| blob | 6a433131354c3a96f680b4a130e0379cb1987775 |
1 # -*- mode: conf[space] -*-
2 #
3 # Configuration file for ferm(1).
4 #
6 # I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
7 # only be enabled if the string "i2p" is entered at the boot prompt.
8 # Deny or reject rules affecting "i2psvc" will always be set.
9 def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;
11 # IPv4
12 domain ip {
13 table filter {
14 chain INPUT {
15 policy DROP;
17 # Established incoming connections are accepted.
18 mod state state (RELATED ESTABLISHED) ACCEPT;
20 # Traffic on the loopback interface is accepted.
21 interface lo ACCEPT;
22 }
24 chain OUTPUT {
25 policy DROP;
27 # Established outgoing connections are accepted.
28 mod state state (RELATED ESTABLISHED) ACCEPT;
30 # White-list access to local resources
31 outerface lo {
32 # White-list access to Tor's SOCKSPort's
33 daddr 127.0.0.1 proto tcp syn dport 9050 {
34 mod owner uid-owner root ACCEPT;
35 mod owner uid-owner proxy ACCEPT;
36 mod owner uid-owner nobody ACCEPT;
37 }
38 daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9061 9062 9150) {
39 mod owner uid-owner amnesia ACCEPT;
40 }
41 daddr 127.0.0.1 proto tcp syn dport 9062 {
42 mod owner uid-owner htp ACCEPT;
43 mod owner uid-owner tails-iuk-get-target-file ACCEPT;
44 mod owner uid-owner tails-upgrade-frontend ACCEPT;
45 }
47 # White-list access to Tor's ControlPort
48 daddr 127.0.0.1 proto tcp dport 9051 {
49 mod owner uid-owner tor-launcher ACCEPT;
50 # Needed by a workaround in tordate (NM's 20-time.sh hook)
51 # for temporarily changing Tor's logging severity.
52 mod owner uid-owner root ACCEPT;
53 }
55 # White-list access to the Tor control port filter
56 daddr 127.0.0.1 proto tcp dport 9052 {
57 mod owner uid-owner amnesia ACCEPT;
58 }
60 # White-list access to Tor's TransPort
61 daddr 127.0.0.1 proto tcp dport 9040 {
62 mod owner uid-owner amnesia ACCEPT;
63 }
65 # White-list access to system DNS and Tor's DNSPort
66 daddr 127.0.0.1 proto udp dport (53 5353) {
67 mod owner uid-owner amnesia ACCEPT;
68 }
70 # Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
71 daddr 127.0.0.1 proto udp dport 5353 {
72 @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
73 }
75 # White-list access to ttdnsd
76 daddr 127.0.0.2 proto udp dport 53 {
77 mod owner uid-owner amnesia ACCEPT;
78 }
79 daddr 127.0.0.2 proto tcp syn dport 53 {
80 mod owner uid-owner amnesia ACCEPT;
81 }
83 # White-list access to polipo
84 daddr 127.0.0.1 proto tcp syn dport 8118 {
85 mod owner uid-owner root ACCEPT;
86 mod owner uid-owner amnesia ACCEPT;
87 }
89 # White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
90 # For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
91 daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {
92 @if $use_i2p mod owner uid-owner amnesia ACCEPT;
93 }
95 # Whitelist access to I2P services for the i2psvc user,
96 # otherwise mail and eepsite hosting won't work. The mail ports (7659 and 7660) are
97 # accessed by the webmail app
98 daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
99 @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
100 }
102 # Whitelist access to the i2pbrowser user
103 daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 7657 7658) {
104 @if $use_i2p mod owner uid-owner i2pbrowser ACCEPT;
105 }
107 # White-list access to the java wrapper's (used by I2P) control ports
108 # (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
109 # If, for example, port 31000 is in use, it'll try the next one in sequence.
110 daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
111 @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
112 }
114 # White-list access to CUPS
115 daddr 127.0.0.1 proto tcp syn dport 631 {
116 mod owner uid-owner amnesia ACCEPT;
117 }
119 # White-list access to Monkeysphere
120 daddr 127.0.0.1 proto tcp syn dport 6136 {
121 mod owner uid-owner amnesia ACCEPT;
122 }
123 }
125 # clearnet is allowed to connect to any TCP port via the
126 # external interfaces (but lo is blocked so it cannot interfere
127 # with Tor etc) including DNS on the LAN. UDP DNS queries are
128 # also allowed.
129 outerface ! lo mod owner uid-owner clearnet {
130 proto tcp ACCEPT;
131 proto udp dport domain ACCEPT;
132 }
134 # Local network connections should not go through Tor but DNS shall be
135 # rejected. I2P is explicitly blocked from communicating with the LAN.
136 # (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
137 daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
138 proto tcp dport domain REJECT;
139 proto udp dport domain REJECT;
140 mod owner uid-owner i2psvc REJECT;
141 ACCEPT;
142 }
144 # Tor is allowed to do anything it wants to.
145 mod owner uid-owner debian-tor ACCEPT;
147 # i2p is allowed to do anything it wants to on the internet.
148 outerface ! lo mod owner uid-owner i2psvc {
149 @if $use_i2p proto (tcp udp) ACCEPT;
150 }
152 # Everything else is logged and dropped.
153 LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
154 REJECT reject-with icmp-port-unreachable;
155 }
157 chain FORWARD {
158 policy DROP;
159 }
160 }
162 table nat {
163 chain PREROUTING {
164 policy ACCEPT;
165 }
167 chain POSTROUTING {
168 policy ACCEPT;
169 }
171 chain OUTPUT {
172 policy ACCEPT;
174 # .onion mapped addresses redirection to Tor.
175 daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040;
177 # Redirect system DNS to Tor's DNSport
178 daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353;
179 }
180 }
181 }
183 # IPv6:
184 domain ip6 {
185 table filter {
186 chain INPUT {
187 policy DROP;
188 }
190 chain FORWARD {
191 policy DROP;
192 }
194 chain OUTPUT {
195 policy DROP;
196 # Everything else is logged and dropped.
197 LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
198 REJECT reject-with icmp6-port-unreachable;
199 }
200 }
201 }