Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Author: anonym
Subject: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
On 03/12/14 18:22, Jacob Appelbaum wrote:
> I propose that we change the rule to be:
>             mod state state (NEW ESTABLISHED) ACCEPT;

> The reason is pretty simple - RELATED makes the kernel do a lot of
> extra lifting that is not needed by using the conntrack kernel code:

While I think we should investigate whether RELATED can be dropped for
the reasons you outline, adding NEW seems like a mistake. In fact, I
see no discussion why it should be there at all, so please clarify its

From iptables(8):

    NEW    meaning that the packet has started a new connection, or
           otherwise associated with a connection which has not seen
           packets in both directions

That sounds pretty bad. In my tests of your suggested rule, Tails' Tor
enforcement [1] is broken:

    unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY
    curl | grep "Your IP address"

and so is the local services whitelist [2]:

    nc -l -p 1234 &
    echo "if you receive this, then you are pwned" | nc 1234

Or am I missing something obvious here?

FWIW I experienced no issues during my tests with *only* ESTABLISHED in
both the INPUT and OUTPUT chains, so neither NEW nor RELATED seems
essential for the basic usage I tested. And of course the above
"exploits" didn't work due to the absence of NEW.


[1] *
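The conntrack-state argument made in this reply, as an added model that is not Tails' ferm configuration and not code from anyone in this thread: a toy tracker that classifies packets as NEW or ESTABLISHED using the iptables(8) wording quoted above (ESTABLISHED once the flow has seen traffic in both directions), and a first-match rule evaluator with a DROP policy. The chain layout, host addresses, ports and user names are constructed assumptions (a generic state rule ahead of Tails-style whitelist rules: loopback, and outbound connections only for the Tor user); RELATED, UDP and conntrack timeouts are left out. It replays the two tests from the mail (an un-proxied curl by the desktop user, and a connection to a `nc -l -p 1234` listener) plus Tor's own traffic and a loopback client, under the proposed `(NEW ESTABLISHED)` rule and under ESTABLISHED only.

```python
"""Toy model of netfilter conntrack states and rule ordering (added example;
hosts, ports, user names and the rule layout are constructed, not Tails')."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    chain: str    # "INPUT" or "OUTPUT"
    src: str
    sport: int
    dst: str
    dport: int
    uid: str = ""  # socket owner, meaningful in OUTPUT only (like -m owner)


class Conntrack:
    """Records which source endpoint(s) each flow has been seen from. Per the
    iptables(8) wording: a packet is ESTABLISHED when its flow has traffic in
    both directions, i.e. the reverse direction was already seen; else NEW."""

    def __init__(self) -> None:
        self.seen: Dict[frozenset, Set[Endpoint]] = {}

    @staticmethod
    def _key(p: Packet) -> frozenset:
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p: Packet) -> str:
        reverse_seen = (p.dst, p.dport) in self.seen.get(self._key(p), set())
        return "ESTABLISHED" if reverse_seen else "NEW"

    def confirm(self, p: Packet) -> None:
        # Only packets that were not dropped get a confirmed conntrack entry.
        self.seen.setdefault(self._key(p), set()).add((p.src, p.sport))


@dataclass
class Rule:
    chain: str
    match: Callable[[Packet, str], bool]  # (packet, conntrack state) -> bool
    verdict: str                          # "ACCEPT" or "DROP"


class Firewall:
    """First-matching-rule evaluator; chains default to DROP."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.ct = Conntrack()

    def filter(self, p: Packet) -> str:
        state = self.ct.state(p)
        verdict = "DROP"
        for r in self.rules:
            if r.chain == p.chain and r.match(p, state):
                verdict = r.verdict
                break
        if verdict == "ACCEPT":
            self.ct.confirm(p)
        return verdict


# Constructed addresses (documentation/private ranges), not real hosts.
TAILS_IP, LAN_PEER, REMOTE, LO = "192.168.1.10", "192.168.1.20", "203.0.113.5", "127.0.0.1"


def tails_like_rules(generic_states: Set[str]) -> List[Rule]:
    """Generic state rule first (where the proposed change would sit), then
    simplified whitelist rules: loopback, and outbound only for the Tor user."""
    return [
        Rule("INPUT", lambda p, s: s in generic_states, "ACCEPT"),
        Rule("OUTPUT", lambda p, s: s in generic_states, "ACCEPT"),
        Rule("INPUT", lambda p, s: p.src == LO and p.dst == LO, "ACCEPT"),
        Rule("OUTPUT", lambda p, s: p.src == LO and p.dst == LO, "ACCEPT"),
        Rule("OUTPUT", lambda p, s: p.uid == "debian-tor", "ACCEPT"),
    ]


SCENARIOS: Dict[str, List[Packet]] = {
    # un-proxied curl by the desktop user: Tor enforcement must drop this
    "curl_direct_by_amnesia": [Packet("OUTPUT", TAILS_IP, 40001, REMOTE, 443, "amnesia")],
    # Tor opens a connection and then receives the reply on INPUT
    "tor_connect_and_reply": [Packet("OUTPUT", TAILS_IP, 40002, REMOTE, 9001, "debian-tor"),
                              Packet("INPUT", REMOTE, 9001, TAILS_IP, 40002)],
    # a LAN peer connects to `nc -l -p 1234` on the external interface
    "lan_peer_to_nc_listener": [Packet("INPUT", LAN_PEER, 50000, TAILS_IP, 1234)],
    # a local client reaches the same listener over loopback (OUTPUT, then INPUT)
    "loopback_to_nc_listener": [Packet("OUTPUT", LO, 50001, LO, 1234),
                                Packet("INPUT", LO, 50001, LO, 1234)],
}


def run(generic_states: Set[str], packets: List[Packet]) -> List[str]:
    fw = Firewall(tails_like_rules(generic_states))
    return [fw.filter(p) for p in packets]


def compare() -> Dict[str, Tuple[str, str]]:
    """Final verdict per scenario: (NEW+ESTABLISHED rule, ESTABLISHED-only rule)."""
    return {name: (run({"NEW", "ESTABLISHED"}, pkts)[-1], run({"ESTABLISHED"}, pkts)[-1])
            for name, pkts in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (proposed, strict) in compare().items():
        print(f"{name:25} NEW+ESTABLISHED: {proposed:7} ESTABLISHED-only: {strict}")
```

With the generic rule accepting NEW, the un-proxied curl and the LAN peer's connection to the listener both pass before the per-user and loopback rules are ever consulted; with ESTABLISHED only, they are dropped, while Tor's reply traffic and the loopback client are still accepted, matching what the tests in the mail report.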