Hi,
Jacob Appelbaum wrote (24 Jul 2014 21:27:54 GMT) :
> That sounds like a great reason to find a way to make it easy to
> dynamically change the firewall for such an application - can ferm
> easily load different rules on demand?
No idea.
> On 7/24/14, intrigeri <intrigeri@???> wrote:
>> 2. historically (before we used ferm), at some point, we did accept
>> incoming and outgoing IPv6 on the loopback interface. When we
>> changed this (commit b4c48aa), we kept the RELATED/ESTABLISHED
>> rules; no idea why, I would guess that this fix went into
>> a point-release, and we wanted to keep the changes minimal.
>>
> Ok. I can make such a patch.
Yay \o/
>> I'd like this patch (or branch) to have been used quite a bit on
>> a Tails system first (and the exact scope of the tests documented),
>> and then we can run the automated test suite on an ISO built from it
>> before merging.
>>
> I've been using it for the last ~24hrs without issue.
It would be useful to know what you tested. You can share the sensible
parts of this information privately with me, if needed. And hide some,
of course :)
> Tails should be silent - these rules make Tails behave in a way that
> deviates from silence. I guess it is a fingerprint on the network, no?
This REJECT rule lives only in the OUTPUT chain, so I believe you're
mistaken here. Did I miss anything?
Cheers,
--
intrigeri