Re: [Tails-dev] firewall rules

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] firewall rules
Hi,

(happy to see someone look at these rules in detail, and question
part of it!)

Jacob Appelbaum wrote (24 Jul 2014 01:28:54 GMT) :
> When would we ever have a RELATED or ESTABLISHED ipv6 connection when
> everything is dropped?

I think the only reasons to have these rules are:

1. it makes it *slightly* easier to develop and test stuff based on
OnionCat. Arguably, this hasn't happened recently, so it's a bit of
a weak reason.
2. historically (before we used ferm), at some point, we did accept
incoming and outgoing IPv6 on the loopback interface. When we
changed this (commit b4c48aa), we kept the RELATED/ESTABLISHED
rules; no idea why, I would guess that this fix went into
a point-release, and we wanted to keep the changes minimal.

I personally would be glad to apply a patch that changes this.

I'd like this patch (or branch) to have been used quite a bit on
a Tails system first (and the exact scope of the tests documented),
and then we can run the automated test suite on an ISO built from it
before merging.

(In other words: the proposed change seems very unrisky to me, so
*this* time, I don't feel the need to insist on having a branch that's
been tested by building an ISO from it, and testing the result :)

> Furthermore, do we really want to REJECT with
> reject-with icmp6-port-unreachable? Why not simply drop it on the
> floor silently?

It was copied straight from the IPv4 firewall configuration in 2010.
It might help some badly torified and/or leaky applications give up
IPv6 earlier => possibly some performance (and then, usability)
improvements. Possibly minor, possibly important, can't know without
extensive testing, I would say.

TBH, I see little use in going through this process, and risking
introducing a surprising regression. What are the drawbacks with keeping
the current REJECT rule, exactly?

> Obviously, if a Tails user wants to use an IPv6 bridge or only has
> IPv6, it wouldn't work... Does it work at the moment for anyone?

I'm not aware of anyone having worked on this yet. I'd be delighted to
see some test results and early patches, to get the thing rolling :)

Cheers,
--
intrigeri
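The first question in the thread (when could a RELATED/ESTABLISHED rule ever match if everything else on IPv6 is dropped?) can be turned into a mechanical check. The script below is an added example, not Tails' own ferm configuration or tooling: it parses `ip6tables-save` output (the sample dump is constructed to mirror the situation discussed) and reports filter chains whose policy is DROP and whose only ACCEPT rules depend on conntrack state, since no packet is ever accepted as NEW there and so no flow can become ESTABLISHED.

```python
"""Flag RELATED/ESTABLISHED accept rules that can never match.

Added example (not Tails' ferm rules). Input is ip6tables-save text; the
sample is constructed. A chain is reported when its policy is DROP and
every ACCEPT rule requires RELATED/ESTABLISHED state.
"""
import re

# Constructed sample: all IPv6 dropped, yet RELATED/ESTABLISHED accepted,
# and OUTPUT rejecting (as in the thread) rather than silently dropping.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"""
STATE_RE = re.compile(r"--(?:state|ctstate)\s+(\S+)")
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


def parse_filter_table(dump):
    """Return {chain: (policy, [rule lines])} for the *filter table only."""
    chains, in_filter = {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif in_filter and line.startswith("-A "):
            chains.setdefault(line.split()[1], ("-", []))[1].append(line)
    return chains


def dead_conntrack_chains(dump):
    """Chains where every ACCEPT needs a state no packet can ever reach."""
    dead = []
    for name, (policy, rules) in parse_filter_table(dump).items():
        targets = [r.split(" -j ")[1].split()[0] for r in rules if " -j " in r]
        if policy != "DROP" or not targets or set(targets) - TERMINAL:
            continue  # open policy, or a jump to a user chain we can't reason about
        accepts = [STATE_RE.search(r) for r in rules if " -j ACCEPT" in r]
        if accepts and all(m and set(m.group(1).split(",")) <= {"RELATED", "ESTABLISHED"}
                           for m in accepts):
            dead.append(name)
    return sorted(dead)


if __name__ == "__main__":
    for chain in dead_conntrack_chains(SAMPLE):
        print(f"{chain}: RELATED/ESTABLISHED accept can never match")
```

Adding an unconditional accept such as `-i lo -j ACCEPT` to a chain (the historical loopback exception mentioned above) makes that chain disappear from the report, because NEW traffic can then create conntrack entries.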