From 853c2eb37786b1f625d5b54a54cf16fc09e1b367 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 11 Jul 2019 15:26:14 +0000 Subject: [PATCH 1/3] Update control --- debian/control | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/debian/control b/debian/control index 5b7c8ee..3e0b115 100644 --- a/debian/control +++ b/debian/control @@ -100,6 +100,44 @@ Description: enhances misc security settings Uncommon network protocols are blacklisted as they are rarely used and may have unknown vulnerabilities. . + The network protocols that are blacklisted are + . + * DCCP - Datagram Congestion Control Protocol + . + * SCTP - Stream Control Transmission Protocol + . + * RDS - Reliable Datagram Sockets + . + * TIPC - Transparent Inter-process Communication + . + * HDLC - High-Level Data Link Control + . + * AX25 - Amateur X.25 + . + * NetRom + . + * X25 + . + * ROSE + . + * DECnet + . + * Econet + . + * af_802154 - IEEE 802.15.4 + . + * IPX - Internetwork Packet Exchange + . + * AppleTalk + . + * PSNAP - Subnetwork Access Protocol + . + * p8023 - Novell raw IEEE 802.3 + . + * LLC - IEEE 802.2 + . + * p8022 - IEEE 802.2 + . The kernel logs are restricted to root only. . A systemd service clears System.map on boot as these contain kernel symbols From b63d4ccb41d6c4942faa8ec5e2b8de8cffacd03e Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 11 Jul 2019 15:28:56 +0000 Subject: [PATCH 2/3] Update uncommon-network-protocols.conf --- etc/modprobe.d/uncommon-network-protocols.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf index 6bbc37d..008e207 100644 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ b/etc/modprobe.d/uncommon-network-protocols.conf 
@@ -1,4 +1,11 @@ # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# +# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +# +# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +# +# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. +# install dccp /bin/true install sctp /bin/true install rds /bin/true From 1aee08fa5e46cbd9439c36df9bcbb7a513270e1b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 11 Jul 2019 15:30:09 +0000 Subject: [PATCH 3/3] Update control --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 3e0b115..71af9ba 100644 --- a/debian/control +++ b/debian/control @@ -97,7 +97,7 @@ Description: enhances misc security settings . All mitigations for the MDS vulnerability are enabled. . - Uncommon network protocols are blacklisted as they are rarely used and + Uncommon network protocols are blacklisted in /etc/modprobe.d/uncommon-network-protocols.conf as they are rarely used and may have unknown vulnerabilities. . The network protocols that are blacklisted are
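Review bot: the protocol list added to the package description (debian/control hunk at line 100) mixes kernel module names with protocol names and expands them inconsistently, so a reader cannot map the description onto the modprobe.d file it documents: `af_802154`, `p8023` and `p8022` are module names while `DCCP`, `SCTP` and `AppleTalk` are protocol names; `NetRom`, `X25`, `ROSE`, `DECnet` and `Econet` get no expansion at all; and `* LLC - IEEE 802.2` and `* p8022 - IEEE 802.2` carry the identical expansion, so nothing tells the reader what distinguishes the two. Suggest one format per entry, module name first followed by the protocol it implements, a word on how the two 802.2 entries differ, and, since the same list is now maintained by hand both here and in the modprobe.d file, a sentence naming the modprobe.d file as the authoritative list so the two copies cannot silently drift apart.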
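Review bot: the header comment in uncommon-network-protocols.conf says the file "Disables" these protocols, but the directive it documents, `install dccp /bin/true`, only makes modprobe run /bin/true instead of loading the module; it does not unload a module that is already loaded when the package is installed and has no effect on a protocol built into the kernel rather than shipped as a module, so the comment should say that loading via modprobe is blocked and the package should note that already-loaded modules need a reboot (or an explicit unload) before the setting takes effect. Smaller points on the same hunk: the quoted paragraphs cite `Ubuntu[1]` and `Fedora[2]` but the footnotes are not carried over, so either add the URLs under the quote or drop the markers; and the context line still reads "vulnerabilties", worth fixing while this header is being edited.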
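Review bot: the replacement line in the debian/control hunk at line 97, `Uncommon network protocols are blacklisted in /etc/modprobe.d/uncommon-network-protocols.conf as they are rarely used and`, now runs to roughly 120 characters while the rest of the description is wrapped at under 80, which is the convention for Debian control descriptions, so rewrap the paragraph after inserting the path (for example break before `/etc/modprobe.d/` and again after `.conf`). Since the description now names a concrete file path, a rename of the conf file will silently leave this sentence wrong, so it is worth a note in the changelog or a comment beside the path so the two stay in step.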