disable AutomapHostsOnResolve
Originally created by Tails on #5296 (Redmine)
AutomapHostsOnResolve moves remote stuff to the 127.192.0.0/10
address
space, which makes firewalling harder and leaks more possible.
Probably we should back this hit’n’run -like argument up a bit before discussing it and making a decision, hence the todo/research tag :)
Currently only the
amnesia
user is in need of this, and as such has access to Tor’sTransPort
. If we make it so that onlyamnesia
has access to the127.192.0.0/10
address space, there should be no possibility of any more leaks than in other situations.Actually, in Tails 0.17.2, as said above only the
amnesia
user has access to Tor’sTransPort
(9040). Any other user who tries to use an automapped address (127.192.0.0/10
) is forbidden to do so:Dropped outbound packet: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7190 DF PROTO=TCP SPT=58781 DPT=9040 WINDOW=32792 RES=0x00 SYN URGP=0 UID=0 GID=0
… while the
amnesia
user can do the same flawlessly.Test case for anyone to reproduce:
curl 127.192.0.1:11371
after havingtor-resolve
’d2eghzlv2wwcq7u7y.onion
to 127.192.0.1.Therefore, what’s already in place does exactly what we decided we wanted. Now documented on Network filter.