# -*- mode: conf[space] -*-
#
#  Configuration file for ferm(1).
#

# When ferm starts initially during early boot, the "amnesia" user does not
# exist yet, so we have to use its UID (#7018).
# NOTE(review): every "mod owner uid-owner $amnesia_uid" rule below matches on
# this numeric value, so it has to stay in sync with the UID the amnesia
# account is actually created with; if they drift apart those rules simply stop
# matching and the user's traffic falls through to the final REJECT.
def $amnesia_uid = 1000;

# IPv4
domain ip {
    table filter {
        # Incoming: nothing is accepted unless it belongs to a connection this
        # host already opened, or it arrives on the loopback interface.
        chain INPUT {
            policy DROP;

            # Established incoming connections are accepted. Only ESTABLISHED is
            # matched here; RELATED packets are not accepted on INPUT.
            mod state state (ESTABLISHED) ACCEPT;

            # Traffic on the loopback interface is accepted.
            interface lo ACCEPT;
        }

        # Outgoing: a first-match whitelist keyed on the local user that owns
        # the socket (mod owner uid-owner). Anything that reaches the end of the
        # chain is logged and rejected.
        chain OUTPUT {
            policy DROP;

            # Established outgoing connections are accepted. Because this rule
            # comes first, the per-user rules below only ever see packets that
            # are not part of an already established connection.
            mod state state (ESTABLISHED) ACCEPT;

            # White-list access to local resources. Every rule in this block is
            # scoped to the loopback interface and to one owning UID.
            outerface lo {
                # Related outgoing ICMP packets are accepted.
                mod state state (RELATED) proto icmp ACCEPT;

                # White-list access to Tor's SOCKSPort's.
                # System users that may open new connections (syn) to the SOCKS
                # port on 9050 only.
                daddr 127.0.0.1 proto tcp syn dport 9050 {
                    mod owner uid-owner _apt ACCEPT;
                    mod owner uid-owner proxy ACCEPT;
                    mod owner uid-owner nobody ACCEPT;
                }
                # The amnesia user may use any of the SOCKS ports 9050, 9062
                # and 9150.
                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9062 9150) {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }
                # System users restricted to the SOCKS port on 9062.
                daddr 127.0.0.1 proto tcp syn dport 9062 {
                    mod owner uid-owner htp ACCEPT;
                    mod owner uid-owner tails-iuk-get-target-file ACCEPT;
                    mod owner uid-owner tails-upgrade-frontend ACCEPT;
                }

                # White-list access to Tor's ControlPort. Only root may reach it
                # directly; the amnesia user and tor-launcher are only allowed
                # the filtered port 9051 below.
                daddr 127.0.0.1 proto tcp dport 9052 {
                    # Needed for running the Tor control port filter
                    mod owner uid-owner root ACCEPT;
                }

                # White-list access to the Tor control port filter
                daddr 127.0.0.1 proto tcp dport 9051 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                    mod owner uid-owner tor-launcher ACCEPT;
                }

                # White-list access to Tor's TransPort (the target of the
                # .onion REDIRECT in the nat table below). Note: no "syn"
                # qualifier here, unlike the SOCKSPort rules above.
                daddr 127.0.0.1 proto tcp dport 9040 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # White-list access to system DNS and Tor's DNSPort. The nat
                # OUTPUT rule below redirects 127.0.0.1:53 to 5353, which is
                # presumably why both ports are listed here. _apt is explicitly
                # dropped rather than rejected like the chain's fallback below.
                daddr 127.0.0.1 proto udp dport (53 5353) {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                    mod owner uid-owner _apt DROP;
                }

                # White-list access to the accessibility daemon (new TCP
                # connections only) for the desktop user and the display manager.
                daddr 127.0.0.1 proto tcp syn dport 4101 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                    mod owner uid-owner Debian-gdm ACCEPT;
                }

                # White-list access to CUPS
                daddr 127.0.0.1 proto tcp syn dport 631 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # White-list access to OnionShare (whole port range, amnesia only)
                daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }
            }

            # clearnet is allowed to connect to any TCP port via the external
            # interfaces (the negated outerface keeps it off lo so it cannot
            # interfere with Tor etc.), including DNS on the LAN. UDP DNS
            # queries are also allowed.
            outerface ! lo mod owner uid-owner clearnet {
                proto tcp ACCEPT;
                proto udp dport domain ACCEPT;
            }

            # Tor (debian-tor) may open new TCP connections anywhere and send
            # UDP DNS queries; it is not restricted to a particular interface.
            mod owner uid-owner debian-tor {
                proto tcp syn mod state state (NEW) ACCEPT;
                proto udp dport domain ACCEPT;
            }

            # Local network connections should not go through Tor, but DNS and
            # NetBIOS name service towards the LAN are rejected. The ACCEPT at
            # the end of this subchain is not restricted to any user. The
            # .onion range redirected in the nat table below (127.192.0.0/10)
            # lies outside these RFC 1918 ranges, so it is not caught here.
            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
                proto tcp dport domain REJECT;
                proto udp dport domain REJECT;
                proto tcp dport netbios-ns REJECT;
                proto udp dport netbios-ns REJECT;
                ACCEPT;
            }

            # Everything else is logged (log-uid adds the sending UID to the
            # log entry) and rejected with ICMP port unreachable. The DROP
            # policy above is only a safety net, since this REJECT is
            # unconditional.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp-port-unreachable;
        }

        # This host never forwards IPv4 traffic.
        chain FORWARD {
            policy DROP;
        }
    }

    table nat {
        # No PREROUTING/POSTROUTING rewriting; only locally generated traffic
        # is redirected (see OUTPUT).
        chain PREROUTING {
            policy ACCEPT;
        }

        chain POSTROUTING {
            policy ACCEPT;
        }

        chain OUTPUT {
            policy ACCEPT;

            # .onion mapped addresses redirection to Tor's TransPort (9040,
            # whitelisted for the amnesia user in filter OUTPUT above).
            daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040;

            # Redirect system DNS to Tor's DNSport
            daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353;
        }
    }
}

# IPv6:
domain ip6 {
    table filter {
        # IPv6 is effectively disabled: unlike the IPv4 chains there is no
        # general ESTABLISHED accept, so apart from the loopback accessibility
        # daemon rules every IPv6 packet in or out is dropped or rejected.
        chain INPUT {
            policy DROP;

            # White-list access to the accessibility daemon, loopback only
            # (::1 to ::1). Replies are matched by source port plus ESTABLISHED.
            interface lo saddr ::1 daddr ::1 proto tcp {
                dport 4101 ACCEPT;
                sport 4101 mod state state (ESTABLISHED) ACCEPT;
            }

        }

        # This host never forwards IPv6 traffic.
        chain FORWARD {
            policy DROP;
        }

        chain OUTPUT {
            policy DROP;

            # White-list access to the accessibility daemon, loopback only, for
            # the desktop user and the display manager; replies from the daemon
            # are matched by source port plus ESTABLISHED.
            outerface lo saddr ::1 daddr ::1 proto tcp {
                dport 4101 mod owner uid-owner $amnesia_uid ACCEPT;
                dport 4101 mod owner uid-owner Debian-gdm ACCEPT;
                sport 4101 mod state state (ESTABLISHED) ACCEPT;
            }

            # Everything else is logged (log-uid adds the sending UID to the
            # log entry) and rejected; the DROP policy above is only a safety
            # net, since this REJECT is unconditional.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp6-port-unreachable;
        }
    }
}