Re: [Tails-dev] Disabling or changing Firewall settings in T…

Author: gagz
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Disabling or changing Firewall settings in Tails?
hello hello,

First I have to say I'm not a Tails member, I'm just a very long-time
user and trainer for activists, and I've contributed very little in the
past 10 years.

Let me reply in your mail:


> […]
> Specifically, I would like to know if disabling the firewall or making
> changes to the IP tables is a permanent action or if these settings will
> reset upon rebooting the system.


Disabling the firewall definitely has huge drawbacks if there are other
activities going on on the same USB stick, or if it has a persistent
storage.
But it should come back as normal after a reboot.
If your threat model brings a risk of remote hacking of your USB
stick, then it might not be enough to reboot.


> I am considering downloading the Monero
> blockchain over clearnet (as I'm sure it would take days over Tor) and
> want to ensure that I understand the implications of modifying these
> settings. I don't want to do this if it is permanent as I was looking
> for temporarily doing so.


For your use case, I would rather use Debian Live and store the data in
an encrypted USB stick (see
https://tails.net/doc/encryption_and_privacy/encrypted_volume), as you
don't seem to need the specific thing Tails offers: enforcing the use of
the Tor network.
Tails also tries to leave no trace behind, so depending on your threat
model, you may want to keep it with Tails, but a Debian Live would just
go through the clearnet and still allow you to follow the link above to
create a LUKS encrypted storage on a USB stick.

If you want to go the Tails way, you may use a fresh Tails with no
persistence, disable the firewall, do your download, save it on another
(encrypted) USB stick and reinstall Tails.

Disabling the firewall brings several risks, at least:
- Tor would not be enforced anymore during the session
- Incoming connections would not be blocked
- Network isolation between apps will no longer work

I'm sure there are others that just don't come to mind right now.


> Additionally, I would appreciate your advice on whether it is safe to
> disable or change firewall rules with administrative privileges for this
> purpose, or if there are any potential risks involved.


You will *need* to set an admin password (
https://tails.net/doc/first_steps/welcome_screen/administration_password/ )
to be able to disable the firewall, and quite some knowledge of Linux
network management (at least iptables, but probably also network namespaces).


> Thank you for your assistance, and I look forward to your response.


I hope I could help a little :)
gagz