author intrigeri <intrigeri@boum.org> 2016-04-30 12:18:15 +0000
committer intrigeri <intrigeri@boum.org> 2016-04-30 12:40:10 +0000
commit 0f36175afc7bf863a3a3433b6ad9ff3e987e084b
tree 4b33f3636d5900df8382bf02d94667b76cba8855 /config/chroot_local-includes
parent e870563eafc1276137bc0926d04e0092403604e3
Access outgoing related ICMP packets to the loopback interface.
Otherwise:

1. the "I cannot configure the Unsafe Browser to use any local proxies" automated test fails: the browser waits for the "The proxy server is refusing connections" message that is never displayed, because of:

   Dropped outbound packet: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=80 TOS=0x00 PREC=0xC0 TTL=64 ID=8145 PROTO=ICMP TYPE=3 CODE=3 [SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9959 DF PROTO=TCP SPT=40813 DPT=9050 WINDOW=43690 RES=0x00 SYN URGP=0 ]

2. Electrum, when started with an existing persistent wallet, takes more than two minutes to start, also because of blocked ICMP packets to the loopback interface.
Diffstat (limited to 'config/chroot_local-includes')
-rw-r--r-- config/chroot_local-includes/etc/ferm/ferm.conf 3
1 files changed, 3 insertions, 0 deletions
diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index 32e89ef..edd10d0 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -29,6 +29,9 @@ domain ip {
# White-list access to local resources
outerface lo {
+ # Related outgoing ICMP packets are accepted.
+ mod state state (RELATED) proto icmp ACCEPT;
+
# White-list access to Tor's SOCKSPort's
daddr 127.0.0.1 proto tcp syn dport 9050 {
mod owner uid-owner root ACCEPT;
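Review bot: The added rule in `outerface lo` accepts every RELATED ICMP type, with no `daddr` or `icmp-type` restriction, while the only dropped packet the commit message shows is a destination-unreachable (TYPE=3 CODE=3) from 127.0.0.1 to 127.0.0.1. Consider narrowing it, for example `mod state state (RELATED) proto icmp icmp-type destination-unreachable ACCEPT;`, so that the white-list stays as tight as the per-port rules that follow it. The comment "Related outgoing ICMP packets are accepted." only restates the rule; it would help to say why it exists (refused local connections, such as the one to port 9050 in the log line, were never reported back to the client). The hunk sits in `domain ip`, so it is also worth checking whether the IPv6 loopback needs the same treatment.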