Re: [Tails-dev] [review'n'merge 1.?] Bug #7771: printing in …

Author: Kill Your TV
Date:  
To: tails-dev
Subject: Re: [Tails-dev] [review'n'merge 1.?] Bug #7771: printing in unsafe-browser leads to browser hang
On Tue, 12 Aug 2014 20:13:43 +0000 (UTC)
Kill Your TV <killyourtv@???> wrote:

> Assuming I understood the request properly, I tried the following:
>
> a/config/chroot_local-includes/etc/ferm/ferm.conf +++
> b/config/chroot_local-includes/etc/ferm/ferm.conf @@ -179,6 +179,7 @@
> domain ip6 { table filter {
>          chain INPUT {
>              policy DROP;
> +            daddr ::1 saddr ::1 REJECT;
>          }

>
>          chain FORWARD {
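Review bot: this quoted hunk will not apply as pasted: the `--- a/...` file header is missing and `+++ b/...` and `@@ -179,6 +179,7 @@` have been wrapped onto the same lines as surrounding context, so please resend the diff as an attachment or with line wrapping disabled. On the rule itself, `daddr ::1 saddr ::1 REJECT;` carries no `interface lo` match and no explicit `reject-with`, so it relies on the default ICMPv6 reject type; spelling both out, as the later variant with `reject-with icmp6-port-unreachable` does, makes the intended behaviour for loopback traffic readable in the config.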

I also tried copying the rule from the OUTPUT chain, wrapping it in a
"interface lo outerface lo" block. When I attempted to restart, ferm
complained, something like "cannot use matches for policy" or the like.
Then I tried the following:

--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -179,6 +179,8 @@ domain ip6 {
     table filter {
         chain INPUT {
             policy DROP;
+            LOG log-prefix "Dropped inbound packet: " log-level debug
log-uid;
+            REJECT reject-with icmp6-port-unreachable;
         }
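Review bot: the `LOG log-prefix "Dropped inbound packet: " log-level debug` line has wrapped so that `log-uid;` sits on a line of its own without a `+` prefix, so the hunk will not apply as pasted; resend unwrapped. On the rules: `log-uid` only yields a UID for locally generated packets, which in INPUT means loopback traffic at most, and an unrestricted `LOG` at the end of a chain whose policy is DROP needs a rate limit (ferm's `mod limit`) if it is to stay in the shipped config rather than serve as a one-off diagnostic. Unlike the earlier `saddr ::1 daddr ::1` variant, the bare `REJECT reject-with icmp6-port-unreachable;` turns the whole INPUT chain from silent drop into active reject for every inbound IPv6 packet that reaches it, which also answers unsolicited probes with ICMPv6 errors; if only loopback is of interest, keep the `::1` or `interface lo` restriction on it.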

With that (which probably will be line wrapped when I hit send), there
were no blocked inbound connections logged, and the counters for the
INPUT chain didn't increase either, so I think that adding rules to the
INPUT chain probably won't change the behaviour seen with respect to this
ticket; the only blocked activity is seen on the OUTPUT chain.

--
GPG ID: 0x5BF72F42D0952C5A
Fingerprint: BD12 65FD 4954 C40A EBCB F5D7 5BF7 2F42 D095 2C5A