Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Author: sajolida
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
intrigeri:
> intrigeri wrote (05 Mar 2015 21:14:50 GMT) :
>> intrigeri wrote (18 Jan 2015 21:45:15 GMT) :
>>> I see this thread has been quiet for a bit more than a month.
>
>>> Maybe it's time for someone to sum up whatever consensus was reached,
>>> and whatever disagreement may still be remaining?
>
>>> Jake, maybe?
>
>> Ping?
>
> OK, OK, here we go :)
>
> Thank you all for your contribution!
>
> I have compiled everything that everybody seemed to agree on in this
> thread, into a Git branch (feature/various-firewall-hardening).
> I'll build it and run our automated test suite on it.
>
> There's one question below, mainly for Oliver-Tobias, but anyone else
> is free to have a look.
>
> Anyone who participated in this thread, please consider checking my
> summary below. This is _not_ my area of expertise, and it may very
> well be that I got something wrong from your discussion, which is why
> I was asking for someone else to sum it up a year ago.
> Thanks in advance!


It's even less my area of expertise but I remember this discussion
around "RELATED ESTABLISHED" as interesting :) Nonetheless, searching
for "RELATED ESTABLISHED" on Redmine doesn't return anything.

So I'm just wondering whether we have tickets to track this?

> Note that all patches pasted below are entirely untested.
>
> Regarding the firewall rules, I think the agreement that was reached
> is:
>
> --- a/config/chroot_local-includes/etc/ferm/ferm.conf
> +++ b/config/chroot_local-includes/etc/ferm/ferm.conf
> @@ -15,7 +15,7 @@ domain ip {
>              policy DROP;

>
>              # Established incoming connections are accepted.
> -            mod state state (RELATED ESTABLISHED) ACCEPT;
> +            mod state state (ESTABLISHED) ACCEPT;

>
>              # Traffic on the loopback interface is accepted.
>              interface lo ACCEPT;
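Review bot: removing RELATED from the incoming accept rule also stops the ICMP error messages conntrack ties to the host's own established connections (destination-unreachable and fragmentation-needed replies in particular), which then fall through to `policy DROP`; since the patches are stated above to be untested, the automated test-suite run should exercise path MTU discovery and error handling on Tor's outgoing TCP connections before this is merged. If the aim is only to keep connections opened by conntrack helpers out, a narrower form keeps RELATED for ICMP alone, for example `proto icmp mod state state RELATED ACCEPT;` placed just before the `mod state state (ESTABLISHED) ACCEPT;` line.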
> @@ -25,7 +25,7 @@ domain ip {
>              policy DROP;

>
>              # Established outgoing connections are accepted.
> -            mod state state (RELATED ESTABLISHED) ACCEPT;
> +            mod state state (ESTABLISHED) ACCEPT;

>
>              # White-list access to local resources
>              outerface lo {
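Review bot: on the outgoing chain the same change sends locally generated RELATED packets (ICMP errors the kernel emits in reply to incoming traffic, and any connection a conntrack helper associates with an existing one) to `policy DROP`; if silently discarding the host's own ICMP errors is intended, the comment should say so, since `# Established outgoing connections are accepted.` no longer explains why related traffic is blocked here.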