| blob | 113ad840c99a0deb4e1ec79e48f16c4b51f368c3 |
1 # -*- mode: conf[space] -*-
2 #
3 # Configuration file for ferm(1).
4 #
6 # I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
7 # only be enabled if the string "i2p" is entered at the boot prompt.
8 # Deny or reject rules affecting "i2psvc" will always be set.
9 def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;
11 # IPv4
12 domain ip {
13 table filter {
14 chain INPUT {
15 policy DROP;
17 # Established incoming connections are accepted.
18 mod state state (RELATED ESTABLISHED) ACCEPT;
20 # Traffic on the loopback interface is accepted.
21 interface lo ACCEPT;
22 }
24 chain OUTPUT {
25 policy DROP;
27 # Established outgoing connections are accepted.
28 mod state state (RELATED ESTABLISHED) ACCEPT;
30 # White-list access to local resources
31 outerface lo {
32 # White-list access to Tor's SOCKSPort's
33 daddr 127.0.0.1 proto tcp syn dport 9050 {
34 mod owner uid-owner root ACCEPT;
35 mod owner uid-owner proxy ACCEPT;
36 mod owner uid-owner nobody ACCEPT;
37 }
38 daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9061 9062 9151) {
39 mod owner uid-owner amnesia ACCEPT;
40 }
41 daddr 127.0.0.1 proto tcp syn dport 9062 {
42 mod owner uid-owner htp ACCEPT;
43 mod owner uid-owner tails-iuk-get-target-file ACCEPT;
44 mod owner uid-owner tails-upgrade-frontend ACCEPT;
45 }
47 # White-list access to Tor's ControlPort
48 daddr 127.0.0.1 proto tcp dport 9051 {
49 mod owner uid-owner tor-launcher ACCEPT;
50 # Needed by a workaround in tordate (NM's 20-time.sh hook)
51 # for temporarily changing Tor's logging severity.
52 mod owner uid-owner root ACCEPT;
53 }
55 # White-list access to the Tor control port filter
56 daddr 127.0.0.1 proto tcp dport 9052 {
57 mod owner uid-owner amnesia ACCEPT;
58 }
60 # White-list access to Tor's TransPort
61 daddr 127.0.0.1 proto tcp dport 9040 {
62 mod owner uid-owner amnesia ACCEPT;
63 }
65 # White-list access to system DNS and Tor's DNSPort
66 daddr 127.0.0.1 proto udp dport (53 5353) {
67 mod owner uid-owner amnesia ACCEPT;
68 }
70 # Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
71 daddr 127.0.0.1 proto udp dport 5353 {
72 @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
73 }
75 # White-list access to ttdnsd
76 daddr 127.0.0.2 proto udp dport 53 {
77 mod owner uid-owner amnesia ACCEPT;
78 }
79 daddr 127.0.0.2 proto tcp syn dport 53 {
80 mod owner uid-owner amnesia ACCEPT;
81 }
83 # White-list access to polipo
84 daddr 127.0.0.1 proto tcp syn dport 8118 {
85 mod owner uid-owner root ACCEPT;
86 mod owner uid-owner amnesia ACCEPT;
87 }
89 # White-list access to I2P services for both the amnesia user (client) and i2psvc (server)
90 # For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
91 daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 4445 6668 7656 7657 7658 7659 7660 8998) {
92 @if $use_i2p mod owner uid-owner amnesia ACCEPT;
93 }
95 # Whitelist access to I2P services for the i2psvc user,
96 # otherwise mail and eepsite hosting won't work.
97 daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
98 @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
99 }
101 # White-list access to the java wrapper's (used by I2P) control ports
102 # (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
103 # If, for example, port 31000 is in use, it'll try the next one in sequence.
104 daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
105 @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
106 }
108 # White-list access to CUPS
109 daddr 127.0.0.1 proto tcp syn dport 631 {
110 mod owner uid-owner amnesia ACCEPT;
111 }
113 # White-list access to Monkeysphere
114 daddr 127.0.0.1 proto tcp syn dport 6136 {
115 mod owner uid-owner amnesia ACCEPT;
116 }
117 }
119 # clearnet is allowed to connect to any TCP port via the
120 # external interfaces (but lo is blocked so it cannot interfere
121 # with Tor etc) including DNS on the LAN. UDP DNS queries are
122 # also allowed.
123 outerface ! lo mod owner uid-owner clearnet {
124 proto tcp ACCEPT;
125 proto udp dport domain ACCEPT;
126 }
128 # Local network connections should not go through Tor but DNS shall be
129 # rejected. I2P is explicitly blocked from communicating with the LAN.
130 # (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
131 daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
132 proto tcp dport domain REJECT;
133 proto udp dport domain REJECT;
134 mod owner uid-owner i2psvc REJECT;
135 ACCEPT;
136 }
138 # Tor is allowed to do anything it wants to.
139 mod owner uid-owner debian-tor ACCEPT;
141 # i2p is allowed to do anything it wants to on the internet.
142 outerface ! lo mod owner uid-owner i2psvc {
143 @if $use_i2p proto (tcp udp) ACCEPT;
144 }
146 # Everything else is logged and dropped.
147 LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
148 REJECT reject-with icmp-port-unreachable;
149 }
151 chain FORWARD {
152 policy DROP;
153 }
154 }
156 table nat {
157 chain PREROUTING {
158 policy ACCEPT;
159 }
161 chain POSTROUTING {
162 policy ACCEPT;
163 }
165 chain OUTPUT {
166 policy ACCEPT;
168 # .onion mapped addresses redirection to Tor.
169 daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040;
171 # Redirect system DNS to Tor's DNSport
172 daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353;
173 }
174 }
175 }
177 # IPv6:
178 domain ip6 {
179 table filter {
180 chain INPUT {
181 policy DROP;
183 # Established connections are accepted.
184 mod state state (RELATED ESTABLISHED) ACCEPT;
185 }
187 chain FORWARD {
188 policy DROP;
189 }
191 chain OUTPUT {
192 policy DROP;
194 # Established connections are accepted.
195 mod state state (RELATED ESTABLISHED) ACCEPT;
197 # Everything else is logged and dropped.
198 LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
199 REJECT reject-with icmp6-port-unreachable;
200 }
201 }
202 }