firewall exceptions for user-run local services
Originally created by @anonym on #6333 (Redmine)
A user on tails-support@ wondered why setting up a standard SSH forwarding proxy fails in Tails. Of course, this is our restrictive local services white-list at play. To make new local services accessible we could add a firewall exception so that all users (or only amnesia and root?) can access the loopback interface (lo) on a “safe” TCP port range that we know no default Tails application will listen on, perhaps 10000-10999, and document this in the “Advanced topics” section.
One could also take a script/wrapper-based approach that dynamically adds/removes exceptions upon user request (perhaps requiring an administrator password + sudo if we feel that’s safer), but that has several disadvantages (but no strong advantages?) which makes it look pretty unattractive:
- added complexity
- ferm removing the exception on network up unless we manipulate ferm.conf (more complexity)
- sanitizing input since we deal with very sensitive parts of Tails’ configuration (no big deal, probably)
- wrappers that remove the exception on exit don’t work well with forking/backgrounding processes
- requires using the terminal
Important questions to answer:
- Should the exception only be made for the amnesia user and root, or all users? One could imagine a user installing some local service via APT that adds a new user running the service. (This would be up to the user with dynamic wrapper/script approaches)
- Are TCP ports enough or are there reasonable use cases involving UDP?
- What’s a “safe” port range? (Once decided and implemented, we should check that it’s unused by default in the automated test suite.)
- Do we want a dynamic script/wrapper-based solution, despite its disadvantages, or is a static, always-on solution safe enough?
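As an added illustration of the static, always-on option (not from the original issue and not Tails’ own ferm.conf), here is the exception written as a ferm rule, using the range and users discussed above; it assumes ferm with a default-deny OUTPUT policy and that INPUT on lo is already accepted.

```ferm
# Illustrative ferm.conf fragment (added here; not Tails' actual configuration).
# Assumptions: ferm with a default-deny OUTPUT policy, INPUT on lo already
# accepted, and the range/users taken from the discussion above
# (10000-10999, amnesia and root).
domain (ip ip6) {
    table filter {
        chain OUTPUT {
            # Static exception for user-run local services on loopback only.
            outerface lo {
                # Only new TCP connections (syn) to the reserved port range;
                # nothing else on lo is affected by this rule.
                proto tcp syn dport 10000:10999 {
                    # "mod owner uid-owner" matches the owner of the process
                    # that sends the packet, so a service account created by
                    # an APT package cannot connect unless it is listed here.
                    mod owner uid-owner (amnesia root) ACCEPT;
                }
            }
        }
    }
}
```

Whether to keep the `uid-owner` match is exactly the first question above: dropping it opens the range to every local user, including service accounts created by packages.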
Related issues
- Related to #15167
- Related to #5688 (closed)