29/10/12 19:54, [email protected] wrote:

>>   IIRC, VirtualBox host software sets iptables/netfilter up in a way
>>   that makes the guest system bypass the existing firewall / or be
>>   blocked by it, so some care should be taken on this side.
> 
> One idea is to use host-only networking in the virtualbox guest, and the
> apps in the guest can connect to appropriate socks-port(s) on the hosts
> host-only adapter

Sure, a host-only adapter probably make this easier than the bridged
setup described in the link.

> Bridge mode is the problem, it would be worth checking if the amnesia user
> can leverage the virtualbox bridge kernel module/driver to bypass tor.
> This would violate tails design because currently the amnesia user is not
> allowed direct internet access.

This is interesting and certainly needs to be investigated further
(added to todo item). My initial testing shows that, indeed, bridged
adapters bypass the host's firewall.

> Bridge mode and NAT support could simply be left out alltogether from
> tails, any drivers deleted/not-installed

Allowing NAT is at least not a leaking-related problem since the NAT:ed
traffic appears "normally" in the host OS, so in Tails it will be caught
by the firewall.

> If the kernel modules for bridge and NAT adapters is left out of tails,
> that would leave only the host-only networking adapter.

vboxnetflt is used for bridged adapters, but host-only adapters requries
*both* vboxnetadp and vboxnetflt to be loaded.


_______________________________________________
tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev

Reply via email to