Re: [Tails-dev] firewall rules

Author: intrigeri
Date:  
To: The Tails public development discussion list
New-Topics: [Tails-dev] [review'n'merge:1.2] feature/7668-simplify-IPv6-firewall-rules [Was: firewall rules]
Subject: Re: [Tails-dev] firewall rules
Hi,

Jacob Appelbaum wrote (24 Jul 2014 22:59:38 GMT) :
> On 7/24/14, intrigeri <intrigeri@???> wrote:
>> Jacob Appelbaum wrote (24 Jul 2014 21:27:54 GMT) :


> I have attached a basic patch to clean up the IPv6 firewall rules. It
> is a very simple patch. Still, I would love someone to test it and
> ensure that I didn't break everything. :)


Thanks!

Created #7668 to keep track of this, applied your patch (but reverted
the removal of the REJECT rule, see below), and pushed it to the
feature/7668-simplify-IPv6-firewall-rules branch. Gonna build an ISO
and run the automated test suite on it. Yay! :)

> You are correct - the REJECT rule is in the OUTPUT chain but I worry
> that the other rules may bypass the firewall (eg: they're ACCEPT'ed)
> and the TCP/IP stack will respond in some way. I would feel more
> comfortable if iptables just dropped it on the floor before anything
> else is involved in the affair.


Frankly, if we can't trust that

1. this:

        chain OUTPUT {
            policy DROP;
            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp6-port-unreachable;
        }


... does what it says it does;

and 2. that netfilter is hooked in the network stack in a way that it
filters stuff before other things have a chance to talk to the
network... then, oh well, we can't trust the rest of our ferm.conf
much either, and we have more serious problems. Note that we do check
the resulting netfilter rules at release time, as part of our manual
QA process.

For these reasons, as said previously, the extensive testing we should
do to take this change is a big amount of work, and I'm strongly
doubting that it's worth it. If anyone's willing to do it anyway:

  1. build an ISO from feature/7668-simplify-IPv6-firewall-rules, with
     this additional change applied
  2. run the automated test suite on that ISO
  3. "run" the manual test suite on that ISO
  4. cross fingers in the hope that it didn't break anything not
     covered by the above tests.


Cheers,
--
intrigeri
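
The release-time check of the resulting netfilter rules mentioned above can be scripted. The following is an added example, not part of the original message or of the Tails code base: it audits the OUTPUT chain of an `ip6tables-save` dump for a DROP policy and an unconditional LOG then REJECT tail, and lists every ACCEPT rule that lets traffic leave before that tail. The sample dump, including its loopback rule, is constructed for illustration, and `audit_output_chain` is a hypothetical helper name.

```python
import shlex

# Constructed sample of `ip6tables-save` output; not taken from a Tails image.
SAMPLE = '''\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOG --log-prefix "Dropped outbound packet: " --log-level 7 --log-uid
-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
'''

def audit_output_chain(dump, chain="OUTPUT"):
    """Return (problems, accepts) for one filter-table chain of a dump."""
    policy, rules, table = None, [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":" + chain + " "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A " + chain + " "):
            # shlex keeps the quoted log prefix as a single token
            rules.append(shlex.split(line)[2:])

    def target(rule):
        return rule[rule.index("-j") + 1] if "-j" in rule else None

    problems = []
    if policy != "DROP":
        problems.append(f"policy is {policy}, expected DROP")
    if len(rules) < 2 or [target(r) for r in rules[-2:]] != ["LOG", "REJECT"]:
        problems.append("chain does not end with LOG then REJECT")
    else:
        # The catch-all pair must carry no match conditions before "-j".
        for rule in rules[-2:]:
            if rule[0] != "-j":
                problems.append(f"final {target(rule)} rule is conditional")
        if "icmp6-port-unreachable" not in rules[-1]:
            problems.append("REJECT does not use icmp6-port-unreachable")
    # Every ACCEPT is traffic that never reaches the final LOG/REJECT pair.
    accepts = [" ".join(r) for r in rules if target(r) == "ACCEPT"]
    return problems, accepts
```

On a live system the dump would come from `ip6tables-save` run as root; an empty problem list plus a reviewed ACCEPT list is the pass condition.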