Feature #5293
Block dangerous LAN traffic
0%
Description
It’s still not clear exactly what we want to do with LAN traffic in general (XXX: this should really have a ticket), but on the short run, at least a minimal blacklist of known-bad traffic should be blocked:
- It was reported that NAT-PMP can be used to discover the LAN’s external IP-address on the Internet.
Team: DrWhax, ? (team mate)
Subtasks
Related issues
Related to Tails - Feature #5340: Analyze "vpwns" FOCI12 paper | Confirmed | ||
Blocked by Tails - |
Resolved | 2014-11-05 | |
Blocked by Tails - Feature #15167: Decide what to do with LAN traffic | Confirmed | 2018-01-15 |
History
#1 Updated by intrigeri 2013-07-19 09:58:23
- Starter set to Yes
#2 Updated by alant 2014-01-15 12:58:27
We have been written that “the technical team should take a look at peerblock.com and evaluate incorporating lists from iblocklist.com this would address both dangerous LAN and WAN traffic.”
#3 Updated by BitingBird 2014-06-09 10:43:26
- Subject changed from block dangerous LAN traffic to Block dangerous LAN traffic
#4 Updated by Dr_Whax 2014-07-10 15:48:40
Perhaps we want to have an option in the tails-greeter to boot Tails with it being disabled and a way to temporarily enable it for 5 minutes to print a document. This means that a program would have to be created for this.
However, it’s hard to say in what kind of RFC1918 range you will be on for the local network. E.g, how can you know in advance whether its a 192.168 or 10.10 range? On the mailing list[1] it’s mentioned to parse the DHCP lease to only allow traffic to the local /24 (or more, depending on the lease?).
[1] https://mailman.boum.org/pipermail/tails-dev/2012-August/001490.html
#5 Updated by intrigeri 2014-07-21 16:21:41
> Perhaps we want to have an option in the tails-greeter to boot Tails with it being disabled and a way to temporarily enable it for 5 minutes to print a document. This means that a program would have to be created for this.
To be honest, I’m not too eager to discuss solutions before we’ve finished identifying the exact problems we’re affected by (Feature #5340):
- within our threat model;
- that actually would be solved if we blocked LAN traffic.
#6 Updated by intrigeri 2015-01-10 09:20:29
As a first baby step, we could block all LAN traffic except:
- SSH
- downloading from / uploading to a FTP server
- printing a document on a network printer
- Gobby
- going through whatever steps a captive portal asks me to; this generally involves DNS and HTTP, and potentially random ports => should be open only for the browser that’s allowed to talk to the Lan
- web browsing (using something else than the Tor Browser:
Feature #7976)
#7 Updated by intrigeri 2015-01-10 09:20:51
- blocked by
Feature #7976: Disable LAN access in Tor Browser added
#8 Updated by sajolida 2015-08-14 12:10:31
- Description updated
- Assignee set to Dr_Whax
#9 Updated by sajolida 2015-09-10 11:59:47
- Target version changed from Hardening_M1 to 2016
#10 Updated by Dr_Whax 2016-08-20 12:49:21
- Assignee deleted (
Dr_Whax) - Priority changed from Normal to Elevated
- Target version deleted (
2016)
#11 Updated by intrigeri 2016-12-05 15:05:55
- Starter changed from Yes to No
#12 Updated by anonym 2017-04-20 11:26:18
little-snitch is being re-implemented for linux: https://github.com/evilsocket/opensnitch
#13 Updated by Anonymous 2018-01-15 13:25:39
- blocked by Feature #15167: Decide what to do with LAN traffic added