Re: [Tails-dev] Reducing attack surface of kernel and tighte…

This message is part of the following thread:
M-\the complete thread tree sorted by date
M\MJacob Appelbaum at <-
MMOliver-Tobias Ripka at ->
Delete this message

Reply to this message
Author: Oliver-Tobias Ripka
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
According to anonym on Thu, Dec 04 2014:

> FWIW I experienced no issues during my tests with *only* ESTABLISHED in
> both the INPUT and OUTPUT chains so neither NEW nor RELATED seems
> essential for the basic usage I tested. And of course the above
> "exploits" didn't work due to the absence of NEW.

You're right it work with ESTABLISHED only. This is due to whitelisted
rule for the debian-tor user that may send any kind of packet.

We might consider harden this rule to prevent leaks of other protocols
by the debian-tor user; basically restrict it to only allow TCP SYN
packets. The rest would be handled by the stateful rule.

Cheers,

Olli

This message was posted to the following mailing lists:
tails-dev
Mailing List Info | Nearby Messages		<-Re: [Tails-dev] [review'n'merge:1.2.1] feature/7740-remove-truecryptRe: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls->
lists.autistici.org administrated by postmasterLurker (version 2.3)