Re: [Tails-dev] firewall rules

Delete this message

Reply to this message
Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] firewall rules
On 7/24/14, intrigeri <intrigeri@???> wrote:
> Hi,
>
> (happy to see someone look at these rules in details, and question
> part of it!)
>


Thank you for the positive feedback!

> Jacob Appelbaum wrote (24 Jul 2014 01:28:54 GMT) :
>> When would we ever have a RELATED or ESTABLISHED ipv6 connection when
>> everything is dropped?
>
> I think the only reasons to have these rules are:
>
> 1. it makes it *slightly* easier to develop and test stuff based on
>    OnionCat. Arguably, this hasn't happened recently, so it's a bit
>    weak reason.


That sounds like a great reason to find a way to make it easy to
dynamically change the firewall for such an application - can ferm
easily load different rules on demand?

> 2. historically (before we used ferm), at some point, we did accept
>    incoming and outgoing IPv6 on the loopback interface. When we
>    changed this (commit b4c48aa), we kept the RELATED/ESTABLISHED
>    rules; no idea why, I would guess that this fix went into
>    a point-release, and we wanted to keep the changes minimal.

>


Ok. I can make such a patch.

> I personally would be glad to apply a patch that changes this.


Sounds good.

>
> I'd like this patch (or branch) to have been used quite a bit on
> a Tails system first (and the exact scope of the tests documented),
> and then we can run the automated test suite on an ISO built from it
> before merging.
>


I've been using it for the last ~24hrs without issue.

> (In other words: the proposed change seems very unrisky to me, so
> *this* time, I don't feel the need to insist on having a branch that's
> been tested by building an ISO from it, and testing the result :)
>
>> Furthermore, do we really want to REJECT with
>> reject-with icmp6-port-unreachable? Why not simply drop it on the
>> floor silently?
>
> It was copied straight from the IPv4 firewall configuration in 2010.
> It might help some badly torified and/or leaky applications give up
> IPv6 earlier => possibly some performance (and then, usability)
> improvements. Possibly minor, possibly important, can't know without
> extensive testing, I would say.
>


Ok. That sounds like a reason to just DROP the packet on the floor.

> TBH, I see little use in going through this process, and risking to
> introduce a surprising regression. What are the drawbacks with keeping
> the current REJECT rule, exactly?
>


Tails should be silent - these rules make Tails behave in a way that
deviates from silence. I guess it is a fingerprint on the network, no?

>> Obviously, if a Tails user wants to use an IPv6 bridge or only has
>> IPv6, it wouldn't work... Does it work at the moment for anyone?
>
> I'm not aware of anyone having worked on this yet. I'd be delighted to
> see some test results and early patches, to get the thing rolling :)
>


That sounds like we need not worry about ipv6 for a while with Tails.

All the best,
Jacob