authoranonym <anonym@riseup.net>2018-01-18 17:36:42 +0100
committeranonym <anonym@riseup.net>2018-01-26 12:08:01 +0100
commit1c588824279bc47f1abc36fb2b12a2a65633e0f4 (patch)
treee8d1b0b8a7ccb101ec89ef24ec54b7135a0a575b
parent4fc2cd479c8ca6b7b2bb6d61309455e863fb9a3d (diff)
Rearrange Tor's ferm rules vs the LAN rules.
We want to allow something in Tor's rule that is blocked in the LAN rules, so the Tor rule must be listed first.
-rw-r--r--config/chroot_local-includes/etc/ferm/ferm.conf12
1 files changed, 6 insertions, 6 deletions
diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index 79e4909..166dc6e 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -100,6 +100,12 @@ domain ip {
proto udp dport domain ACCEPT;
}
+ # Tor is allowed to do anything it wants to.
+ mod owner uid-owner debian-tor {
+ proto tcp syn mod state state (NEW) ACCEPT;
+ proto udp dport domain ACCEPT;
+ }
+
# Local network connections should not go through Tor but DNS shall be
# rejected. (Note that we exclude the VirtualAddrNetwork used for
# .onion:s here.)
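Review bot: Placing the `mod owner uid-owner debian-tor` block ahead of the LAN rules means the DNS reject described in the LAN comment no longer applies to packets owned by debian-tor: Tor-owned `udp dport domain` and new TCP connections to local-network addresses are now accepted before the LAN rules are consulted. That appears to be the intent of the commit (presumably DNS to a LAN resolver was what the LAN rules blocked), but neither comment records the ordering dependency, so a later tidy-up of this chain could silently restore the block. I would state it in the moved comment, e.g. `# Tor is allowed to do anything it wants to. Keep this above the LAN rules below, which would otherwise reject some of Tor's traffic (e.g. DNS to the LAN).`, and add a matching "except for Tor, see above" remark to the LAN comment. The enclosing `domain ip {` chain begins and ends outside the hunk, so whether any earlier rule still constrains debian-tor cannot be checked here.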
@@ -111,12 +117,6 @@ domain ip {
ACCEPT;
}
- # Tor is allowed to do anything it wants to.
- mod owner uid-owner debian-tor {
- proto tcp syn mod state state (NEW) ACCEPT;
- proto udp dport domain ACCEPT;
- }
-
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
REJECT reject-with icmp-port-unreachable;