Autor: adev Data: Para: The Tails public development discussion list Asunto: Re: [Tails-dev] Bridge Firewall Was: Re: VirtualBox host software
vs. networking [Was: Tails 0.14 rc1 virtualization testing & howto install
virtualbox and vmplayer]
> adev@???: >> I think since tails now supports bridges and obsproxy, then someone
>> one day may implement a hardened firewall cd that runs in front of
>> tails, and allows only traffic to the bridges the user has
>> specified
>>
>> This would stop an attacker from learning the tails machine real IP
>> even if they gained root on the machine, unless they could use a
>> *rare* exploit against iptables or pf on the firewall machine (or
>> some other attack) A multi machine setup may be less coding work
>> for developers than setting up virtualization, and be more secure
>
> What you describe, was sometimes called a bridge firewall. I
> considered creating something like this and put it in front of
> Whonix-Gateway. (To make a two machine system perhaps an optional
> three machine system.)
>
> Unfortunately, it turned out, that once the Tor process has been
> compromised, external IP is also compromised because Tor knows it.
>
> I documented this and a few other aspects of such a bridge firewall:
> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall > _______________________________________________
> tails-dev mailing list
> tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev >
Thanks for that important information. Looks like the tor bridge software
will reply back to the tor client with the IP used to connect to it(the
bridge) if asked nicely
I assume tor must need this for something otherwise they wouldn't have put
it in
