Hi, I've been looking at ferm.conf and I have some questions. It appears that for ipv6, we have rules that state the following:
# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;

            # Established connections are accepted.
            mod state state (RELATED ESTABLISHED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;
        }
        chain OUTPUT {
            policy DROP;

            # Established connections are accepted.
            mod state state (RELATED ESTABLISHED) ACCEPT;

            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp6-port-unreachable;
        }
    }
}

When would we ever have a RELATED or ESTABLISHED IPv6 connection when everything is dropped? Furthermore, do we really want to REJECT with reject-with icmp6-port-unreachable? Why not simply drop it on the floor silently?

I imagine that this policy would be helpful to simplify things and ensure that they fail closed:

# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
        }
        chain FORWARD {
            policy DROP;
        }
        chain OUTPUT {
            policy DROP;

            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
        }
    }
}

Or as a patch:

diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf index 56bb20a..37939b8 100644 --- a/config/chroot_local-includes/etc/ferm/ferm.conf +++ b/config/chroot_local-includes/etc/ferm/ferm.conf @@ -145,9 +145,6 @@ domain ip6 { table filter { chain INPUT { policy DROP; - - # Established connections are accepted. - mod state state (RELATED ESTABLISHED) ACCEPT; } chain FORWARD { 
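Review bot: removing the RELATED/ESTABLISHED ACCEPT from INPUT is only dead code on the assumption that nothing else in the ip6 domain ever ACCEPTs a first packet; in the chains shown nothing does (OUTPUT ends in LOG and REJECT), so conntrack never confirms an IPv6 flow and this rule can never match. State that assumption in the commit message. Also note that after this hunk INPUT consists solely of `policy DROP;`, with no loopback exception, so IPv6 loopback (::1) traffic is dropped too unless an earlier part of ferm.conf handles it; if that is intended, say so explicitly.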
@@ -156,13 +153,8 @@ domain ip6 { chain OUTPUT { policy DROP; - - # Established connections are accepted. - mod state state (RELATED ESTABLISHED) ACCEPT; - # Everything else is logged and dropped. LOG log-prefix "Dropped outbound packet: " log-level debug log-uid; - REJECT reject-with icmp6-port-unreachable; } } }

Obviously, if a Tails user wants to use an IPv6 bridge or only has IPv6, it wouldn't work... Does it work at the moment for anyone?

All the best,
Jacob

_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
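Review bot: with the REJECT line removed, LOG is now the last rule before the DROP policy, which makes the comment "Everything else is logged and dropped." accurate, but the LOG rule has no rate limit. The kernel itself originates IPv6 traffic on OUTPUT (neighbour discovery, router solicitations, MLD reports), so every such packet now lands in the log at debug level; consider prefixing the rule with a limit match, e.g. `mod limit limit 5/minute limit-burst 10 LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;`. The behaviour change for local programs also deserves a sentence in the commit message: REJECT with icmp6-port-unreachable returned an immediate error to the sending socket, whereas DROP leaves the connection attempt hanging until it times out.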
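To make concrete why the RELATED/ESTABLISHED rules can never match under either ruleset, and what actually changes when REJECT goes away, here is a small Python model added as an example; it is not Tails code and not part of Jacob's mail. It models only the pieces of netfilter that matter for the question: LOG is non-terminating, ACCEPT/DROP/REJECT end chain evaluation, REJECT sends an ICMPv6 error back to the sender, and conntrack only confirms a flow (so later packets can match ESTABLISHED) when the flow's first packet was accepted. The flow identifiers and the extra "allow this flow" rule used to show when ESTABLISHED would start matching are constructed for the demonstration.

```python
"""Toy model of ferm/netfilter chain evaluation plus conntrack confirmation.

Constructed example (not Tails' ferm.conf): chains hold an ordered rule list
and a policy; a LOG rule never ends evaluation; a flow becomes ESTABLISHED
only after one of its packets was ACCEPTed, because conntrack discards the
unconfirmed entry for a packet that the filter table drops or rejects.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT, DROP, REJECT or LOG
    states: Optional[frozenset] = None   # conntrack states to match, None = any
    flows: Optional[frozenset] = None    # flow ids to match, None = any


@dataclass
class Chain:
    policy: str
    rules: list


class Firewall:
    """One ip6 filter table (INPUT/OUTPUT chains) with a conntrack table."""

    def __init__(self, chains):
        self.chains = chains
        self.confirmed = set()   # flows conntrack confirmed; these match ESTABLISHED
        self.log = []            # stand-in for the kernel log lines a LOG rule writes
        self.icmp_errors = []    # one entry per ICMPv6 error a REJECT sends back

    def state(self, flow):
        return "ESTABLISHED" if flow in self.confirmed else "NEW"

    def filter(self, chain_name, flow):
        chain = self.chains[chain_name]
        verdict = chain.policy           # policy applies when no rule terminates
        for rule in chain.rules:
            if rule.states is not None and self.state(flow) not in rule.states:
                continue
            if rule.flows is not None and flow not in rule.flows:
                continue
            if rule.target == "LOG":
                self.log.append(f"{chain_name} {self.state(flow)} {flow}")
                continue                 # LOG never ends evaluation
            verdict = rule.target
            break
        if verdict == "ACCEPT":
            self.confirmed.add(flow)     # conntrack confirms only accepted flows
        elif verdict == "REJECT":
            self.icmp_errors.append(flow)
        return verdict


ESTABLISHED_ONLY = frozenset({"RELATED", "ESTABLISHED"})


def current_rules(extra_output=()):
    """The ip6 chains quoted from ferm.conf; extra_output rules (constructed)
    are inserted after the ESTABLISHED rule and before LOG."""
    return {
        "INPUT": Chain("DROP", [Rule("ACCEPT", ESTABLISHED_ONLY)]),
        "OUTPUT": Chain("DROP", [Rule("ACCEPT", ESTABLISHED_ONLY), *extra_output,
                                 Rule("LOG"), Rule("REJECT")]),
    }


def proposed_rules():
    """The proposed fail-closed version: LOG, then the DROP policy."""
    return {
        "INPUT": Chain("DROP", []),
        "OUTPUT": Chain("DROP", [Rule("LOG")]),
    }


def run_flow(fw, flow, packets=3):
    """Send packets of one flow through OUTPUT; return (state seen, verdict) pairs."""
    return [(fw.state(flow), fw.filter("OUTPUT", flow)) for _ in range(packets)]


if __name__ == "__main__":
    flow = "host->[2001:db8::1]:443"    # constructed flow id (documentation prefix)
    for name, chains in (("current", current_rules()), ("proposed", proposed_rules())):
        fw = Firewall(chains)
        print(name, run_flow(fw, flow), "ICMPv6 errors sent:", len(fw.icmp_errors))
    # ESTABLISHED only ever matches once some other rule ACCEPTs a first packet:
    allow = Rule("ACCEPT", flows=frozenset({flow}))
    fw = Firewall(current_rules(extra_output=[allow]))
    print("with an allow rule", run_flow(fw, flow), "reply on INPUT:", fw.filter("INPUT", flow))
```

Running it shows the same "NEW" state on every packet under both rulesets, so the ESTABLISHED rules are unreachable; the only observable difference is that the current ruleset answers each rejected packet with an ICMPv6 error, while the proposed one stays silent. The third run shows the ESTABLISHED rule doing real work only once an explicit ACCEPT exists, which is exactly the IPv6-bridge case the mail raises.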