Bug #11391
Reduce attack surface with firewall hardening
Start date: 2016-04-29
Due date:
% Done: 100%
Description
Following up on “[Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls”:
- Disable netfilter’s nf_conntrack_helper
- don’t accept RELATED packets
- Enable Packetization Layer Path MTU Discovery for IPv4 (needed once we drop RELATED packets, and may fix unrelated problems)
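An added example, not part of the ticket or of Tails' own code: a POSIX shell check that audits an `iptables-save` dump and `sysctl` output for the three items listed above. The rule and sysctl samples are constructed, and expressing the settings as the sysctl keys `net.netfilter.nf_conntrack_helper` and `net.ipv4.tcp_mtu_probing` is an assumption; the ticket does not say how the branch sets them.

```shell
#!/bin/sh
# Added example: audit firewall rules and sysctls for the ticket's three items.

# Constructed iptables-save excerpts (not Tails' actual ruleset).
SAMPLE_RULES_WEAK='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'
SAMPLE_RULES_HARD='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed `sysctl -a` style excerpts; the key names are an assumption
# about how the settings are expressed, the ticket does not name them.
SAMPLE_SYSCTL_WEAK='net.netfilter.nf_conntrack_helper = 1
net.ipv4.tcp_mtu_probing = 0'
SAMPLE_SYSCTL_HARD='net.netfilter.nf_conntrack_helper = 0
net.ipv4.tcp_mtu_probing = 1'

# Print the value of key $2 from sysctl dump $1 (empty if the key is absent).
sysctl_value() {
    printf '%s\n' "$1" | awk -F' *= *' -v key="$2" '$1 == key { print $2 }'
}

# Print one finding per line; no output means all three checks pass.
audit_firewall_hardening() {
    rules=$1
    sysctls=$2
    # 1. ACCEPT rules that still match RELATED (conntrack or legacy state match).
    printf '%s\n' "$rules" | awk '
        /(--ctstate|--state) [A-Z,]*RELATED/ && /-j ACCEPT/ {
            print "accepts RELATED: " $0
        }'
    # 2. Automatic conntrack helper assignment must be off (an absent key is
    #    reported too, so it gets checked by hand).
    [ "$(sysctl_value "$sysctls" net.netfilter.nf_conntrack_helper)" = 0 ] ||
        echo "nf_conntrack_helper is not 0"
    # 3. PLPMTUD: 1 probes after a black hole is detected, 2 always probes.
    case "$(sysctl_value "$sysctls" net.ipv4.tcp_mtu_probing)" in
        1|2) ;;
        *) echo "tcp_mtu_probing is not 1 or 2" ;;
    esac
}

# Live use: audit_firewall_hardening "$(iptables-save)" "$(sysctl -a 2>/dev/null)"
audit_firewall_hardening "$SAMPLE_RULES_WEAK" "$SAMPLE_SYSCTL_WEAK"
```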
History
#1 Updated by intrigeri 2016-04-29 11:57:26
- Feature Branch set to feature/11391-firewall-hardening
#2 Updated by intrigeri 2016-04-30 06:27:24
- % Done changed from 10 to 40
I did a full test suite run (+ some retries to cope with the usual robustness issues) and everything now passes. Next (and hopefully last) step is to check if the design doc needs an update; there was some useful input in the thread on tails-dev@, that might be worth capturing.
#3 Updated by intrigeri 2016-05-03 09:33:39
- Assignee changed from intrigeri to anonym
- % Done changed from 40 to 50
- QA Check set to Ready for QA
Design doc drafted, please review and merge :)
#4 Updated by anonym 2016-05-09 03:22:26
- Status changed from In Progress to Fix committed
- Assignee deleted (anonym)
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
#5 Updated by anonym 2016-06-08 01:26:33
- Status changed from Fix committed to Resolved