Access outgoing related ICMP packets to the loopback interface.
Otherwise:

1. the "I cannot configure the Unsafe Browser to use any local proxies" automated test fails: the browser waits for the "The proxy server is refusing connections" message that is never displayed, because of:

   Dropped outbound packet: IN= OUT=lo SRC= DST= LEN=80 TOS=0x00 PREC=0xC0 TTL=64 ID=8145 PROTO=ICMP TYPE=3 CODE=3 [SRC= DST= LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9959 DF PROTO=TCP SPT=40813 DPT=9050 WINDOW=43690 RES=0x00 SYN URGP=0 ]

2. Electrum, when started with an existing persistent wallet, takes more than two minutes to start, also because of blocked ICMP packets to the loopback interface.
diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index 32e89ef..edd10d0 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -29,6 +29,9 @@ domain ip {
# White-list access to local resources
outerface lo {
+ # Related outgoing ICMP packets are accepted.
+ mod state state (RELATED) proto icmp ACCEPT;
# White-list access to Tor's SOCKSPort's
daddr proto tcp syn dport 9050 {
mod owner uid-owner root ACCEPT;
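Review bot: The added rule `mod state state (RELATED) proto icmp ACCEPT;` at the top of `outerface lo` matches every RELATED ICMP type and carries no owner match, while the commit message only justifies destination-unreachable (the dropped packet it quotes is TYPE=3 CODE=3) and the SOCKSPort rule directly below is restricted with `uid-owner`. Consider narrowing the match, for example by adding `icmp-type destination-unreachable`, so the whitelist stays as tight as the stated need. The comment "Related outgoing ICMP packets are accepted." restates the rule; it would help to say why instead (a refused connection to a local port has to be reported back to the client promptly), so the reason is visible in ferm.conf and not only in the commit message.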