Re: [Tails-dev] firewall rules

Delete this message

Reply to this message
Autor: Jacob Appelbaum
Data:  
Dla: The Tails public development discussion list
Temat: Re: [Tails-dev] firewall rules
Heya,

On 7/24/14, intrigeri <intrigeri@???> wrote:
> Hi,
>
> Jacob Appelbaum wrote (24 Jul 2014 21:27:54 GMT) :
>> That sounds like a great reason to find a way to make it easy to
>> dynamically change the firewall for such an application - can ferm
>> easily load different rules on demand?
>
> No idea.


Ok. This seems like a side point but still an important thing to
consider at some point - stuff like i2p, Tor and other firewall
exceptions might be good to disable by default.

>
>> On 7/24/14, intrigeri <intrigeri@???> wrote:
>>> 2. historically (before we used ferm), at some point, we did accept
>>>    incoming and outgoing IPv6 on the loopback interface. When we
>>>    changed this (commit b4c48aa), we kept the RELATED/ESTABLISHED
>>>    rules; no idea why, I would guess that this fix went into
>>>    a point-release, and we wanted to keep the changes minimal.

>>>
>
>> Ok. I can make such a patch.
>
> Yay \o/


I have attached a basic patch to clean up the IPv6 firewall rules. It
is a very simple patch. Still, I would love someone to test it and
ensure that I didn't break everything. :)

>
>>> I'd like this patch (or branch) to have been used quite a bit on
>>> a Tails system first (and the exact scope of the tests documented),
>>> and then we can run the automated test suite on an ISO built from it
>>> before merging.
>>>
>
>> I've been using it for the last ~24hrs without issue.
>
> It would be useful to know what you tested. You can share the sensible
> parts of this information privately with me, if needed. And hide some,
> of course :)


I used Tails as normal - browsing, ssh, xmpp-client, pond, etc.
Nothing ceased to function.

I did remove some other rules as well and thus making it even more
restricted. I did notice the following in my dmesg:

[77244.592308] Dropped outbound packet: IN= OUT=eth0 SRC=10.0.254.23
DST=10.0.254.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57641 DF PROTO=UDP
SPT=68 DPT=67 LEN=308 UID=0 GID=0

Strangely, my DHCP client is still functioning. :)

This is why I'd like a second set of eyes...

>
>> Tails should be silent - these rules make Tails behave in a way that
>> deviates from silence. I guess it is a fingerprint on the network, no?
>
> This REJECT rule lives only in the OUTPUT chain, so I believe you're
> mistaken here. Did I miss anything?


You are correct - the REJECT rule is in the OUTPUT chain but I worry
that the other rules may bypass the firewall (eg: they're ACCEPT'ed)
and the TCP/IP stack will respond in some way. I would feel more
comfortable if iptables just dropped it on the floor before anything
else is involved in the affair.

All the best,
Jacob
From 6ee17706cdb2e4abbd4427416e36bf63731eaa20 Mon Sep 17 00:00:00 2001
From: Jacob Appelbaum <jacob@???>
Date: Thu, 24 Jul 2014 01:30:25 +0000
Subject: [PATCH] simplify ipv6 ferm rules

---
 config/chroot_local-includes/etc/ferm/ferm.conf |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)


diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index 54ab253..754595d 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -154,9 +154,6 @@ domain ip6 {
     table filter {
         chain INPUT {
             policy DROP;
-
-            # Established connections are accepted.
-            mod state state (RELATED ESTABLISHED) ACCEPT;
         }


         chain FORWARD {
@@ -165,13 +162,8 @@ domain ip6 {


         chain OUTPUT {
             policy DROP;
-
-            # Established connections are accepted.
-            mod state state (RELATED ESTABLISHED) ACCEPT;
-
             # Everything else is logged and dropped.
             LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
-            REJECT reject-with icmp6-port-unreachable;
         }
     }
 }
-- 
1.7.2.5