[email protected]:
> I think since tails now supports bridges and obfsproxy, then someone
> one day may implement a hardened firewall cd that runs in front of
> tails, and allows only traffic to the bridges the user has
> specified
>
> This would stop an attacker from learning the tails machine real IP
> even if they gained root on the machine, unless they could use a
> *rare* exploit against iptables or pf on the firewall machine (or
> some other attack). A multi machine setup may be less coding work
> for developers than setting up virtualization, and be more secure
What you describe was sometimes called a bridge firewall. I considered creating something like this and putting it in front of Whonix-Gateway (to make a two machine system, perhaps an optional three machine system). Unfortunately, it turned out that once the Tor process has been compromised, the external IP is also compromised, because Tor knows it. I documented this and a few other aspects of such a bridge firewall: https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall

_______________________________________________
tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
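A sketch of the bridge-firewall idea discussed in this thread, added here as an example and not code from the thread, Tails or Whonix: it parses torrc `Bridge` lines (with or without a pluggable-transport prefix) and emits an nftables forward ruleset that lets the inner machine reach only the listed bridge addresses and ports. The interface names, table name and sample bridge lines are constructed, and the caveat from the reply above still holds: the ruleset limits where the inner machine can connect, but a compromised Tor process already knows the external IP.

```python
import ipaddress
import re

# Constructed sample torrc "Bridge" lines: documentation addresses, placeholder fingerprints/certs.
SAMPLE_BRIDGES = [
    "obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDER iat-mode=0",
    "192.0.2.20:9001 89ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "obfs4 [2001:db8::1]:8443 ABCDEF0123456789ABCDEF0123456789ABCDEF01 cert=PLACEHOLDER iat-mode=0",
]

# An address:port token is either [IPv6]:port or IPv4:port.
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d{1,5})$")


def parse_bridge_line(line):
    """Return (ip_address, port) from a Bridge line; transport name and fingerprint are skipped."""
    for token in line.split():
        m = _ADDR_RE.match(token)
        if m:
            ip = ipaddress.ip_address(m.group("v6") or m.group("v4"))  # raises ValueError on garbage
            port = int(m.group("port"))
            if not 1 <= port <= 65535:
                raise ValueError("port out of range in bridge line: %s" % line)
            return ip, port
    raise ValueError("no address:port found in bridge line: %s" % line)


def build_nft_ruleset(bridge_lines, lan_iface="lan0", wan_iface="wan0"):
    """Emit an nftables ruleset forwarding only new TCP connections to the listed bridges."""
    rules = [
        "table inet bridgefw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for line in bridge_lines:
        ip, port = parse_bridge_line(line)
        family = "ip6" if ip.version == 6 else "ip"
        rules.append('    iifname "%s" oifname "%s" %s daddr %s tcp dport %d ct state new accept'
                     % (lan_iface, wan_iface, family, ip, port))
    # Everything else from the inner (Tails) side, including DNS and direct relay connections,
    # falls through to the drop policy. This does not hide the external IP from a compromised
    # Tor process on the inner machine; it only constrains where that machine can connect.
    rules += ["  }", "}"]
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(build_nft_ruleset(SAMPLE_BRIDGES))
```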
