Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Delete this message

Reply to this message
Author: anonym
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
On 04/12/14 21:16, Oliver-Tobias Ripka wrote:
> According to anonym on Thu, Dec 04 2014:
>
>> FWIW I experienced no issues during my tests with *only* ESTABLISHED in
>> both the INPUT and OUTPUT chains so neither NEW nor RELATED seems
>> essential for the basic usage I tested. And of course the above
>> "exploits" didn't work due to the absence of NEW.
>
> You're right it work with ESTABLISHED only. This is due to whitelisted
> rule for the debian-tor user that may send any kind of packet.
>
> We might consider harden this rule to prevent leaks of other protocols
> by the debian-tor user; basically restrict it to only allow TCP SYN
> packets.


I'm admittedly a bit surprised we aren't already doing "proto tcp" for
the debian-tor user; after all, we're that careful with the i2psvc user
by only allowing protocols it needs (TCP and UDP).

So, in addition to "proto tcp", how does "--syn" compare to "state NEW"?
Actually, what is it we are trying to defend against here? Is there any
conceivable attack vector based on sending non-syn packets for
non-ESTABLISHED (i.e. NEW) TCP streams?

Cheers!