Commit 80c593ae authored by Tails developers

Add a new user 'clearnet' which is exempt of our firewall restrictions.

parent f18a25b1
#!/bin/sh
# Create the clear user.
#
# We run unsafe-browser under this user, so that we can whitelist its
# non-Torified outgoing packets.
echo "creating the clearnet user"
adduser --system --quiet --group clearnet || :
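Review bot: the `|| :` on the final `adduser --system --quiet --group clearnet` line discards every failure, not only the harmless "already exists" case, so this script reports success even when the account was never created. The firewall rule added in the same commit (`-m owner --uid-owner clearnet`) depends on that account existing. Suggest testing for the user first (for example with `getent passwd clearnet`) and letting a genuine `adduser` failure stop the script. Minor: the header comment says "Create the clear user" while the account is named `clearnet`.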
......@@ -15,6 +15,13 @@
# Internal network connections are accepted.
[0:0] -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
# clearnet is allowed to do anything it wants to, including DNS on the
# LAN
# FIXME: Do we want to restrict on destination port as well, e.g. only
# allow http(s) and dns? It wouldn't offer much protection, and would
# break weirdly configured captive portals using non-standard ports.
[0:0] -A OUTPUT -m owner --uid-owner clearnet -j ACCEPT
# Local network connections should not go through Tor but DNS shall be
# rejected.
[0:0] -N lan
......
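Review bot: the new `-A OUTPUT -m owner --uid-owner clearnet -j ACCEPT` rule has no protocol, port or destination match, and it sits ahead of the `lan` chain, so any process that ends up running as `clearnet` bypasses every later restriction, including the LAN DNS rejection. The FIXME directly above it leaves the scoping question open in the committed ruleset. Suggest either settling it here (record the captive-portal argument as the decision and drop the FIXME) or tracking it in a ticket referenced from the comment. The comment should also state that only the unsafe browser may run under this uid, since the rule trusts the uid alone.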