Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Delete this message

Reply to this message
Autor: anonym
Data:  
Dla: The Tails public development discussion list
Temat: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
On 03/12/14 18:22, Jacob Appelbaum wrote:
> I propose that we change the rule to be:
>
>             mod state state (NEW ESTABLISHED) ACCEPT;

>
> The reason is pretty simple - RELATED makes the kernel do a lot of
> extra lifting that is not needed by using the conntrack kernel code:


While I think we should investigate whether RELATED can be dropped for
the reasons you outline but adding NEW seems like a mistake. In fact, I
see no discussion why it should be there at all, so please clarify its
purpose.

>From iptables(8):


    NEW    meaning that the packet has started a new connection, or
           otherwise associated with a connection which has not seen
           packets in both directions


That sounds pretty bad. In my tests of your suggested rule, Tails' Tor
enforcement [1] is broken:

    unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY
    curl https://check.torproject.org | grep "Your IP address"


and so is the local services whitelist [2]:

    nc -l -p 1234 &
    echo "if you receive this, then you are pwned" | nc 127.0.0.1 1234


Or am I missing something obvious here?

FWIW I experienced no issues during my tests with *only* ESTABLISHED in
both the INPUT and OUTPUT chains so neither NEW nor RELATED seems
essential for the basic usage I tested. And of course the above
"exploits" didn't work due to the absence of NEW.

Cheers!

[1] * https://tails.boum.org/contribute/design/#index18h3
    * https://tails.boum.org/contribute/design/Tor_enforcement/
[2] https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/