ban...@openmailbox.org writes:

> * Whonix Gateway is a separate VM that forces all traffic thru any
>   anonymous network of choice
> * Whonix Workstation - The untrusted VM where users run applications
>   configured with safe defaults that can only access the network via a
>   virtual isolated NIC connected only to Whonix Gateway.
>
> For this to work with Freenet we need to make sure that:
>
> * Freenet on the Gateway can be locked down preventing malicious
>   commands from affecting its configuration.
Freenet has a "public gateway" mode which limits the amount of changes
the user can do to the Freenet instance.

  * Public gateway mode? (Only applies to allowed but non-full-access
    connections)
    Should we enable public gateway mode? For IPs which are allowed to
    access Freenet, but are not allowed full access, this option disables
    the download queue and anything else that might conceivably be abused
    to attack the Freenet node, while still allowing browsing freesites.
    They will also only see the default bookmarks, not your bookmarks. IP
    addresses with full access will be allowed to configure the node. You
    will still need to configure allowed addresses and bind address to
    get a true public gateway; you should do this after restarting.
    → http://127.0.0.1:8888/config/fproxy?fproxyAdvancedMode=2

  * Hosts allowed full access
    IP addresses which are allowed full access to your Freenet node.
    Clients on these IPs may restart Freenet, reconfigure it, etc. Note
    that ALL clients are allowed to do direct disk I/O!
    → http://127.0.0.1:8888/config/fcp?fproxyAdvancedMode=2

> * A second Freenet instance in the Workstation is running in a dummy
>   mode that's used to run Freenet plugins/applications and connects via
>   the Gateway Freenet to make network requests while any data is cached
>   only on the workstation.

Sounds good. You can either connect the second instance to the
workstation via friend-to-friend mode (this won't be very fast, though,
since load balancing will give you only a fair fraction of the bandwidth
of the gateway), or you can SSH-forward the FCP and web port of the
gateway to the local system (this is what I do: Freenet runs on my
homeserver and the local system only gets the ports via SSH). Then the
applications can run on the local system (but plugins still run on the
gateway).
This is in my /etc/local.d/freenet-forward.start:

  su [user] -c "while true; do ssh -NL 8888:localhost:8888 -L 9481:localhost:9481 -L 8080:localhost:8080 -L 4025:localhost:4025 -L 4143:localhost:4143 [host] ; sleep 5; done &"

→ web-interface 8888, fcp 9481, FMS (forums) 8080, smtp 4025, imap 4143

To still restrict access when ssh forwarding, you can change the full
access connections from 127.0.0.1 and 0:…:1 to 127.0.0.4 and 0:…:4 to
block localhost, too, and only adjust dangerous settings by shutting
down the node, editing freenet.ini and starting it up again. (though the
additional security of this might be limited, see
http://serverfault.com/a/752076/229575)

→ http://127.0.0.1:8888/config/fproxy?fproxyAdvancedMode=2 and
  http://127.0.0.1:8888/config/fcp

In freenet.ini:

  fproxy.allowedHostsFullAccess=127.0.0.1,0:0:0:0:0:0:0:1

Best wishes,
Arne

--
Being apolitical means being political without noticing it.
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
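As an added example (not from Arne's mail or the Freenet project), a POSIX shell script that applies the freenet.ini restrictions discussed in the thread while the node is stopped, and a check that verifies plain localhost no longer has full access; it assumes the key names fproxy.allowedHostsFullAccess (quoted in the mail) and fproxy.publicGatewayMode (assumed name of the public gateway switch), and the sample ini it writes is constructed.

```shell
#!/bin/sh
# Added example: edit freenet.ini offline as the mail suggests (stop node,
# edit, start). Assumed keys: fproxy.allowedHostsFullAccess (on the page),
# fproxy.publicGatewayMode (assumed name of the public gateway option).

# set_ini_key FILE KEY VALUE: rewrite KEY=... in FILE, or append it if absent.
set_ini_key() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # only the matching line changes; every other line is kept verbatim
        awk -v k="$key" -v v="$value" 'BEGIN{FS=OFS="="}
            $1==k {print k, v; next} {print}' "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# harden_freenet_ini FILE: move full access off localhost (the 127.0.0.4 /
# ::4 trick from the mail) and switch on public gateway mode.
harden_freenet_ini() {
    set_ini_key "$1" fproxy.allowedHostsFullAccess '127.0.0.4,0:0:0:0:0:0:0:4'
    set_ini_key "$1" fproxy.publicGatewayMode true
}

# check_freenet_ini FILE: succeed only if public gateway mode is on and
# neither 127.0.0.1 nor ::1 is still in the full-access list.
check_freenet_ini() {
    grep -q '^fproxy\.publicGatewayMode=true$' "$1" || return 1
    line=$(grep '^fproxy\.allowedHostsFullAccess=' "$1") || return 1
    case ",${line#*=}," in
        *,127.0.0.1,*|*,0:0:0:0:0:0:0:1,*) return 1 ;;
    esac
    return 0
}

# make_sample_ini FILE: constructed freenet.ini with the defaults from the mail.
make_sample_ini() {
    cat > "$1" <<'EOF'
fproxy.port=8888
fproxy.allowedHosts=127.0.0.1,0:0:0:0:0:0:0:1
fproxy.allowedHostsFullAccess=127.0.0.1,0:0:0:0:0:0:0:1
EOF
}
```

Run harden_freenet_ini against the real freenet.ini only while the node is shut down, then start it again, as the mail describes.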