Feature #6333

firewall exceptions for user-run local services

Added by anonym 2013-10-04 05:44:40 . Updated 2013-11-06 13:28:31 .

Status:
Confirmed
Priority:
Low
Assignee:
Category:
Target version:
Start date:
2013-10-04
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:

Starter:
0
Affected tool:
Deliverable for:

Description

A user on tails-support@ wondered why setting up a standard SSH forwarding proxy fails in Tails. Of course, this is our restrictive local services white-list at play. To make new local services accessible we could add a firewall exception so that all users (or only amnesia and root?) can access lo on a “safe” TCP port range that we know no default Tails application will listen on, perhaps 10000-10999, and document this in the “Advanced topics” section.

One could also go a script/wrapper based approach that dynamically adds/removes exceptions upon user request (perhaps requiring an administrator password + sudo if we feel that’s safer), but that has several disadvantages (bot no string advantages?) which makes it look pretty unattractive:

  • added complexity
  • ferm removing the exception on network up unless we manipulate ferm.conf (more complexity)
  • sanitizing input since we deal with very sensitive parts of Tails’ configuration (no big deal, probably)
  • wrappers that remove the exception on exit don’t work well with forking/backgrounding processes
  • requires using the terminal

Important questions to answer:

  1. Should the exception only be made for the amnesia user and root, or all users? One could imagine a user installing some local service via APT that adds a new user running the service. (This would be up to the user with dynamic wrapper/script approaches)
  2. Are TCP ports enough or are there reasonable use cases involving UDP?
  3. What’s a “safe” port range? (Once decided and implemented, we should check that it’s unused by default in the automated test suite.)
  4. Do we want a dynamic script/wrapper-based solution, despite its disadvantages, or is a static, always-on solution safe enough?

Subtasks


Related issues

Related to Tails - Feature #15167: Decide what to do with LAN traffic Confirmed 2018-01-15
Related to Tails - Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services Confirmed 2016-04-03

History

#1 Updated by intrigeri 2013-11-06 13:28:31

  • Status changed from New to Confirmed
  • Priority changed from Normal to Low
  • Type of work changed from Discuss to Research

Good research + patches are welcome (as per November 2013 dev meeting).

#2 Updated by Anonymous 2018-08-19 08:29:42

#3 Updated by Anonymous 2018-08-19 08:30:12

  • related to Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services added