[Tails-dev] Fwd: Re: Reducing attack surface of kernel and …

Author: Jurre van Bergen
Date:  
To: The Tails public development discussion list
Subject: [Tails-dev] Fwd: Re: Reducing attack surface of kernel and tightening firewall/sysctls
Forwarding e-mail.


-------- Forwarded Message --------
Subject:     Re: Fwd: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
Date:     Thu, 11 Feb 2016 12:28:35 +0100
From:     Cornelius Diekmann <diekmann@???>
To:     Jurre van Bergen <jurre@???>
Hi Jurre,

On 11.02.2016 01:24, Jurre van Bergen wrote:
> Hey,
>
> About the firewall stuff and iptables/ferm we discussed at 32c3. There
> is some movement in this. Could you give us any feedback on what we did?


I looked at the resulting iptables config from the ferm.conf (most
recent version 32e89ef2d7ca2b564990b6758479c47c3713d1e9 in the mentioned
feature branch).

This config will go completely without RELATED. This is really cool.

Summary of the discussion: RELATED handles some ICMP error messages,
which might be necessary.

As discussed, if the kernel handles MTU errors
(net.ipv4.tcp_mtu_probing=1), then everything should be fine. But note
that this was rather intended as a work-around for buggy configurations
which block ICMP. ICMP MTU discovery is also an integral part of IPv6.

A conservative change to the tails config would be to keep a RELATED
rule but limit it to known good ICMP messages.

What I did not see in the discussion is the Destination Unreachable ICMP
error. If a host is unreachable, Tails will eventually find out by a
timeout. But with an unreachable message, a user does not have to wait
for a timeout.

Best,
Cornelius
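The conservative variant Cornelius suggests, written out as an added illustration in ferm syntax (this is not the Tails ferm.conf from the feature branch; the chain layout and the exact set of ICMP types are assumptions): instead of a blanket RELATED accept, only the ICMP error types a client needs for path MTU discovery and for failing fast on unreachable hosts are let through, for both IPv4 and IPv6.

```ferm
# Added example, not the Tails ferm.conf: a RELATED rule restricted to
# known-good ICMP error types. Chain layout and policy are assumed.
domain ip {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            mod state state ESTABLISHED ACCEPT;
            # Instead of "mod state state RELATED ACCEPT" for everything:
            # destination-unreachable carries "fragmentation needed" (code 4)
            # for PMTU discovery and lets a connection attempt fail at once
            # instead of waiting for a timeout; time-exceeded covers TTL expiry.
            # Pair with net.ipv4.tcp_mtu_probing=1 as a fallback for paths
            # where ICMP is filtered upstream.
            mod state state RELATED proto icmp
                icmp-type (destination-unreachable time-exceeded) ACCEPT;
        }
    }
}

domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            mod state state ESTABLISHED ACCEPT;
            # IPv6 routers never fragment, so packet-too-big is required for
            # path MTU discovery and must not be dropped along with RELATED.
            mod state state RELATED proto ipv6-icmp
                icmpv6-type (destination-unreachable packet-too-big time-exceeded) ACCEPT;
        }
    }
}
```

Compare the output of `ferm -n -l` with the generated iptables rules to confirm that no other RELATED traffic is accepted than the listed ICMP types.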