path: root/config/chroot_local-includes/etc/ferm/ferm.conf
blob: 48e6593101d278ad5e1376507911e1b1740a0b3b (plain)
# -*- mode: conf[space] -*-
#
#  Configuration file for ferm(1).
#

# I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
# only be enabled if the string "i2p" is entered at the boot prompt.
# Deny or reject rules affecting "i2psvc" will always be set.
# NOTE(review): what is actually tested here is whether /usr/share/i2p exists;
# the boot prompt option presumably controls that directory's presence, it is
# not checked directly — confirm against the boot hooks.
def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;

# When ferm starts initially during early boot, the "amnesia" user does not
# exist yet, so we have to use its UID (#7018). Every rule for that account
# below must therefore use $amnesia_uid rather than the user name.
def $amnesia_uid = 1000;

# IPv4
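domain ip {
    table filter {
        chain INPUT {
            policy DROP;

            # Established incoming connections are accepted.
            # NOTE(review): RELATED is not listed, so inbound ICMP errors tied
            # to our own connections (e.g. fragmentation-needed) are dropped
            # as well — confirm this is intended.
            mod state state (ESTABLISHED) ACCEPT;

            # Traffic on the loopback interface is accepted.
            interface lo ACCEPT;
        }

        chain OUTPUT {
            policy DROP;

            # Established outgoing connections are accepted, so the rules
            # below only ever see the first packet(s) of a new connection.
            mod state state (ESTABLISHED) ACCEPT;

            # White-list access to local resources. Each rule is keyed on the
            # owner of the sending process, so a port is only reachable by
            # the accounts listed under it.
            outerface lo {
                # Related outgoing ICMP packets are accepted.
                mod state state (RELATED) proto icmp ACCEPT;

                # White-list access to Tor's SOCKSPorts
                daddr 127.0.0.1 proto tcp syn dport 9050 {
                    mod owner uid-owner root ACCEPT;
                    mod owner uid-owner proxy ACCEPT;
                    mod owner uid-owner nobody ACCEPT;
                }
                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9061 9062 9150) {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }
                daddr 127.0.0.1 proto tcp syn dport 9062 {
                    mod owner uid-owner htp ACCEPT;
                    mod owner uid-owner tails-iuk-get-target-file ACCEPT;
                    mod owner uid-owner tails-upgrade-frontend ACCEPT;
                }

                # White-list access to Tor's ControlPort (root only)
                daddr 127.0.0.1 proto tcp dport 9052 {
                    # Needed by a workaround in tordate (NM's 20-time.sh hook)
                    # for temporarily changing Tor's logging severity.
                    mod owner uid-owner root ACCEPT;
                }

                # White-list access to the Tor control port filter
                daddr 127.0.0.1 proto tcp dport 9051 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                    mod owner uid-owner tor-launcher ACCEPT;
                }

                # White-list access to Tor's TransPort. Connections to the
                # .onion address range are REDIRECTed here by the nat OUTPUT
                # chain below (locally generated packets are rewritten to
                # 127.0.0.1), so they are accepted by this rule as well.
                daddr 127.0.0.1 proto tcp dport 9040 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # White-list access to system DNS and Tor's DNSPort
                # (UDP port 53 is REDIRECTed to 5353 by the nat OUTPUT chain below)
                daddr 127.0.0.1 proto udp dport (53 5353) {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
                daddr 127.0.0.1 proto udp dport 5353 {
                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
                }

                # White-list access to ttdnsd
                daddr 127.0.0.2 proto udp dport 53 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }
                daddr 127.0.0.2 proto tcp syn dport 53 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # White-list access to the accessibility daemon
                daddr 127.0.0.1 proto tcp syn dport 4101 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
                # For more information, see https://tails.boum.org/contribute/design/I2P and https://geti2p.net/ports
                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {
                    @if $use_i2p mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # Whitelist access to I2P services for the i2psvc user,
                # otherwise mail and eepsite hosting won't work. The mail ports (7659 and 7660) are
                # accessed by the webmail app
                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
                }

                # Whitelist access to the i2pbrowser user
                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 7657 7658) {
                    @if $use_i2p mod owner uid-owner i2pbrowser ACCEPT;
                }

                # White-list access to the java wrapper's (used by I2P) control ports
                # (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
                # If, for example, port 31000 is in use, it'll try the next one in sequence.
                daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
                }

                # White-list access to CUPS
                daddr 127.0.0.1 proto tcp syn dport 631 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # White-list access to Monkeysphere
                daddr 127.0.0.1 proto tcp syn dport 6136 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

                # White-list access to OnionShare. The numeric UID is used here
                # like everywhere else: the "amnesia" user name cannot be
                # resolved when ferm first runs during early boot (#7018), and
                # an unresolvable uid-owner is expected to make the rule load fail.
                daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }
            }

            # clearnet is allowed to connect to any TCP port via the
            # external interfaces (but lo is blocked so it cannot interfere
            # with Tor etc) including DNS on the LAN. UDP DNS queries are
            # also allowed.
            outerface ! lo mod owner uid-owner clearnet {
                proto tcp ACCEPT;
                proto udp dport domain ACCEPT;
            }

            # Local network connections should not go through Tor but DNS shall be
            # rejected. I2P is explicitly blocked from communicating with the LAN.
            # (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
            # Rule order matters: the DNS and i2psvc REJECTs must come before
            # the unconditional ACCEPT at the end of the subchain.
            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
                proto tcp dport domain REJECT;
                proto udp dport domain REJECT;
                mod owner uid-owner i2psvc REJECT;
                ACCEPT;
            }

            # Tor (debian-tor) may open new TCP connections to anywhere, on
            # any interface; anything else it sends falls through to the
            # LOG/REJECT below.
            mod owner uid-owner debian-tor {
                proto tcp syn mod state state (NEW) ACCEPT;
            }

            # i2p is allowed to do anything it wants to on the internet.
            outerface ! lo mod owner uid-owner i2psvc {
                @if $use_i2p proto (tcp udp) ACCEPT;
            }

            # Everything else is logged and rejected with an ICMP port
            # unreachable (rather than silently dropped), so local programs
            # get an immediate error instead of a timeout. log-uid records the
            # sending UID, which is what makes these entries useful for
            # spotting a misconfigured or leaking application.
            # NOTE(review): the LOG rule is not rate-limited (no "mod limit"),
            # so a noisy local process can flood the log — consider adding one.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp-port-unreachable;
        }

        chain FORWARD {
            policy DROP;
        }
    }

    table nat {
        chain PREROUTING {
            policy ACCEPT;
        }

        chain POSTROUTING {
            policy ACCEPT;
        }

        chain OUTPUT {
            policy ACCEPT;

            # .onion mapped addresses redirection to Tor's TransPort. The nat
            # OUTPUT hook runs before filter OUTPUT, which white-lists 9040.
            daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040;

            # Redirect system DNS to Tor's DNSport
            daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353;
        }
    }
}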

# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;

            # White-list access to the accessibility daemon, loopback only.
            # (No owner match here: uid-owner is not available for incoming
            # packets, so the source/destination ::1 restriction does the work.)
            interface lo saddr ::1 daddr ::1 proto tcp {
                dport 4101 ACCEPT;
                sport 4101 mod state state (ESTABLISHED) ACCEPT;
            }

        }

        chain FORWARD {
            policy DROP;
        }

        chain OUTPUT {
            policy DROP;

            # White-list access to the accessibility daemon. Only the amnesia
            # user (by UID, see $amnesia_uid) may open the connection; the
            # daemon's replies are matched by the second rule. Nothing else is
            # allowed out over IPv6.
            outerface lo saddr ::1 daddr ::1 proto tcp {
                dport 4101 mod owner uid-owner $amnesia_uid ACCEPT;
                sport 4101 mod state state (ESTABLISHED) ACCEPT;
            }

            # Everything else is logged and rejected with an ICMPv6 port
            # unreachable (rather than silently dropped). Unlike the IPv4
            # chain there is no general ESTABLISHED rule here, so the per-port
            # rules above must cover replies themselves.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp6-port-unreachable;
        }
    }
}