Re: [Tails-dev] Tails control port filter proxy in Whonix?

2017-01-19 Thread Patrick Schleizer
Noticed one incompatibility. ZeroNet uses custom code rather than python-stem to talk to Tor control protocol. Its line handling works with original Tor, but not with the filter. https://github.com/HelloZeroNet/ZeroNet/issues/756

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2017-01-18 Thread anonym
Patrick Schleizer: > Whonix has forked tor-controlport-filter by Tails. > > https://github.com/Whonix/control-port-filter-python > > Whonix is using a different configuration parser. Yay! Let's try to make this fork short-lived! Note that Tails' version has changed quite a lot since you forked

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2017-01-15 Thread Patrick Schleizer
Whonix has forked tor-controlport-filter by Tails. https://github.com/Whonix/control-port-filter-python Whonix is using a different configuration parser. This is now documented in detail here: https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy/tor-controlport-filter/config Best

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2017-01-11 Thread Patrick Schleizer
Happy to report that a few profiles have been successfully written. They are using Whonix forked config parsing code. They are now living here: - https://github.com/Whonix/control-port-filter-python/tree/master/usr/share/tor-controlport-filter/examples There is one for onionshare, one for

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-12-13 Thread Patrick Schleizer
Patrick Schleizer: > anonym: >> Patrick Schleizer: >>> anonym: >>> About the packaging. If you like the genmkfile way to package things, I >>> could also do the packaging. Only disadvantage would be an extra >>> dependency on genmkfile. >>> >>> https://github.com/Whonix/control-port-filter-python

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-12-11 Thread Patrick Schleizer
Hi, it's now packaged and lintian pedantic clean. The package should be generic (work in Whonix and Tails at the same time) for the most part. The missing part is Tails' config files. Since I don't know if you want to actually use that package, I skipped Tails' config files and just dropped

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-13 Thread Patrick Schleizer
anonym: > Patrick Schleizer: >> anonym: >>> Patrick Schleizer: Where I need to correct myself. The injected IP is probably difficult to add to a config file since IPs in Qubes will remain dynamic for quite some time until Qubes 4.0. We'd need something like this.

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-13 Thread anonym
Patrick Schleizer: > anonym: >> Patrick Schleizer: >>> Where I need to correct myself. The injected IP is probably difficult to >>> add to a config file since IPs in Qubes will remain dynamic for >>> quite some time until Qubes 4.0. We'd need something like this. >>> >>> ADD_ONION: >>>

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread Patrick Schleizer
anonym: > Patrick Schleizer: >> Where I need to correct myself. The injected IP is probably difficult to >> add to a config file since IPs in Qubes will remain dynamic for >> quite some time until Qubes 4.0. We'd need something like this. >> >> ADD_ONION: >> - pattern: 'NEW:BEST

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread anonym
Patrick Schleizer: > Where I need to correct myself. The injected IP is probably difficult to > add to a config file since IPs in Qubes will remain dynamic for > quite some time until Qubes 4.0. We'd need something like this. > > ADD_ONION: > - pattern: 'NEW:BEST

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread Patrick Schleizer
anonym: > Patrick Schleizer: >> That crashes the filter for me. > > Argh, I meant: > > GETINFO: > - pattern: 'net/listeners/socks' > response: > - pattern: '250-net/listeners/socks=".*"' > replacement: '250-net/listeners/socks="127.0.0.1:9150"' > >

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread Patrick Schleizer
anonym: > Patrick Schleizer: - https://phabricator.whonix.org/T564 >>> >>> I'd need more details of what the idea is here. >> >> Prevent (in case of some bug or compromise) that more than X hidden >> services are created. The number of hidden services should be tracked. If >> more than X are

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread anonym
Patrick Schleizer: > That crashes the filter for me. Argh, I meant: GETINFO: - pattern: 'net/listeners/socks' response: - pattern: '250-net/listeners/socks=".*"' replacement: '250-net/listeners/socks="127.0.0.1:9150"' (Notice the removed "-" in front of

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread Patrick Schleizer
anonym: > Patrick Schleizer: >> Hi there, >> >> sorry for the delay, I got sidetracked with other stuff. >> >> My first and summary impression is that this is looking excellent! > > \o/ > >> ./tor-controlport-filter --listen-address 9052 >> Tor control port filter started, listening on

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread Patrick Schleizer
anonym: > Patrick Schleizer: >> - https://phabricator.whonix.org/T564 Protecting cpfpy from DDOS from client applications. Not sure that matters for Tails? >>> >>> We do not do much specific here. What kind of DoS are you talking about >>> here? Eating up all RAM or crashing the

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread anonym
Patrick Schleizer: > anonym: >> https://tails.boum.org/news/report_2016_09/#index2h1 >> >> and look at the documentation at the top of the script, and the filter >> rules we ship to get an idea of what it can do. > >> As you can see, in Tails we use match-exe-paths and match-users a lot, >>

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread anonym
Patrick Schleizer: >>> - https://phabricator.whonix.org/T564 >> >> I'd need more details of what the idea is here. > > Prevent (in case of some bug or compromise) that more than X hidden > services are created. The number of hidden services should be tracked. If > more than X are created, requests

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-12 Thread anonym
Patrick Schleizer: > Hi there, > > sorry for the delay, I got sidetracked with other stuff. > > My first and summary impression is that this is looking excellent! \o/ > ./tor-controlport-filter --listen-address 9052 > Tor control port filter started, listening on 9052:9051 > > Do you see

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-10 Thread Patrick Schleizer
anonym: > https://tails.boum.org/news/report_2016_09/#index2h1 > > and look at the documentation at the top of the script, and the filter > rules we ship to get an idea of what it can do. > As you can see, in Tails we use match-exe-paths and match-users a lot, > but since you won't have

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-10 Thread Patrick Schleizer
> [...] >> In conclusion, I think the truth is that Whonix switching to our filter >> will require some work to reach feature-parity with your current filter, >> and you will not really gain anything by doing so except code sharing. >> YMMV. That said, I'd happily implement match-hosts and the two

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-11-10 Thread Patrick Schleizer
Hi there, sorry for the delay, I got sidetracked with other stuff. My first and summary impression is that this is looking excellent! ./tor-controlport-filter --listen-address 9052 Tor control port filter started, listening on 9052:9051 Do you see any reason in Whonix not to use the

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-10-16 Thread intrigeri
Hi, maybe this discussion would be one of those that we should be having on the deskt...@secure-os.org list? I see that there was a thread about similar topics a few months ago: https://secure-os.org/pipermail/desktops/2016-July/000128.html Cheers, -- intrigeri

Re: [Tails-dev] Tails control port filter proxy in Whonix?

2016-10-11 Thread anonym
Patrick Schleizer: > Hi, > > as discussed elsewhere, yes, it would be great if we could share code bases! Agreed, but we have to realize that at the moment Whonix and Tails run these filters in quite different contexts and under different threat models. Whonix runs the filter in a different VM

[Tails-dev] Tails control port filter proxy in Whonix?

2016-10-10 Thread Patrick Schleizer
Hi, as discussed elsewhere, yes, it would be great if we could share code bases! Does it support simultaneous connections? (Such as two applications using ephemeral Tor hidden services plus Tor Browser at once.) Does Tails control port filter proxy support events? I mean, can a client