Feature #5293

Block dangerous LAN traffic

Added by Tails about 6 years ago. Updated about 2 years ago.

Status:
Confirmed
Priority:
Elevated
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:
0%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
No
Affected tool:

Description

It's still not clear exactly what we want to do with LAN traffic in general (XXX: this should really have a ticket), but in the short run, at least a minimal blacklist of known-bad traffic should be blocked:

  • It was reported that NAT-PMP can be used to discover the LAN's external IP address on the Internet.

Team: DrWhax, ? (team mate)

Related issues

Related to Tails - Feature #5340: Analyze "vpwns" FOCI12 paper Confirmed
Blocked by Tails - Feature #7976: Disable LAN access in Tor Browser Resolved 11/05/2014
Blocked by Tails - Feature #15167: Decide what to do with LAN traffic Confirmed 01/15/2018

History

#1 Updated by intrigeri about 6 years ago

  • Starter set to Yes

#2 Updated by alant over 5 years ago

Someone wrote to us that "the technical team should take a look at peerblock.com and evaluate incorporating lists from iblocklist.com this would address both dangerous LAN and WAN traffic."

#3 Updated by BitingBird about 5 years ago

  • Subject changed from block dangerous LAN traffic to Block dangerous LAN traffic

#4 Updated by Dr_Whax about 5 years ago

Perhaps we want to have an option in the tails-greeter to boot Tails with it being disabled and a way to temporarily enable it for 5 minutes to print a document. This means that a program would have to be created for this.

However, it's hard to say in what kind of RFC1918 range you will be on for the local network. E.g., how can you know in advance whether it's a 192.168 or 10.10 range? On the mailing list [1] it's mentioned to parse the DHCP lease to only allow traffic to the local /24 (or more, depending on the lease?).

[1] https://mailman.boum.org/pipermail/tails-dev/2012-August/001490.html

#5 Updated by intrigeri almost 5 years ago

> Perhaps we want to have an option in the tails-greeter to boot Tails with it being disabled and a way to temporarily enable it for 5 minutes to print a document. This means that a program would have to be created for this.

To be honest, I'm not too eager to discuss solutions before we've finished identifying the exact problems we're affected by (#5340):

  • within our threat model;
  • that actually would be solved if we blocked LAN traffic.

#6 Updated by intrigeri over 4 years ago

As a first baby step, we could block all LAN traffic except:

  • SSH
  • downloading from / uploading to a FTP server
  • printing a document on a network printer
  • Gobby
  • going through whatever steps a captive portal asks me to; this generally involves DNS and HTTP, and potentially random ports => should be open only for the browser that's allowed to talk to the LAN
  • web browsing (using something else than the Tor Browser: #7976)
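The two ideas in this thread, reading the DHCP lease to learn which RFC 1918 subnet the machine is actually on (comment #4) and then allowing only a short list of LAN services while dropping everything else (comment #6), can be put together in a few dozen lines. The following is an added example written for this ticket; it is not Tails code and not something the commenters posted. It assumes a dhclient-style lease file, the IANA default ports for SSH, FTP and IPP printing plus Gobby's default port 6523, and it only renders iptables OUTPUT rules as strings for inspection; nothing is applied. The lease text is constructed.

```python
"""Derive a LAN firewall policy from a DHCP lease (added example, not Tails code)."""
import ipaddress
import re

# RFC 1918 private address space; anything here that is not our own subnet
# is treated as "some other LAN" and dropped.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The exceptions listed in comment #6, as (protocol, port) pairs.
# Ports are assumed defaults (IANA for ssh/ftp/ipp, Gobby's upstream default 6523).
LAN_ALLOW = {
    "ssh": ("tcp", 22),
    "ftp": ("tcp", 21),
    "ipp-printing": ("tcp", 631),
    "gobby": ("tcp", 6523),
}

# Constructed dhclient.leases excerpt for the example; not a real lease.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.42;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
}
"""


def parse_lease(text):
    """Return the local IPv4 network described by a dhclient-style lease.

    Only fixed-address and subnet-mask are needed.  A lease missing either
    raises ValueError: the point of comment #4 is not to guess a /24.
    """
    addr = re.search(r"fixed-address\s+([\d.]+);", text)
    mask = re.search(r"option subnet-mask\s+([\d.]+);", text)
    if not addr or not mask:
        raise ValueError("lease lacks fixed-address or subnet-mask")
    return ipaddress.ip_network(f"{addr.group(1)}/{mask.group(1)}", strict=False)


def blocked_ranges(local_net):
    """RFC 1918 space minus the local subnet, as a sorted list of networks."""
    out = []
    for rng in PRIVATE_RANGES:
        if local_net.subnet_of(rng):
            out.extend(rng.address_exclude(local_net))
        else:
            out.append(rng)
    return sorted(out)


def build_rules(lease_text, allow=LAN_ALLOW):
    """Render the policy as iptables OUTPUT rules (strings only, nothing is applied)."""
    local_net = parse_lease(lease_text)
    rules = [
        f'-A OUTPUT -d {local_net} -p {proto} --dport {port} '
        f'-m comment --comment "{name}" -j ACCEPT'
        for name, (proto, port) in allow.items()
    ]
    # Whatever else targets our own subnet (the router's NAT-PMP port included)...
    rules.append(f"-A OUTPUT -d {local_net} -j DROP")
    # ...and every other private range, is dropped.
    rules += [f"-A OUTPUT -d {rng} -j DROP" for rng in blocked_ranges(local_net)]
    return rules


def evaluate(local_net, dst, proto, port, allow=LAN_ALLOW):
    """Decide one outgoing flow under the same policy.

    Returns "ACCEPT", "DROP", or "PASS" (PASS = not LAN traffic at all, so
    it is left to the rest of the firewall, e.g. the Tor-only rules).
    """
    dst = ipaddress.ip_address(dst)
    if dst in local_net:
        return "ACCEPT" if (proto, port) in allow.values() else "DROP"
    if any(dst in rng for rng in PRIVATE_RANGES):
        return "DROP"
    return "PASS"


if __name__ == "__main__":
    net = parse_lease(SAMPLE_LEASE)
    print("local subnet:", net)
    for rule in build_rules(SAMPLE_LEASE):
        print(rule)
    # NAT-PMP from the description: UDP 5351 to the router, which sits in our subnet.
    print("NAT-PMP to router:", evaluate(net, "192.168.1.1", "udp", 5351))
```

Reading the subnet from the lease answers the "192.168 or 10.10?" question without guessing, and a lease with no subnet mask fails closed instead of assuming a /24. The captive-portal case from comment #6 is deliberately left out: it would be a per-user match (`-m owner --uid-owner` on the user running the LAN-enabled browser) rather than a subnet rule, and only the OUTPUT direction is covered here.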

#7 Updated by intrigeri over 4 years ago

  • Blocked by Feature #7976: Disable LAN access in Tor Browser added

#8 Updated by sajolida almost 4 years ago

  • Description updated (diff)
  • Assignee set to Dr_Whax

#9 Updated by sajolida almost 4 years ago

  • Target version changed from Hardening_M1 to 2016

#10 Updated by Dr_Whax almost 3 years ago

  • Assignee deleted (Dr_Whax)
  • Priority changed from Normal to Elevated
  • Target version deleted (2016)

#11 Updated by intrigeri over 2 years ago

  • Starter changed from Yes to No

#12 Updated by anonym about 2 years ago

Little Snitch is being re-implemented for Linux: https://github.com/evilsocket/opensnitch

#13 Updated by u over 1 year ago