Commit 1c588824 authored by anonym

Rearrange Tor's ferm rules vs the LAN rules.

We want to allow something in Tor's rule that is blocked in the LAN
rules, so the Tor rule must be listed first.
parent 4fc2cd47
......@@ -100,6 +100,12 @@ domain ip {
proto udp dport domain ACCEPT;
}
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor {
proto tcp syn mod state state (NEW) ACCEPT;
proto udp dport domain ACCEPT;
}
# Local network connections should not go through Tor but DNS shall be
# rejected. (Note that we exclude the VirtualAddrNetwork used for
# .onion:s here.)
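Review bot: moving the whole `mod owner uid-owner debian-tor { ... }` block above the LAN rules exempts the debian-tor uid from every LAN rule that follows, not only from the DNS reject the commit message is about; ferm emits these in order and iptables stops at the first match, so if the intent is just to let Tor's UDP `dport domain` traffic reach LAN resolvers, a single narrower line placed before the LAN DNS reject (`mod owner uid-owner debian-tor proto udp dport domain ACCEPT;`) would be more precise. Either way, the `# Tor is allowed to do anything it wants to.` comment should say that the block must stay above the LAN rules, otherwise a later tidy-up can move it back down and silently reintroduce the block.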
......@@ -111,12 +117,6 @@ domain ip {
ACCEPT;
}
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor {
proto tcp syn mod state state (NEW) ACCEPT;
proto udp dport domain ACCEPT;
}
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
REJECT reject-with icmp-port-unreachable;
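Review bot: the five removed lines match the block inserted above line for line, so this hunk is a pure reorder with no change to rule content, which is worth stating in the commit message. One useful post-deploy check follows from the trailing context: the catch-all `LOG` line carries `log-uid`, and with the Tor block now matching first, any `Dropped outbound packet:` entry that still shows the debian-tor uid would indicate the moved block is not matching as intended.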