Re: [Tails-dev] Reducing attack surface of kernel and tighte…
I did do some tests using the following testing procedure:
- setup sniffer
- boot the live system (allow for root login)
- kill network connection
- edit /etc/ferm/ferm.conf to include the iptables tweak:
  INPUT: [...] mod state state (ESTABLISHED) ACCEPT;
  OUTPUT: [...] mod state state (NEW ESTABLISHED) ACCEPT;
- set the iptables rules to DROP everything
- use network manager to reestablish connection (works)
Result: The IP address is already configured (DHCP was renewed) and the iptables configuration is still set to DROP. So I am not sure how the DHCP packets could get through. Maybe I have a flaw in my debugging procedure or this is another issue.
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
- /proc/sys/net/ipv4/ip_no_pmtu_disc (path mtu discovery)
- /proc/sys/net/ipv4/tcp_mtu_probing (mtu probing)
> mod state state (RELATED ESTABLISHED) ACCEPT;
> mod state state (NEW ESTABLISHED) ACCEPT;
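The ferm.conf fragment below is an added illustration, not Tails' actual configuration or the poster's file: it puts the ESTABLISHED-only INPUT rule from the test next to the RELATED ESTABLISHED form quoted above, and adds LOG rules before the DROP policy so the sniffer test can be checked against what netfilter itself saw. The explicit DHCP client rule and the "ferm-drop" prefixes are assumptions for the example.

```ferm
# Added example (hypothetical /etc/ferm/ferm.conf fragment), IPv4 filter table only.
domain ip {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            mod state state INVALID DROP;

            # Weak form used in the test: replies to our own connections get in,
            # but RELATED packets (ICMP errors such as "fragmentation needed",
            # FTP data connections) are dropped. Dropping those ICMP errors is
            # what makes path MTU discovery fail and pushes one towards the
            # ip_no_pmtu_disc / tcp_mtu_probing sysctls mentioned above.
            # mod state state (ESTABLISHED) ACCEPT;

            # Corrected form (as quoted in the thread).
            mod state state (RELATED ESTABLISHED) ACCEPT;

            # Assumption for the example: DHCP replies are allowed explicitly so
            # the lease renewal does not depend on conntrack at all.
            proto udp sport 67 dport 68 ACCEPT;

            # Anything that reaches the policy is logged first, so the sniffer
            # capture can be compared with what actually traversed netfilter.
            LOG log-prefix "ferm-drop-in: " log-level warning;
        }

        chain OUTPUT {
            policy DROP;
            outerface lo ACCEPT;
            mod state state (NEW RELATED ESTABLISHED) ACCEPT;
            proto udp sport 68 dport 67 ACCEPT;
            LOG log-prefix "ferm-drop-out: " log-level warning;
        }
    }
}
```

Check the kernel log for the "ferm-drop-in:"/"ferm-drop-out:" prefixes after re-running the test: DHCP packets that appear in the sniffer but never in the log are not passing through the INPUT/OUTPUT chains at all, which is the known behaviour when the DHCP client does its exchange over packet sockets rather than UDP sockets.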