Heya,
On 7/24/14, intrigeri <intrigeri@???> wrote:
> Hi,
>
> Jacob Appelbaum wrote (24 Jul 2014 21:27:54 GMT) :
>> That sounds like a great reason to find a way to make it easy to
>> dynamically change the firewall for such an application - can ferm
>> easily load different rules on demand?
>
> No idea.
Ok. This seems like a side point but still an important thing to
consider at some point - stuff like i2p, Tor and other firewall
exceptions might be good to disable by default.
>
>> On 7/24/14, intrigeri <intrigeri@???> wrote:
>>> 2. historically (before we used ferm), at some point, we did accept
>>> incoming and outgoing IPv6 on the loopback interface. When we
>>> changed this (commit b4c48aa), we kept the RELATED/ESTABLISHED
>>> rules; no idea why, I would guess that this fix went into
>>> a point-release, and we wanted to keep the changes minimal.
>>>
>
>> Ok. I can make such a patch.
>
> Yay \o/
I have attached a basic patch to clean up the IPv6 firewall rules. It
is a very simple patch. Still, I would love someone to test it and
ensure that I didn't break everything. :)
>
>>> I'd like this patch (or branch) to have been used quite a bit on
>>> a Tails system first (and the exact scope of the tests documented),
>>> and then we can run the automated test suite on an ISO built from it
>>> before merging.
>>>
>
>> I've been using it for the last ~24hrs without issue.
>
> It would be useful to know what you tested. You can share the sensible
> parts of this information privately with me, if needed. And hide some,
> of course :)
I used Tails as normal - browsing, ssh, xmpp-client, pond, etc.
Nothing ceased to function.
I did remove some other rules as well, thus making it even more
restricted. I did notice the following in my dmesg:
[77244.592308] Dropped outbound packet: IN= OUT=eth0 SRC=10.0.254.23 DST=10.0.254.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57641 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
Strangely, my DHCP client is still functioning. :)
This is why I'd like a second set of eyes...
>
>> Tails should be silent - these rules make Tails behave in a way that
>> deviates from silence. I guess it is a fingerprint on the network, no?
>
> This REJECT rule lives only in the OUTPUT chain, so I believe you're
> mistaken here. Did I miss anything?
You are correct - the REJECT rule is in the OUTPUT chain but I worry
that the other rules may bypass the firewall (e.g. they're ACCEPT'ed)
and the TCP/IP stack will respond in some way. I would feel more
comfortable if iptables just dropped it on the floor before anything
else is involved in the affair.
All the best,
Jacob
From 6ee17706cdb2e4abbd4427416e36bf63731eaa20 Mon Sep 17 00:00:00 2001
From: Jacob Appelbaum <jacob@???>
Date: Thu, 24 Jul 2014 01:30:25 +0000
Subject: [PATCH] simplify ipv6 ferm rules
---
config/chroot_local-includes/etc/ferm/ferm.conf | 8 --------
1 files changed, 0 insertions(+), 8 deletions(-)
diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index 54ab253..754595d 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -154,9 +154,6 @@ domain ip6 {
table filter {
chain INPUT {
policy DROP;
-
- # Established connections are accepted.
- mod state state (RELATED ESTABLISHED) ACCEPT;
}
chain FORWARD {
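Review bot: after this hunk the ip6 INPUT chain is a bare `policy DROP;` with no rule and no comment saying why; a one-line comment such as `# IPv6 is intentionally unsupported: no rule, everything hits the DROP policy.` would keep the next reader from re-adding the `mod state state (RELATED ESTABLISHED) ACCEPT;` line that was just removed. Dropping established/related traffic on INPUT is only safe because the OUTPUT chain (next hunk) stops accepting established flows at the same time; if the two chains are ever edited independently this one needs revisiting, which is another reason to record the intent in the config itself rather than only in the commit message.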
@@ -165,13 +162,8 @@ domain ip6 {
chain OUTPUT {
policy DROP;
-
- # Established connections are accepted.
- mod state state (RELATED ESTABLISHED) ACCEPT;
-
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
- REJECT reject-with icmp6-port-unreachable;
}
}
}
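Review bot: removing `REJECT reject-with icmp6-port-unreachable;` makes the chain fall through to `policy DROP;`, which is what the comment above it ("Everything else is logged and dropped.") already claimed and what the cover mail asks for (no ICMPv6 reply generated by the stack). The behavioural cost belongs in the commit message: a REJECT gave local applications an immediate error on an IPv6 attempt, whereas DROP leaves them waiting for a connect timeout before falling back to IPv4, so the test scope should include at least one IPv6-first application and note how long its fallback takes. Also, with the RELATED/ESTABLISHED accept gone above it, the unchanged `LOG ... log-level debug log-uid;` rule now sees every outbound IPv6 packet from every process, with no rate limit; consider a `mod limit` in front of it, or at least watch dmesg volume during testing.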
--
1.7.2.5
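The dmesg line quoted in the mail is what a "second set of eyes" has to work from when checking what the tightened rules are actually dropping. The following is an added example, not code from the thread or from Tails: a small parser for iptables/ip6tables LOG output as it appears in dmesg, which splits each line into its KEY=VALUE fields, tells IPv4 drops from IPv6 ones by the address format (only the ip6 domain in the patch can produce IPv6 lines), flags the DHCPv4 client request pattern (UDP 68 to 67) seen in the mail, and counts drops per family/protocol/port. The first sample line is the one from the mail rejoined onto one line; the IPv6 line and the unrelated dmesg line are constructed here, and the field names assumed for IPv6 (TC, HOPLIMIT, FLOWLBL, TYPE, CODE) follow the kernel's ip6t_LOG format.

```python
import re
from collections import Counter

# Sample dmesg excerpt. Line 1 is the one quoted in the mail (rejoined);
# lines 2 and 3 are constructed for this example.
SAMPLE_DMESG = [
    "[77244.592308] Dropped outbound packet: IN= OUT=eth0 SRC=10.0.254.23 "
    "DST=10.0.254.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57641 DF PROTO=UDP "
    "SPT=68 DPT=67 LEN=308 UID=0 GID=0",
    # constructed: a router solicitation the ip6 OUTPUT chain would log
    "[77250.000001] Dropped outbound packet: IN= OUT=eth0 "
    "SRC=fe80:0000:0000:0000:0000:0000:0000:0001 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0 UID=0 GID=0",
    # constructed: unrelated kernel noise that must be ignored
    "[77251.000000] usb 1-1: new high-speed USB device number 3",
]

# Optional "[timestamp]", then the rule's log prefix (anything up to the
# first whitespace-delimited "IN=" token), then the KEY=VALUE fields.
_LOG_RE = re.compile(
    r"^(?:\[\s*(?P<ts>[\d.]+)\]\s*)?(?P<prefix>(?:.*?\s)?)(?P<rest>IN=.*)$"
)

# (SPT, DPT) pairs that identify a DHCPv4 client request.
DHCPV4_PORTS = {("68", "67")}


def parse_log_line(line):
    """Parse one netfilter LOG line from dmesg into a dict, or None.

    Valueless flags (DF, SYN, ...) go into 'flags'. The second LEN= that
    follows PROTO= is the transport-layer length and is stored as 'L4_LEN'
    so it does not overwrite the IP-level LEN.
    """
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" not in tok:
            flags.add(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in fields:
            key = "L4_LEN"
        fields[key] = val
    return {
        "ts": float(m.group("ts")) if m.group("ts") else None,
        "prefix": m.group("prefix").strip(),
        "fields": fields,
        "flags": flags,
    }


def address_family(fields):
    """'ip6' for IPv6 literals in SRC, 'ip' for dotted quads."""
    return "ip6" if ":" in fields.get("SRC", "") else "ip"


def describe(entry):
    """One-line triage summary: family, protocol, endpoints, owning uid."""
    f = entry["fields"]
    proto = f.get("PROTO", "?")
    text = f"{address_family(f)} {proto} {f.get('SRC')} -> {f.get('DST')}"
    if proto in ("TCP", "UDP"):
        text += f" {f['SPT']}->{f['DPT']}"
        if proto == "UDP" and (f["SPT"], f["DPT"]) in DHCPV4_PORTS:
            text += " [DHCPv4 client request]"
    elif proto == "ICMPv6":
        text += f" type={f.get('TYPE')}"
    if "UID" in f:
        text += f" uid={f['UID']}"
    return text


def summarize(lines, prefix="Dropped outbound packet:"):
    """Count logged drops per (family, proto, dport) for one log prefix."""
    counts = Counter()
    for line in lines:
        e = parse_log_line(line)
        if e is None or e["prefix"] != prefix:
            continue
        f = e["fields"]
        counts[(address_family(f), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_DMESG:
        entry = parse_log_line(raw)
        if entry:
            print(describe(entry))
    print(dict(summarize(SAMPLE_DMESG)))
```

Feeding `dmesg` output through `summarize()` after a test session gives the per-protocol picture needed to judge whether the ip6 OUTPUT LOG rule is noisy, and `address_family()` separates drops from the `domain ip6` chains in the patch from those produced by whatever IPv4 rules were removed alongside it.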