firewall lockdown
Originally created by Tails on #5310 (Redmine)
Our filewall could use a more whitelist and principle of least privilege oriented approach. Not only may it block potential leaks and deanonymization attacks by compromised processes, but it will also force us to be really conscious about new loopback services and users that are added, which is good in itself.
The general idea is:
- We reject all loopback connections by default, both IPv4 and IPv6.
- For each user and service (on loopback) combination we want to allow we create an iptables rule.
- Prefer IPv4 for local services so we don’t have to maintain an additional set of rules for IPv6 (e.g. I2P and cupsd currently use IPv6).
- Enable logging of dropped packets (helps with identifying miscofigured applications).
- Try to eliminate all unnecessary sources of dropped packets.
Some example of user access rights:
- For the
amnesia
user we allow:- Tor’s
SOCKSPort
:tcp 127.0.0.1:9050
- Tor’s
ControlPport
:tcp 127.0.0.1:9051
- System DNS:
tcp/udp 127.0.0.1:53
- Polipo:
tcp 127.0.0.1:8118
- I2P:
tcp 127.0.0.1:{4444,4445,6668,7657,7659,7660
- CUPS:
tcp 127.0.0.1:631
- Monkeysphere
tcp 127.0.0.1:6136
(MSVA_PORT=6316
in environment)
- Tor’s
- For the
htp
user we allow:- System DNS:
tcp/udp 127.0.0.1:53
- Polipo:
tcp 127.0.0.1:8118
- System DNS:
- For the
pdnsd
user (which runs the "System DNS" service allowed for theamnesia
andhtp
users above) we allow:- Tor’s
DNSPort
:tcp 127.0.0.1:8853
- ttdnsd:
tcp/udp 127.0.0.2:53
- Tor’s
Note: ttdnsd is hardcoded to chuid to nobody but since nobody might be used for other processes with other requirements (e.g. jake’s other project which we may consider using at some point, tlsdate, which has the same hardcoded privelege drop) it’d be great if we could send a patch/request to upstream ttdnsd for adding a "—chuid " option. I don’t think any other process in Tails runs as the nobody user right now, so there’s no hurry.
Implementated in the feature/firewall_lockdown
branch.
Merged in devel, implemented in 0.13.