Re: [Tails-dev] IPv6 firewall: accept RELATED, ESTABLISHED …

Author: isis agora lovecruft
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] IPv6 firewall: accept RELATED, ESTABLISHED connections?
intrigeri transcribed 0.8K bytes:
> Alan wrote (28 Oct 2013 12:41:45 GMT) :
> > During 0.21 testing session, I noticed that we accept IPv6
> > RELATED,ESTABLISHED connections while we drop everything else. Is there
> > any good reason to do that?
>
> No idea. As far as I understand it, removing these rules would have
> absolutely no impact on the actual rules processing (my understanding
> is that no packet can reach RELATED/ESTABLISHED state if new packets
> are not allowed to start with). So, I see no problem that would need
> to be solved here.
>
> If anyone thinks differently, and believes there's an actual problem to
> solve here, I'm happy to see people experiment and propose a branch.


If it's useful to whoever wants to experiment with it, there is a script
attached from my current firewall -- it handles Tor and Transproxy settings
for IPv4 and IPv6.

It would need to be triple checked for leaks, especially the IPv6 Transproxy
parts, but it's perhaps a start. FWIW, there *are* quite a few IPv6 bridges
and relays now, and IPv6 still seems to not be touched by all the various DPI
boxes.

--
♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
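
An added example, not part of the original thread and not the attached script: a small audit over `ip6tables-save` output that applies the reasoning in the quoted reply, reporting whether any rule or policy lets a connection's first packet through and therefore whether the RELATED,ESTABLISHED ACCEPT rules can ever match. The function names and both rulesets are constructed for illustration; only the filter table is read, and jumps to user-defined chains are not followed.

```shell
# Added example. Assumption: any ACCEPT whose state list is not limited to
# RELATED/ESTABLISHED may admit NEW packets, whatever chain it sits in.
# Prints "dead" (state rules can never match), "live", or "none" (no such rules).
audit_state_rules() {
    awk '
    /^[*]/ { in_filter = ($0 == "*filter"); next }
    !in_filter { next }
    /^:/ { if ($2 == "ACCEPT") admits_new = 1; next }   # chain policy line
    /^-A / {
        target = ""; states = ""; negated = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") {
                states = $(i + 1); negated = ($(i - 1) == "!")
            }
        }
        if (target != "ACCEPT") next
        only_re = (states != "" && !negated)
        n = split(states, s, ",")
        for (k = 1; k <= n; k++)
            if (s[k] != "RELATED" && s[k] != "ESTABLISHED") only_re = 0
        if (only_re) state_rules++; else admits_new = 1
    }
    END {
        if (!state_rules) print "none"
        else if (admits_new) print "live"
        else print "dead"
    }'
}
# Constructed ruleset: everything dropped, state rule still present.
sample_drop_all() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
}
# Constructed ruleset: same, plus one rule that lets loopback connections start.
sample_with_new() {
    sample_drop_all | grep -v '^COMMIT$'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}
sample_drop_all | audit_state_rules   # prints: dead
sample_with_new | audit_state_rules   # prints: live
```

On a live system the input would be the output of `ip6tables-save`; a "live" result means the state rules matter and the rule that admits new connections is the one to review for leaks.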