freedomofpress / securedrop-docs

Documentation for the SecureDrop project
https://docs.securedrop.org/

restrict Tor allow-rules to WAN-outbound traffic only #520

Open torinthiel opened 10 months ago

torinthiel commented 10 months ago

Expected behavior

Firewall rules are not redundant and as tight as possible.

Actual behavior

The rules for the OPNsense firewall, App server network (interface OPT1), first block all traffic from the OPT1 interface to the LAN and OPT2 interfaces (rules 3 and 4 respectively), and later allow TCP traffic from OPT1 to all destinations (rule 5). Given that at this point the only remaining interface is WAN, and that OPNsense defaults to block unmatched traffic, wouldn't it be easier to drop rules 3 & 4 and tighten down rule 5 to only allow traffic to the WAN interface? This would also help with future-proofing in case of firewalls with more interfaces.

Additional information

There's a similar issue with OPT2 firewall rules.
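To make the comparison concrete, here is an added example (not code from the securedrop-docs repository or its OPNsense configuration): a small Python model of first-match, default-deny rule evaluation run over the two rule sets described in the issue. Rule numbers and interface names follow the issue text; OPT3 is an assumed extra interface, included only to show where the two rule sets diverge.

```python
# Minimal first-match model of the OPNsense semantics the issue relies on: rules
# are checked top-down, first match wins, unmatched traffic is dropped. OPT3 is a
# hypothetical extra interface (assumption) used to show the future-proofing point.
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "pass" or "block"
    src_if: str        # interface the packet arrives on
    dst_if: str        # interface the destination lives behind, or ANY
    proto: str = ANY   # "tcp", "udp", or ANY

def evaluate(rules, src_if, dst_if, proto, default="block"):
    """Return the action taken for a flow under first-match semantics."""
    for r in rules:
        if r.src_if != src_if:
            continue
        if r.dst_if not in (ANY, dst_if):
            continue
        if r.proto not in (ANY, proto):
            continue
        return r.action
    return default   # default policy: drop anything no rule matched

# Rules as described in the issue for the App server network (OPT1).
CURRENT_RULES = [
    Rule(3, "block", "OPT1", "LAN"),
    Rule(4, "block", "OPT1", "OPT2"),
    Rule(5, "pass",  "OPT1", ANY, "tcp"),
]
# The proposed tightening: allow only WAN-bound TCP and rely on default deny.
PROPOSED_RULES = [
    Rule(5, "pass", "OPT1", "WAN", "tcp"),
]

def compare(interfaces=("LAN", "OPT2", "WAN", "OPT3")):
    """Map each destination interface to (current, proposed) decisions for TCP from OPT1."""
    return {
        dst: (evaluate(CURRENT_RULES, "OPT1", dst, "tcp"),
              evaluate(PROPOSED_RULES, "OPT1", dst, "tcp"))
        for dst in interfaces
    }

if __name__ == "__main__":
    for dst, (cur, new) in compare().items():
        print(f"OPT1 -> {dst:<4} tcp: current={cur:<5} proposed={new}")
```

On the three interfaces the issue mentions both rule sets decide identically; the difference only appears for the assumed OPT3 interface, which the current rule 5 would pass and the tightened rule would drop.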

cfm commented 8 months ago

In general, I think we've tried to make the firewall rules as explicit as they can be, so that it's possible to reason about their interactions at the interface level, without needing to recall the firewall's default behavior (or trust that it hasn't been changed).

However, I think you're right that we can further tighten the allow-rules for Tor to WAN-outbound traffic. I've retitled this ticket for this goal. Please let me know if I'm not fully responding to your suggestion here!