intrigeri:
> intrigeri wrote (05 Mar 2015 21:14:50 GMT) :
>> intrigeri wrote (18 Jan 2015 21:45:15 GMT) :
>>> I see this thread has been quiet for a bit more than a month.
> 
>>> Maybe it's time for someone to sum up whatever consensus was reached,
>>> and whatever disagreement may still be remaining?
> 
>>> Jake, maybe?
> 
>> Ping?
> 
> OK, OK, here we go :)
> 
> Thank you all for your contribution!
> 
> I have compiled everything that everybody seemed to agree on in this
> thread, into a Git branch (feature/various-firewall-hardening).
> I'll build it and run our automated test suite on it.
> 
> There's one question below, mainly for Oliver-Tobias, but anyone else
> is free to have a look.
> 
> Anyone who participated in this thread, please consider checking my
> summary below. This is _not_ my area of expertise, and it may very
> well be that I got something wrong from your discussion, which is why
> I was asking for someone else to sum it up a year ago.
> Thanks in advance!

It's even less my area of expertise but I remember this discussion
around "RELATED ESTABLISHED" as interesting :) Nonetheless, searching
for "RELATED ESTABLISHED" on Redmine doesn't return anything.

So I'm just wondering whether we have tickets to track this?

> Note that all patches pasted below are entirely untested.
> 
> Regarding the firewall rules, I think the agreement that was reached
> is:
> 
> --- a/config/chroot_local-includes/etc/ferm/ferm.conf
> +++ b/config/chroot_local-includes/etc/ferm/ferm.conf
> @@ -15,7 +15,7 @@ domain ip {
>              policy DROP;
>  
>              # Established incoming connections are accepted.
> -            mod state state (RELATED ESTABLISHED) ACCEPT;
> +            mod state state (ESTABLISHED) ACCEPT;
>  
>              # Traffic on the loopback interface is accepted.
>              interface lo ACCEPT;
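
Review bot: the comment above the changed rule in this first chain still reads only "Established incoming connections are accepted." and does not record that RELATED is now left out on purpose. With `policy DROP;` at the top of the chain, anything conntrack classifies as RELATED (ICMP errors tied to an existing connection, for example) is no longer accepted by this rule. I'd suggest extending the comment to say that RELATED is deliberately excluded and why, so a later cleanup does not put it back, and since the message says the patch is untested, confirming in the test suite run that incoming traffic still behaves as expected.
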
> @@ -25,7 +25,7 @@ domain ip {
>              policy DROP;
>  
>              # Established outgoing connections are accepted.
> -            mod state state (RELATED ESTABLISHED) ACCEPT;
> +            mod state state (ESTABLISHED) ACCEPT;
>  
>              # White-list access to local resources
>              outerface lo {
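
Review bot: in the outgoing chain the same one-word change sits directly above the "White-list access to local resources" block, and with `policy DROP;` here any outgoing packet that used to pass only as RELATED must now match one of the white-list rules that follow or be dropped. It would help to note in the comment that only ESTABLISHED is accepted by design, and to check that nothing covered by the `outerface lo` rules or the rules after them relied on the RELATED match before this is merged.
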
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev