Author: Oliver-Tobias Ripka
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
According to anonym on Thu, Dec 04 2014:
> FWIW I experienced no issues during my tests with *only* ESTABLISHED in
> both the INPUT and OUTPUT chains so neither NEW nor RELATED seems
> essential for the basic usage I tested. And of course the above
> "exploits" didn't work due to the absence of NEW.
You're right, it works with ESTABLISHED only. This is due to the whitelisted
rule for the debian-tor user that may send any kind of packet.
We might consider hardening this rule to prevent leaks of other protocols
by the debian-tor user; basically restrict it to only allow TCP SYN
packets. The rest would be handled by the stateful rule.
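As an added illustration (not code from the thread or from Tails itself), the permissive per-user rule beside the tightened variant Oliver sketches: debian-tor may only send the first packet of a TCP connection, and every later packet is carried by the stateful ESTABLISHED rule. It assumes a plain iptables ruleset and a constructed chain layout; set IPTABLES=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the thread's or Tails' own firewall configuration.
# IPTABLES defaults to the real binary; IPTABLES=echo dry-runs the rules.
IPTABLES="${IPTABLES:-iptables}"
TOR_USER="${TOR_USER:-debian-tor}"

# Weak whitelist: any protocol, any state, as long as the sender is debian-tor.
# This is why ESTABLISHED-only still "works": Tor's own traffic never needs NEW.
weak_tor_output_rules() {
    "$IPTABLES" -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
}

# Tightened whitelist: debian-tor may only open TCP connections (SYN set,
# ACK/RST/FIN clear); follow-up packets match the stateful rule instead.
tight_tor_output_rules() {
    # Loopback stays open so Tor can reach its own SOCKS/control ports.
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    # Stateful rule: packets belonging to an already tracked connection pass.
    "$IPTABLES" -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Only the initial SYN of a new TCP connection is whitelisted per user.
    "$IPTABLES" -A OUTPUT -m owner --uid-owner "$TOR_USER" \
        -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT
    # UDP, ICMP and non-SYN TCP from debian-tor are dropped, which closes
    # the "other protocols" leak path the mail mentions.
    "$IPTABLES" -A OUTPUT -m owner --uid-owner "$TOR_USER" -j DROP
    "$IPTABLES" -P OUTPUT DROP
}

# Dry-run a rule function and count ACCEPT rules for the Tor user that are
# not restricted to TCP SYN; 0 means the per-user whitelist is tight.
count_non_syn_tor_accepts() {
    ( IPTABLES=echo; "$1" ) | awk -v user="$TOR_USER" '
        /--uid-owner/ && $0 ~ user && /-j ACCEPT/ && !/--syn/ { n++ }
        END { print n + 0 }'
}

# Usage: sh this.sh weak|tight  (with IPTABLES=echo to only print rules)
case "${1:-}" in
    weak)  weak_tor_output_rules ;;
    tight) tight_tor_output_rules ;;
esac
```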