Commit 4e29ab15 authored by Tails developers

Restrict clearnet to TCP connections on any port and UDP DNS queries.

parent 82a371ee
......@@ -15,13 +15,11 @@
# Internal network connections are accepted (see exception below).
[0:0] -A OUTPUT -m owner ! --uid-owner clearnet -d 127.0.0.0/255.0.0.0 -j ACCEPT
# clearnet is allowed to do anything it wants to on external
# clearnet is allowed to connect to any TCP port via the external
# interfaces (but lo is blocked so it cannot interfere with Tor etc)
# including DNS on the LAN.
# FIXME: Do we want to restrict on destination port as well, e.g. only
# allow http(s) and dns? It wouldn't offer much protection, and would
# break weirdly configured captive portals using non-standard ports.
[0:0] -A OUTPUT ! -o lo -m owner --uid-owner clearnet -j ACCEPT
# including DNS on the LAN. UDP DNS queries are also allowed.
[0:0] -A OUTPUT ! -o lo -p TCP -m owner --uid-owner clearnet -j ACCEPT
[0:0] -A OUTPUT ! -o lo -p UDP -m owner --uid-owner clearnet --dport domain -j ACCEPT
# Local network connections should not go through Tor but DNS shall be
# rejected.
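Review bot: the new UDP rule (`[0:0] -A OUTPUT ! -o lo -p UDP -m owner --uid-owner clearnet --dport domain -j ACCEPT`) carries no destination match, so the clearnet user can send UDP/53 to any host reachable through the external interfaces, not only to LAN resolvers as the kept comment line "including DNS on the LAN" suggests; either add a `-d` for the local network or make the comment say that DNS to arbitrary resolvers is intended (the commit message says "UDP DNS queries", the comment says "DNS on the LAN"). The surviving comment block also no longer reads as a sentence ("... (but lo is blocked so it cannot interfere with Tor etc) including DNS on the LAN. UDP DNS queries are also allowed."); consider collapsing it to something like "# clearnet may connect to any TCP port and send UDP DNS queries via the external interfaces (lo is blocked so it cannot interfere with Tor etc)." Lastly, deleting the FIXME drops the only record of why TCP destination ports are left unrestricted; a one-line comment noting that ports are deliberately left open because captive portals use non-standard ones would preserve that decision for the next reader.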
......