Hi,
adev@??? wrote (01 Nov 2012 17:55:42 GMT) :
>>>> IIRC, VirtualBox host software sets iptables/netfilter up in a way
>>>> that makes the guest system bypass the existing firewall / or be
>>>> blocked by it, so some care should be taken on this side.
>>>
>>> One idea is to use host-only networking in the virtualbox guest, and the
>>> apps in the guest can connect to appropriate socks-port(s) on the hosts
>>> host-only adapter
>>
>> Sure, a host-only adapter probably make this easier than the bridged
>> setup described in the link.
> And more secure
>>> Bridge mode is the problem, it would be worth checking if the amnesia
>>> user
>>> can leverage the virtualbox bridge kernel module/driver to bypass tor.
>>> This would violate tails design because currently the amnesia user is
>>> not
>>> allowed direct internet access.
>>
>> This is interesting and certainly needs to be investigated further
>> (added to todo item). My initial testing shows that, indeed, bridged
>> adapters bypass the host's firewall.
> I suspect that the answer is Yes, by default the amnesia user can use the
> bridge adapter to bypass the host firewall, unless we do something to stop
> this
>>> Bridge mode and NAT support could simply be left out alltogether from
>>> tails, any drivers deleted/not-installed
>>
>> Allowing NAT is at least not a leaking-related problem since the NAT:ed
>> traffic appears "normally" in the host OS, so in Tails it will be caught
>> by the firewall.
>>
>>> If the kernel modules for bridge and NAT adapters is left out of tails,
>>> that would leave only the host-only networking adapter.
>>
>> vboxnetflt is used for bridged adapters, but host-only adapters requries
>> *both* vboxnetadp and vboxnetflt to be loaded.
> That is unfortunate, I'm sure we'll think of some way to fix the problem
> though
I'd like to see todo/add_virtualbox_host_software move forward,
and I fear it's currently blocked due to needlessly high goals.
Assuming one can just delete these few networking drivers file to
disable network support altogether, without breaking anything else,
how about, as a first iteration, we ship VirtualBox host software
without networking support at all?
I think this would at least satisfy the "I want to use InDesign on
Windows on Tails to produce a leaflet" usecase, and at least be the
first step towards more involved usecases like the one adev had
in mind.
What do you think?
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc