Re: [Tails-dev] [review'n'merge 1.1.1] I2P boot parameter, f…

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [review'n'merge 1.1.1] I2P boot parameter, firewall rules, etc.
Hi,

Kill Your TV wrote (07 Aug 2014 12:16:54 GMT) :
>             # Redirect system DNS to Tor's DNSport
>             daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353
Ah, right. I had completely forgotten that we've done that as part of
the bridges support (commit 69ae076). So, indeed talking to port 5353
is needed.

> but I thought that 
>              outerface ! lo mod owner uid-owner i2psvc {
>                  @if $use_i2p proto (tcp udp) ACCEPT;
>              }

> would allow DNS resolution.

No, because the resolver is listening on the lo interface.

> When it didn't, I explicitly ACCEPTED DNS requests with
> +                @if $use_i2p proto udp dport domain ACCEPT;
>                  @if $use_i2p proto (tcp udp) ACCEPT;
> because I thought that would override the redirect around line 173, but
> DNS requests made by the i2psvc user still get redirected to the
> TorDNS port.
Indeed, the redirection lives in the OUTPUT chain of the nat table,
so it can't be overridden by anything in the filter table.

> Since the explicit DNS exception didn't do what I expected it to,
> I removed it.
OK, makes sense, and I now understand why I2P is talking to port 5353 :)

Thanks!

Cheers,
--
intrigeri
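The two points made in this exchange (a nat-table REDIRECT rewrites the destination before the filter table ever sees the packet, and traffic to 127.0.0.1 leaves via lo so an `outerface ! lo` block never matches it) can be traced with a small model of netfilter's hook order for locally generated packets. The following is an added example and not code from the thread or from Tails: the ferm rules quoted in the mails are hand-translated into Python predicates, only the nat and filter OUTPUT chains are modelled, chain policies are left out, and the peer address and the `eth0` interface name are constructed values.

```python
# Toy model of netfilter traversal for locally generated packets.
# Hook order modelled (as documented for netfilter): routing decision,
# nat OUTPUT, re-routing after any DNAT/REDIRECT, then filter OUTPUT.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    uid: str              # owner of the sending socket (iptables "owner" match)
    daddr: str
    proto: str            # "tcp" or "udp"
    dport: int
    oif: str = ""         # output interface, filled in by routing
    redirected: bool = False


@dataclass
class Rule:
    table: str            # "nat" or "filter"
    name: str             # label reported when the rule matches
    match: Callable[[Packet], bool]
    target: str           # "ACCEPT" or "REDIRECT"
    to_port: Optional[int] = None


def route(pkt: Packet) -> None:
    """Routing decision (simplified): loopback destinations leave via lo."""
    pkt.oif = "lo" if pkt.daddr.startswith("127.") else "eth0"


def walk(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First matching rule wins.  REDIRECT rewrites the packet; being a nat
    verdict it does not stop the packet from reaching the next hook."""
    for r in rules:
        if r.match(pkt):
            if r.target == "REDIRECT":
                pkt.dport = r.to_port
                pkt.daddr = "127.0.0.1"   # REDIRECT always targets a local address
                pkt.redirected = True
            return r.name
    return None   # nothing matched: the chain policy (not modelled) decides


def send_local(pkt: Packet, rules: List[Rule]) -> Tuple[Optional[str], Packet]:
    route(pkt)
    walk([r for r in rules if r.table == "nat"], pkt)
    route(pkt)            # re-route: REDIRECT may have changed the destination
    hit = walk([r for r in rules if r.table == "filter"], pkt)
    return hit, pkt


# The rules quoted in the thread, in ferm order (hand-translated, constructed).
TAILS_LIKE_RULES = [
    # nat OUTPUT: daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353
    Rule("nat", "dns-redirect",
         lambda p: p.daddr == "127.0.0.1" and p.proto == "udp" and p.dport == 53,
         "REDIRECT", to_port=5353),
    # filter OUTPUT, both inside "outerface ! lo mod owner uid-owner i2psvc { }":
    #   @if $use_i2p proto udp dport domain ACCEPT;   (the exception that was tried)
    Rule("filter", "i2p-dns-accept",
         lambda p: (p.oif != "lo" and p.uid == "i2psvc"
                    and p.proto == "udp" and p.dport == 53),
         "ACCEPT"),
    #   @if $use_i2p proto (tcp udp) ACCEPT;
    Rule("filter", "i2p-accept",
         lambda p: p.oif != "lo" and p.uid == "i2psvc" and p.proto in ("tcp", "udp"),
         "ACCEPT"),
]


def i2p_dns_query() -> Tuple[Optional[str], Packet]:
    """i2psvc resolves a name via the system resolver on 127.0.0.1:53."""
    return send_local(Packet("i2psvc", "127.0.0.1", "udp", 53), TAILS_LIKE_RULES)


def i2p_peer_traffic() -> Tuple[Optional[str], Packet]:
    """i2psvc sends to a remote address (192.0.2.10 is a constructed value)."""
    return send_local(Packet("i2psvc", "192.0.2.10", "udp", 9999), TAILS_LIKE_RULES)


if __name__ == "__main__":
    for label, fn in (("DNS query", i2p_dns_query), ("peer traffic", i2p_peer_traffic)):
        hit, p = fn()
        print(f"{label}: filter rule hit={hit}, oif={p.oif}, "
              f"dport={p.dport}, redirected={p.redirected}")
```

Running it shows the DNS query reaching the filter table already rewritten to port 5353 and leaving via lo, so neither of the i2psvc ACCEPT rules ever sees it (no filter rule matches), while ordinary peer traffic is untouched by nat and is accepted by the owner rule. The `outerface ! lo` condition is what keeps the added DNS exception from matching; even without it, the REDIRECT would already have happened one hook earlier.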