Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Nachricht löschen

Nachricht beantworten
Autor: Oliver-Tobias Ripka
Datum:  
To: The Tails public development discussion list
Betreff: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
According to anonym on Thu, Dec 04 2014:

> FWIW I experienced no issues during my tests with *only* ESTABLISHED in
> both the INPUT and OUTPUT chains so neither NEW nor RELATED seems
> essential for the basic usage I tested. And of course the above
> "exploits" didn't work due to the absence of NEW.


You're right it work with ESTABLISHED only. This is due to whitelisted
rule for the debian-tor user that may send any kind of packet.

We might consider harden this rule to prevent leaks of other protocols
by the debian-tor user; basically restrict it to only allow TCP SYN
packets. The rest would be handled by the stateful rule.

Cheers,

Olli