {
            policy DROP;
        }


        chain OUTPUT {
            policy DROP;
            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
        }
    }
}


Or as a patch:

diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf
b/config/chroot_local-includes/etc/ferm/ferm.conf
index 56bb20a..37939b8 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -145,9 +145,6 @@ domain ip6 {
     table filter {
         chain INPUT {
             policy DROP;
-
-            # Established connections are accepted.
-            mod state state (RELATED ESTABLISHED) ACCEPT;
         }


         chain FORWARD {
@@ -156,13 +153,8 @@ domain ip6 {


         chain OUTPUT {
             policy DROP;
-
-            # Established connections are accepted.
-            mod state state (RELATED ESTABLISHED) ACCEPT;
-
             # Everything else is logged and dropped.
             LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
-            REJECT reject-with icmp6-port-unreachable;
         }
     }
 }


Obviously, if a Tails user wants to use an IPv6 bridge or only has
IPv6, it wouldn't work... Does it work at the moment for anyone?

All the best,
Jacob