Re: [tor-talk] obfs4proxy and ports < 1024
I just took a look at availability of FreeBSD Live ports - not mainstream, you say, although I think there are inherent advantages to running live systems (in part implied in why TAILS opts to be so by definition - my own pref is to exceed this and run the live boot image without ever installing it, making it continuous at each boot without being affected by usage, and capable of being reestablished and redeployed rapidly in case of failure). GhostBSD is one example, Frenzy is another. The latter, pondering defunctness, also illustrates another problem with distros in general, and the Linux road is littered with abandoned attempts, distros that are no longer supported, and so on. Repo operating systems need Repo support, and a constant user base that includes its developers. I also took a look at the Tor/Tor Browser Bundle issue with regard to BSD, where I see many have issues using the two together, as if Linux in this regard did not present enough. I have just had month after month of problems with Tor implementation - though not with the simple act of running Tor per se. I feel TBB is also superior, and would like to run Tor as a daemon from it, which no one seems to be doing. Many of the security issues derive from online operation - witness the kerfuffle over DNS leaks - rather than OS kernel security itself (most pertinent to containment, in my view). The problem for me with Tor, as what should be one arm in a repertoire of secure systems that are largely unimplemented by default in most - and most security - OSes - is the potential lack of security or anonymity of its exit nodes, to which Tor Ram Disk was supposed to offer a solution but is unimplemented. I became very tired of the work, and of the minefield of security advice, applications, and over-proliferation of problems associated with online security as a whole, including with regard to Tor.
TAILS for me was a non-solution - rigid, not generally receptive to Debian's support for software, lacking VPN/I2P/Freenet support, over-committed to Tor alone, and what I felt was an awful front-end. I at least want to use an OS with a slick and approachable GUI. Fedora is now among the few OSes offering kernel hardening as a matter of course - and in my experience was riddled with bugs, despite being the apparent source for Redhat.

Sent from ProtonMail, Swiss-based encrypted email.

--- Original Message ---
On March 25, 2018 3:52 PM, George wrote:

> Wanderingnet:
> > I have considered it, as I explored various distros, most buggy and by no means secured out-of-the-box, in my view. But I have had such a nightmare experience working to any degree of satisfaction with Linux, I am reluctant to work on anything more stripped down. Alpine Linux was another option I looked at, for example, but there is no readily available Live CD - you have to build it yourself from command up (ideally from chroot, I think, to provide the basic packages and a desktop), then find a way to make a live distro from it. I remember looking at the BSD site and downloads and pondering on what I would have to do to get a working live boot... But I have been generally disappointed by the lack of an ideal secure OS ready to go with which I am happy. OS work has been put on the backseat for me for now :) I need a break from it.
>
> Jumping in late to the party... specifically from BSD-land.
>
> Keep in mind "stripped-down" is an individual's perspective. I think OpenBSD is very tight, and the kernel is rumored to shrink on occasion with releases. Yet by default, OpenBSD contains an httpd and smtp server, fvwm for X and other things one might consider "bloat."
>
> Live CDs aren't mainstream like they were ten or more years ago. Specifically with FreeBSD, you had FreeBSD tools like Freesbie alive and active. It's still in FreeBSD ports in sysutils, but I haven't used it in a long time. NanoBSD is another simple build system for RAM-based systems, but I think most of the activity is/was around pfSense (which discontinued using it, I think) and for arm platform builds. Specifically look at Crochet for FreeBSD as another option.
>
> It seems most full-system-on-USB/CD-media systems are EOL'd at this point. It remains a relatively do-able task for any OS. Install to the media as a target, boot off it and configure as you desire. If you want something easier to maintain longer-term on OpenBSD, you might look at the vnd(4) and vndconfig(8) manual pages.
>
> The issue remains there are so many different needs and preferences in such systems, a simple third-party download that is one-size-fits-all is unlikely. You'll notice that with systems that contain X managers, where it's all XFCE, or KDE, or whatever. A creator's view of the ideal
Re: [tor-talk] obfs4proxy and ports < 1024
Wanderingnet:
> I have considered it, as I explored various distros, most buggy and by no means secured out-of-the-box, in my view. But I have had such a nightmare experience working to any degree of satisfaction with Linux, I am reluctant to work on anything more stripped down. Alpine Linux was another option I looked at, for example, but there is no readily available Live CD - you have to build it yourself from command up (ideally from chroot, I think, to provide the basic packages and a desktop), then find a way to make a live distro from it. I remember looking at the BSD site and downloads and pondering on what I would have to do to get a working live boot... But I have been generally disappointed by the lack of an ideal secure OS ready to go with which I am happy. OS work has been put on the backseat for me for now :) I need a break from it.

Jumping in late to the party... specifically from BSD-land.

Keep in mind "stripped-down" is an individual's perspective. I think OpenBSD is very tight, and the kernel is rumored to shrink on occasion with releases. Yet by default, OpenBSD contains an httpd and smtp server, fvwm for X and other things one might consider "bloat."

Live CDs aren't mainstream like they were ten or more years ago. Specifically with FreeBSD, you had FreeBSD tools like Freesbie alive and active. It's still in FreeBSD ports in sysutils, but I haven't used it in a long time. NanoBSD is another simple build system for RAM-based systems, but I think most of the activity is/was around pfSense (which discontinued using it, I think) and for arm platform builds. Specifically look at Crochet for FreeBSD as another option.

It seems most full-system-on-USB/CD-media systems are EOL'd at this point. It remains a relatively do-able task for any OS. Install to the media as a target, boot off it and configure as you desire. If you want something easier to maintain longer-term on OpenBSD, you might look at the vnd(4) and vndconfig(8) manual pages.

The issue remains there are so many different needs and preferences in such systems, a simple third-party download that is one-size-fits-all is unlikely. You'll notice that with systems that contain X managers, where it's all XFCE, or KDE, or whatever. A creator's view of the ideal set of utilities and packages rarely matches that of more than a few users. If it's really something you want, you should probably do it yourself.

We (https://www.torbsd.org/) have weighed doing some sort of TAILS-like system for OpenBSD, but it's not in the cards in the near term. On that note, you might look at our wiki at https://wiki.torbsd.org/ for more relevant information.

g

> Sent from ProtonMail, Swiss-based encrypted email.
>
> --- Original Message ---
> On March 18, 2018 6:56 PM, grarpamp wrote:
>
> > > /etc/protocols
> >
> > No, that affects userland libraries, largely unrelated to the kernel. If some simple tool like netcat is kernel blocked from binding < 1024 as uid 0, then your Linux distro of the month has included some settings or security architecture / patch beyond kernel.org, or something in all those extra layers of abstraction has broken, which you need to learn then fix, set, or work around as needed. Or switch to FreeBSD for a more integrated leaner experience that just works as a whole.
> >
> > https://www.freebsd.org/
> > https://wikipedia.org/wiki/FreeBSD
> > https://www.freebsdfoundation.org/

-- 
34A6 0A1F F8EF B465 866F F0C5 5D92 1FD1 ECF6 1682

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] obfs4proxy and ports < 1024
I have considered it, as I explored various distros, most buggy and by no means secured out-of-the-box, in my view. But I have had such a nightmare experience working to any degree of satisfaction with Linux, I am reluctant to work on anything more stripped down. Alpine Linux was another option I looked at, for example, but there is no readily available Live CD - you have to build it yourself from command up (ideally from chroot, I think, to provide the basic packages and a desktop), then find a way to make a live distro from it. I remember looking at the BSD site and downloads and pondering on what I would have to do to get a working live boot... But I have been generally disappointed by the lack of an ideal secure OS ready to go with which I am happy. OS work has been put on the backseat for me for now :) I need a break from it.

Sent from ProtonMail, Swiss-based encrypted email.

--- Original Message ---
On March 18, 2018 6:56 PM, grarpamp wrote:

> > /etc/protocols
>
> No, that affects userland libraries, largely unrelated to the kernel. If some simple tool like netcat is kernel blocked from binding < 1024 as uid 0, then your Linux distro of the month has included some settings or security architecture / patch beyond kernel.org, or something in all those extra layers of abstraction has broken, which you need to learn then fix, set, or work around as needed. Or switch to FreeBSD for a more integrated leaner experience that just works as a whole.
>
> https://www.freebsd.org/
> https://wikipedia.org/wiki/FreeBSD
> https://www.freebsdfoundation.org/
Re: [tor-talk] obfs4proxy and ports < 1024
> /etc/protocols

No, that affects userland libraries, largely unrelated to the kernel. If some simple tool like netcat is kernel blocked from binding < 1024 as uid 0, then your Linux distro of the month has included some settings or security architecture / patch beyond kernel.org, or something in all those extra layers of abstraction has broken, which you need to learn then fix, set, or work around as needed. Or switch to FreeBSD for a more integrated leaner experience that just works as a whole.

https://www.freebsd.org/
https://wikipedia.org/wiki/FreeBSD
https://www.freebsdfoundation.org/
Re: [tor-talk] obfs4proxy and ports < 1024
The IANA assignments/standard protocols per port are assigned in /etc/protocols - though no doubt you know that. Does changing the default assignments here help?

Sent from ProtonMail, Swiss-based encrypted email.

--- Original Message ---
On March 11, 2018 1:23 PM, Udo van den Heuvel wrote:

> On 11-03-18 14:16, kact...@gnu.org wrote:
> > [2018-03-11 09:49] Udo van den Heuvel udo...@xs4all.nl
> > > On a new x86_64 firewall I notice that a freshly built obfs4proxy does
> > > not want to bind to a port below 1024 and becomes defunct.
> > > A port > 1024 works OK.
> > > How do I make things work for ports below 1024?
> >
> > Wild guess. You are aware, that port < 1024 are so-called privileged
> > ports, and require root to open (at least with Linux), don't you?
>
> I am aware of the difference.
> Things did work on the old (firewall) box.
> Things now appear different.
> User root starts the thing but of course the tor user is used for normal
> operation...
>
> Udo
Re: [tor-talk] obfs4proxy and ports < 1024
I did it this way: https://lorenzo.mile.si/2017/02/running-obfs4-tor-bridge-on-port-80-443/
Re: [tor-talk] obfs4proxy and ports < 1024
Forward with socat

On March 11, 2018 8:49:26 AM UTC, Udo van den Heuvel wrote:
> Hello,
>
> On a new x86_64 firewall I notice that a freshly built obfs4proxy does
> not want to bind to a port below 1024 and becomes defunct.
> A port > 1024 works OK.
> How do I make things work for ports below 1024?
> (this works OK on the 32-bit old firewall)
>
> Kind regards,
> Udo

-- 
Take Care
Sincerely flipchan
layerprox dev
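The privileged-port failure and the socat relay discussed in this thread, as an added diagnostic script that is not part of any message here: it tries to bind a port as the current uid so the EACCES a non-root obfs4proxy gets on a port below 1024 is told apart from a port that is merely already in use, reads the Linux sysctl that defines where unprivileged ports start (assumed present, falling back to the classic 1024), and prints the socat command that relays the low port to the high port obfs4proxy can bind. Assumes Linux; the port numbers 443 and 4443 are constructed.

```python
import errno
import os
import socket

# Linux sysctl that sets the first unprivileged port (assumed present; it
# exists on kernels since 4.11 and is only read if it is there).
UNPRIV_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"

def privileged_port_limit():
    """First port the running kernel lets an unprivileged uid bind."""
    try:
        with open(UNPRIV_START) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024  # the classic default the thread is talking about

def needs_privilege(port, limit=None):
    """True if binding `port` needs root or CAP_NET_BIND_SERVICE."""
    limit = privileged_port_limit() if limit is None else limit
    return 0 < port < limit  # port 0 asks the kernel for an ephemeral port

def diagnose_bind(port, host="127.0.0.1"):
    """Bind TCP `port` as the current uid: 'ok', 'privileged' or 'in-use'."""
    # 'privileged' is the EACCES obfs4proxy hits when it runs as the tor user;
    # 'in-use' is EADDRINUSE, a different fault with the same "transport never
    # comes up" symptom, so the two are worth separating before changing anything.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "ok"
    except PermissionError:
        return "privileged"
    except OSError as e:
        return "in-use" if e.errno == errno.EADDRINUSE else "error:%d" % e.errno
    finally:
        s.close()

def socat_forward(public_port, listen_port):
    """socat relay (run as root) from the low public port to obfs4proxy's high port."""
    return "socat TCP-LISTEN:%d,fork,reuseaddr TCP:127.0.0.1:%d" % (
        public_port, listen_port)

if __name__ == "__main__":
    # Constructed ports: 443 is the public bridge port, 4443 what obfs4proxy binds.
    print("uid %d, unprivileged ports start at %d" % (os.getuid(), privileged_port_limit()))
    for p in (443, 4443):
        print("port %d: needs privilege=%s, bind=%s" % (p, needs_privilege(p), diagnose_bind(p)))
    print(socat_forward(443, 4443))
```

Run it as the same user obfs4proxy runs as: a "privileged" result on the low port with "ok" on the high port is exactly the situation the relay (or a capability/redirect) is meant to bridge.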
Re: [tor-talk] obfs4proxy and ports < 1024
On 11-03-18 14:16, kact...@gnu.org wrote:
> [2018-03-11 09:49] Udo van den Heuvel:
> > On a new x86_64 firewall I notice that a freshly built obfs4proxy does
> > not want to bind to a port below 1024 and becomes defunct.
> > A port > 1024 works OK.
> > How do I make things work for ports below 1024?
>
> Wild guess. You are aware, that port < 1024 are so-called privileged
> ports, and require root to open (at least with Linux), don't you?

I am aware of the difference.
Things did work on the old (firewall) box.
Things now appear different.
User root starts the thing but of course the tor user is used for normal operation...

Udo
Re: [tor-talk] obfs4proxy and ports < 1024
[2018-03-11 09:49] Udo van den Heuvel:
> Hello,
>
> On a new x86_64 firewall I notice that a freshly built obfs4proxy does
> not want to bind to a port below 1024 and becomes defunct.
> A port > 1024 works OK.
> How do I make things work for ports below 1024?

Wild guess. You are aware, that port < 1024 are so-called privileged ports, and require root to open (at least with Linux), don't you?