intrigeri:
> intrigeri wrote (05 Mar 2015 21:14:50 GMT) :
>> intrigeri wrote (18 Jan 2015 21:45:15 GMT) :
>>> I see this thread has been quiet for a bit more than a month.
>
>>> Maybe it's time for someone to sum up whatever consensus was reached,
>>> and whatever disagreement may still be remaining?
>
>>> Jake, maybe?
>
>> Ping?
>
> OK, OK, here we go :)
>
> Thank you all for your contribution!
>
> I have compiled everything that everybody seemed to agree on in this
> thread, into a Git branch (feature/various-firewall-hardening).
> I'll build it and run our automated test suite on it.
>
> There's one question below, mainly for Oliver-Tobias, but anyone else
> is free to have a look.
>
> Anyone who participated in this thread, please consider checking my
> summary below. This is _not_ my area of expertise, and it may very
> well be that I got something wrong from your discussion, which is why
> I was asking for someone else to sum it up a year ago.
> Thanks in advance!
It's even less my area of expertise but I remember this discussion around
"RELATED ESTABLISHED" as interesting :) Nonetheless, searching for
"RELATED ESTABLISHED" on Redmine doesn't return anything. So I'm just
wondering whether we have tickets to track this?

> Note that all patches pasted below are entirely untested.
>
> Regarding the firewall rules, I think the agreement that was reached
> is:
>
> --- a/config/chroot_local-includes/etc/ferm/ferm.conf
> +++ b/config/chroot_local-includes/etc/ferm/ferm.conf
> @@ -15,7 +15,7 @@ domain ip {
> policy DROP;
>
> # Established incoming connections are accepted.
> - mod state state (RELATED ESTABLISHED) ACCEPT;
> + mod state state (ESTABLISHED) ACCEPT;
>
> # Traffic on the loopback interface is accepted.
> interface lo ACCEPT;
> @@ -25,7 +25,7 @@ domain ip {
> policy DROP;
>
> # Established outgoing connections are accepted.
> - mod state state (RELATED ESTABLISHED) ACCEPT;
> + mod state state (ESTABLISHED) ACCEPT;
>
> # White-list access to local resources
> outerface lo {

_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
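Review bot: In the first hunk (the incoming chain at `@@ -15,7 +15,7 @@`), dropping RELATED from `mod state state (RELATED ESTABLISHED) ACCEPT;` removes more than conntrack-helper expectations: inbound ICMP error messages that conntrack associates with an existing connection (for example "fragmentation needed", on which path MTU discovery relies) are also RELATED, so with a `policy DROP;` they will now be silently discarded and long transfers may stall instead of failing cleanly. If the goal is to stop helpers like the FTP one from punching holes, keep ICMP errors explicitly with a narrower rule such as `proto icmp mod state state RELATED ACCEPT;` placed after the ESTABLISHED line, and add a sentence to the comment `# Established incoming connections are accepted.` saying that RELATED is deliberately excluded and why. Since the cover note says the patches are untested, a test that downloads a large file through a link with a reduced MTU would catch the PMTU case.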
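Review bot: In the second hunk (the outgoing chain at `@@ -25,7 +25,7 @@`), the same edit means any flow Tails originates that conntrack classifies as RELATED rather than ESTABLISHED (ICMP errors it sends back about an existing connection, or a data connection a helper would expect) falls through to this domain's `policy DROP;` unless the `# White-list access to local resources` rules that follow cover it, so please check that nothing in that white-list was implicitly relying on RELATED. Two smaller points: if the motivation is to neutralise conntrack helpers, dropping RELATED only discards what a helper produces, while the helper still parses traffic; disabling automatic helper assignment via the `net.netfilter.nf_conntrack_helper` sysctl (set to 0) addresses that directly and is worth a companion change. Also, `mod state` is the legacy match; ferm's `mod conntrack ctstate (ESTABLISHED)` is the current equivalent and would be the idiomatic form to use when these lines are touched anyway.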