Created
September 4, 2014 16:04
-
-
Save david415/f04280cbb155b7c01411 to your computer and use it in GitHub Desktop.
old tails ferm.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- mode: conf[space] -*- | |
| # | |
| # Configuration file for ferm(1). | |
| # | |
| # IPv4 | |
| domain ip { | |
| table filter { | |
| chain INPUT { | |
| policy DROP; | |
| # Established incoming connections are accepted. | |
| mod state state (RELATED ESTABLISHED) ACCEPT; | |
| # Traffic on the loopback interface is accepted. | |
| interface lo ACCEPT; | |
| } | |
| chain OUTPUT { | |
| policy DROP; | |
| # Established outgoing connections are accepted. | |
| mod state state (RELATED ESTABLISHED) ACCEPT; | |
| # White-list access to local resources | |
| outerface lo { | |
| # White-list access to Tor's SOCKSPort's | |
| daddr 127.0.0.1 proto tcp syn dport 9050 { | |
| mod owner uid-owner root ACCEPT; | |
| mod owner uid-owner proxy ACCEPT; | |
| mod owner uid-owner nobody ACCEPT; | |
| } | |
| daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9061 9062 9151) { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| daddr 127.0.0.1 proto tcp syn dport 9062 { | |
| mod owner uid-owner htp ACCEPT; | |
| mod owner uid-owner tails-iuk-get-target-file ACCEPT; | |
| mod owner uid-owner tails-upgrade-frontend ACCEPT; | |
| } | |
| # White-list access to Tor's ControlPort | |
| daddr 127.0.0.1 proto tcp dport 9051 { | |
| mod owner uid-owner tor-launcher ACCEPT; | |
| # Needed by a workaround in tordate (NM's 20-time.sh hook) | |
| # for temporarily changing Tor's logging severity. | |
| mod owner uid-owner root ACCEPT; | |
| } | |
| # ssh fu | |
| daddr 127.0.0.1 proto tcp dport 9090 { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to the Tor control port filter | |
| daddr 127.0.0.1 proto tcp dport 9052 { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to Tor's TransPort | |
| daddr 127.0.0.1 proto tcp dport 9040 { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to system DNS and Tor's DNSPort | |
| daddr 127.0.0.1 proto udp dport (53 5353) { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to ttdnsd | |
| daddr 127.0.0.2 proto udp dport 53 { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| daddr 127.0.0.2 proto tcp syn dport 53 { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to polipo | |
| daddr 127.0.0.1 proto tcp syn dport 8118 { | |
| mod owner uid-owner root ACCEPT; | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to I2P and Tahoe-LAFS | |
| # The Tahoe-LAFS gateway that gets set up in XYZ ??? is | |
| # configured to listen to port 4456, accepting connections | |
| # *only* through the loopback interface. For more information | |
| # about I2P, see https://tails/boum.org/contribute/design/I2P | |
| # and https://geti2p.net/ports | |
| daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (2827 4444 4445 4456 6668 7656 7657 7658 7659 7660 8998) { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to CUPS | |
| daddr 127.0.0.1 proto tcp syn dport 631 { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| # White-list access to Monkeysphere | |
| daddr 127.0.0.1 proto tcp syn dport 6136 { | |
| mod owner uid-owner amnesia ACCEPT; | |
| } | |
| } | |
| # clearnet is allowed to connect to any TCP port via the | |
| # external interfaces (but lo is blocked so it cannot interfere | |
| # with Tor etc) including DNS on the LAN. UDP DNS queries are | |
| # also allowed. | |
| outerface ! lo mod owner uid-owner clearnet { | |
| proto tcp ACCEPT; | |
| proto udp dport domain ACCEPT; | |
| } | |
| # Local network connections should not go through Tor but DNS shall be | |
| # rejected. | |
| # (Note that we exclude the VirtualAddrNetwork used for .onion:s here.) | |
| daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" { | |
| proto tcp dport domain REJECT; | |
| proto udp dport domain REJECT; | |
| ACCEPT; | |
| } | |
| # Tor is allowed to do anything it wants to. | |
| mod owner uid-owner debian-tor ACCEPT; | |
| # i2p is allowed to do anything it wants to. | |
| mod owner uid-owner i2psvc ACCEPT; | |
| # Everything else is logged and dropped. | |
| LOG log-prefix "Dropped outbound packet: " log-level debug log-uid; | |
| REJECT reject-with icmp-port-unreachable; | |
| } | |
| chain FORWARD { | |
| policy DROP; | |
| } | |
| } | |
| table nat { | |
| chain PREROUTING { | |
| policy ACCEPT; | |
| } | |
| chain POSTROUTING { | |
| policy ACCEPT; | |
| } | |
| chain OUTPUT { | |
| policy ACCEPT; | |
| # .onion mapped addresses redirection to Tor. | |
| daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040; | |
| # Redirect system DNS to Tor's DNSport | |
| daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353; | |
| } | |
| } | |
| } | |
| # IPv6: | |
| domain ip6 { | |
| table filter { | |
| chain INPUT { | |
| policy DROP; | |
| # Established connections are accepted. | |
| mod state state (RELATED ESTABLISHED) ACCEPT; | |
| } | |
| chain FORWARD { | |
| policy DROP; | |
| } | |
| chain OUTPUT { | |
| policy DROP; | |
| # Established connections are accepted. | |
| mod state state (RELATED ESTABLISHED) ACCEPT; | |
| # Everything else is logged and dropped. | |
| LOG log-prefix "Dropped outbound packet: " log-level debug log-uid; | |
| REJECT reject-with icmp6-port-unreachable; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment