author | intrigeri <intrigeri@boum.org> | 2016-05-11 13:38:18 +0000 |
---|---|---|
committer | intrigeri <intrigeri@boum.org> | 2016-05-11 13:38:18 +0000 |
commit | 5e06fa66aa90f34c82ae1ff9ccbb617d9ccc008d (patch) | |
tree | 66d95f9055c142c0bb714abea3dc943e3710bee5 /config/chroot_local-includes | |
parent | 8194a80299f4166a7ac93e020be77486bb2fae71 (diff) | |
parent | 5e34dc8cab3620dee1c1a46358f805e3717e3395 (diff) |
Merge remote-tracking branch 'origin/devel' into feature/10748-gen-packages-manifest
Diffstat (limited to 'config/chroot_local-includes')
4 files changed, 12 insertions, 8 deletions
diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index a7f4a32..edd10d0 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -15,7 +15,7 @@ domain ip {
         policy DROP;
 
         # Established incoming connections are accepted.
-        mod state state (RELATED ESTABLISHED) ACCEPT;
+        mod state state (ESTABLISHED) ACCEPT;
 
         # Traffic on the loopback interface is accepted.
         interface lo ACCEPT;
@@ -25,10 +25,13 @@ domain ip {
         policy DROP;
 
         # Established outgoing connections are accepted.
-        mod state state (RELATED ESTABLISHED) ACCEPT;
+        mod state state (ESTABLISHED) ACCEPT;
 
         # White-list access to local resources
         outerface lo {
+            # Related outgoing ICMP packets are accepted.
+            mod state state (RELATED) proto icmp ACCEPT;
+
             # White-list access to Tor's SOCKSPort's
             daddr 127.0.0.1 proto tcp syn dport 9050 {
                 mod owner uid-owner root ACCEPT;
@@ -141,7 +144,9 @@ domain ip {
         }
 
         # Tor is allowed to do anything it wants to.
-        mod owner uid-owner debian-tor ACCEPT;
+        mod owner uid-owner debian-tor {
+            proto tcp syn mod state state (NEW) ACCEPT;
+        }
 
         # i2p is allowed to do anything it wants to on the internet.
         outerface ! lo mod owner uid-owner i2psvc {
@@ -188,7 +193,7 @@ domain ip6 {
         # White-list access to the accessibility daemon
         interface lo saddr ::1 daddr ::1 proto tcp {
             dport 4101 ACCEPT;
-            sport 4101 mod state state (RELATED ESTABLISHED) ACCEPT;
+            sport 4101 mod state state (ESTABLISHED) ACCEPT;
         }
     }
 
@@ -203,7 +208,7 @@ domain ip6 {
         # White-list access to the accessibility daemon
         outerface lo saddr ::1 daddr ::1 proto tcp {
             dport 4101 mod owner uid-owner amnesia ACCEPT;
-            sport 4101 mod state state (RELATED ESTABLISHED) ACCEPT;
+            sport 4101 mod state state (ESTABLISHED) ACCEPT;
         }
 
         # Everything else is logged and dropped.
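Review bot: The incoming ACCEPT in the first hunk now admits only ESTABLISHED, so RELATED packets arriving from the network — chiefly ICMP errors such as fragmentation-needed for the host's own connections — are dropped, and nothing in ferm.conf says this is intended or how it is compensated. The rationale appears to live in the sibling files of this commit (nf_conntrack_helper=0 in modprobe.d removes helper-created RELATED flows, tcp_mtu_probing=1 in sysctl.d stands in for PMTUD ICMP), which a reader of the firewall alone cannot see. I would add, next to the changed rule, `# RELATED is deliberately omitted: conntrack helpers are disabled (modprobe.d/no-conntrack-helper.conf) and lost PMTUD ICMP is compensated by TCP MTU probing (sysctl.d/pmtud.conf).` The debian-tor rule in the third hunk also narrows from ACCEPT-all to new TCP SYNs; that is consistent with the ESTABLISHED rule covering the rest of each flow, but it silently drops any non-TCP traffic Tor might emit, so a one-line comment such as `# Tor only needs to open new TCP connections; the rest of each flow is covered by the ESTABLISHED rule above.` is worth adding. Both hunks sit inside chain blocks that start outside the hunk.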
diff --git a/config/chroot_local-includes/etc/modprobe.d/no-conntrack-helper.conf b/config/chroot_local-includes/etc/modprobe.d/no-conntrack-helper.conf
new file mode 100644
index 0000000..9f4e2da
--- /dev/null
+++ b/config/chroot_local-includes/etc/modprobe.d/no-conntrack-helper.conf
@@ -0,0 +1 @@
+options nf_conntrack nf_conntrack_helper=0
diff --git a/config/chroot_local-includes/etc/skel/.purple/blist.xml b/config/chroot_local-includes/etc/skel/.purple/blist.xml
index 7f2d28d..64f2f0b 100644
--- a/config/chroot_local-includes/etc/skel/.purple/blist.xml
+++ b/config/chroot_local-includes/etc/skel/.purple/blist.xml
@@ -4,9 +4,6 @@
 <blist>
     <group name='Discussions'>
         <setting name='collapsed' type='bool'>0</setting>
-        <chat proto='prpl-irc' account='XXX_NICK_XXX@irc.oftc.net'>
-            <component name='channel'>#tails</component>
-        </chat>
         <chat proto='prpl-irc' account='XXX_NICK_XXX@127.0.0.1'>
             <component name='channel'>#i2p</component>
         </chat>
diff --git a/config/chroot_local-includes/etc/sysctl.d/pmtud.conf b/config/chroot_local-includes/etc/sysctl.d/pmtud.conf
new file mode 100644
index 0000000..3e938cd
--- /dev/null
+++ b/config/chroot_local-includes/etc/sysctl.d/pmtud.conf
@@ -0,0 +1 @@
+net.ipv4.tcp_mtu_probing=1
|
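Review bot: The `options nf_conntrack nf_conntrack_helper=0` line only takes effect when nf_conntrack is loaded as a module after modprobe.d is read; if the module is built into the kernel or is already loaded by the time this file is consulted, the option is silently ignored and automatic helper assignment stays enabled. Since the ferm.conf change in this commit stops accepting RELATED on the assumption that helpers are off, it would be safer to also set the runtime `net.netfilter.nf_conntrack_helper = 0` sysctl in the new sysctl.d directory, or to check the effective value at boot, so the firewall's assumption holds regardless of how the module was brought in. A header comment stating the purpose, e.g. `# Disable automatic conntrack helper assignment (see ferm.conf: RELATED is no longer accepted).`, would help the next reader, and pmtud.conf deserves a similar one-liner saying that tcp_mtu_probing=1 compensates for PMTUD ICMP errors the firewall now drops.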