# -*- mode: conf[space] -*- # # Configuration file for ferm(1). # # When ferm starts initially during early boot, the "amnesia" user does not # exist yet, so we have to use its UID (#7018). def $amnesia_uid = 1000; # IPv4 domain ip { table filter { chain INPUT { policy DROP; # Established incoming connections are accepted. mod state state (ESTABLISHED) ACCEPT; # Traffic on the loopback interface is accepted. interface lo ACCEPT; } chain OUTPUT { policy DROP; # Established outgoing connections are accepted. mod state state (ESTABLISHED) ACCEPT; # White-list access to local resources outerface lo { # Related outgoing ICMP packets are accepted. mod state state (RELATED) proto icmp ACCEPT; # White-list access to Tor's SOCKSPort's daddr 127.0.0.1 proto tcp syn dport 9050 { mod owner uid-owner _apt ACCEPT; mod owner uid-owner proxy ACCEPT; mod owner uid-owner nobody ACCEPT; } daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9061 9062 9150) { mod owner uid-owner $amnesia_uid ACCEPT; } daddr 127.0.0.1 proto tcp syn dport 9062 { mod owner uid-owner htp ACCEPT; mod owner uid-owner tails-iuk-get-target-file ACCEPT; mod owner uid-owner tails-upgrade-frontend ACCEPT; } # White-list access to Tor's ControlPort daddr 127.0.0.1 proto tcp dport 9052 { # Needed for running the Tor control port filter mod owner uid-owner root ACCEPT; } # White-list access to the Tor control port filter daddr 127.0.0.1 proto tcp dport 9051 { mod owner uid-owner $amnesia_uid ACCEPT; mod owner uid-owner tor-launcher ACCEPT; } # White-list access to Tor's TransPort daddr 127.0.0.1 proto tcp dport 9040 { mod owner uid-owner $amnesia_uid ACCEPT; } # White-list access to system DNS and Tor's DNSPort daddr 127.0.0.1 proto udp dport (53 5353) { mod owner uid-owner $amnesia_uid ACCEPT; mod owner uid-owner _apt DROP; } # White-list access to the accessibility daemon daddr 127.0.0.1 proto tcp syn dport 4101 { mod owner uid-owner $amnesia_uid ACCEPT; mod owner uid-owner Debian-gdm ACCEPT; } # White-list access to CUPS daddr 127.0.0.1 proto tcp syn dport 631 { mod owner uid-owner $amnesia_uid ACCEPT; } # White-list access to Monkeysphere daddr 127.0.0.1 proto tcp syn dport 6136 { mod owner uid-owner $amnesia_uid ACCEPT; } # White-list access to OnionShare daddr 127.0.0.1 proto tcp syn dport 17600:17650 { mod owner uid-owner $amnesia_uid ACCEPT; } } # clearnet is allowed to connect to any TCP port via the # external interfaces (but lo is blocked so it cannot interfere # with Tor etc) including DNS on the LAN. UDP DNS queries are # also allowed. outerface ! lo mod owner uid-owner clearnet { proto tcp ACCEPT; proto udp dport domain ACCEPT; } # Local network connections should not go through Tor but DNS shall be # rejected. (Note that we exclude the VirtualAddrNetwork used for # .onion:s here.) daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" { proto tcp dport domain REJECT; proto udp dport domain REJECT; proto tcp dport netbios-ns REJECT; proto udp dport netbios-ns REJECT; ACCEPT; } # Tor is allowed to do anything it wants to. mod owner uid-owner debian-tor { proto tcp syn mod state state (NEW) ACCEPT; } # Everything else is logged and dropped. LOG log-prefix "Dropped outbound packet: " log-level debug log-uid; REJECT reject-with icmp-port-unreachable; } chain FORWARD { policy DROP; } } table nat { chain PREROUTING { policy ACCEPT; } chain POSTROUTING { policy ACCEPT; } chain OUTPUT { policy ACCEPT; # .onion mapped addresses redirection to Tor. daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040; # Redirect system DNS to Tor's DNSport daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353; } } } # IPv6: domain ip6 { table filter { chain INPUT { policy DROP; # White-list access to the accessibility daemon interface lo saddr ::1 daddr ::1 proto tcp { dport 4101 ACCEPT; sport 4101 mod state state (ESTABLISHED) ACCEPT; } } chain FORWARD { policy DROP; } chain OUTPUT { policy DROP; # White-list access to the accessibility daemon outerface lo saddr ::1 daddr ::1 proto tcp { dport 4101 mod owner uid-owner $amnesia_uid ACCEPT; dport 4101 mod owner uid-owner Debian-gdm ACCEPT; sport 4101 mod state state (ESTABLISHED) ACCEPT; } # Everything else is logged and dropped. LOG log-prefix "Dropped outbound packet: " log-level debug log-uid; REJECT reject-with icmp6-port-unreachable; } } }