Re: [Tails-dev] Tails control port filter proxy in Whonix?

Delete this message

Reply to this message
Autor: anonym
Data:  
A: The Tails public development discussion list
CC: michael, Patrick Schleizer
Assumpte: Re: [Tails-dev] Tails control port filter proxy in Whonix?
anonym:
> Patrick Schleizer:
>> Hi,
>>
>> as discussed elsewhere, yes, it would be great if we could share code bases!


I got excited about doing some coding, so now we're closer to being able
to do this! Still, don't feel bad if you in the end decide *not* to use
our filter. :)

[...]
>> - Honors signals sigterm, sigint, keyboard interrupt.
>
> I guess?


Now it definitely does.

[...]
> In conclusion, I think the truth is that Whonix switching to our filter
> will require some work to reach feature-parity with you current filter,
> and you will not really gain anything by doing so except code sharing.
> YMMV. That said, I'd happily implement match-hosts and the two
> additional types of rules I mentioned above if that would be enough for you.


I actually went ahead and implemented these, and I've successfully been
able to run a client on a different host than the filter, like in
Whonix. This is how I imagine the onionshare filter configuration Whonix
needs would look like:

    - match-hosts:
        - '10.1.1.42'
      commands:
        GETINFO:
          - 'version'
          - 'onions/current'
          - pattern:  'net/listeners/socks'
            response: '250-net/listeners/socks="127.0.0.1:9150"'
        GETCONF:
          - '__owningcontrollerprocess'
        ADD_ONION:
          - pattern:     'NEW:BEST Port=80,(176\d\d)'
            replacement: 'NEW:BEST Port=80,10.137.6.41:{}'
        DEL_ONION:
          - '.+'
      events:
        SIGNAL:
          suppress: true
        CONF_CHANGED:
          suppress: true
        HS_DESC:


If you need help deciphering the above I refer you to the "docs":


http://git.tails.boum.org/tails/tree/config/chroot_local-includes/usr/local/lib/tor-controlport-filter?h=feature/7870-include_onionshare

Thoughts about the configuration format are highly welcome (but I doubt
I'd like to move away from YAML)!

It would be interesting to see if this works for you in Whonix. You
definitely will have to look at the --listen-address option (0.0.0.0 or
the address the gateway connects to), and maybe the
--control-cookie-path and --control-socket-path options (yes, the filter
requires a cookie protected Tor ControlSoket for now -- patches welcome
for other modes!).

> Still, I feel we've left out roflcoptor from this discussion. At the
> moment the biggest turn-off for me is that it is written in Go, a
> language I have little interest in learning, and the lack of Debian
> packaging. I'm not sure what else to say, but it just feels like there
> needs to be a discussion before we'd proceed in collaborating on a
> control port filter.


I've now seen that you raised similar concerns a bit earlier in the
thread, so perhaps that is good enough for dismissing roflcoptor (at
least for now) without feeling too bad due to NIH syndrome.

I don't know if/how we should proceed, but here's what I think of the
remaining (according to an earlier email in the thread) tickets you have
for this in Whonix vs. our filter:

> - https://phabricator.whonix.org/T561


Orthogonal to the filter, so skipped.

> - https://phabricator.whonix.org/T562


Solved!

> - https://phabricator.whonix.org/T564


I'd need more details of what the idea is here.

Any way, it seems that if one is careful when writing the rules for
ADD_ONION, one can limit the number simply by making sure there's that
number of possible matches of [host:]ports. E.g. the above filter for
onionshare can at most allow 100 ports. Solved?

> - https://phabricator.whonix.org/T565


I'd need more details of what the idea is here.

> - https://phabricator.whonix.org/T566


Like I said, this should be easy. Patches welcome! :)

---

Let me end with: if you test our filter in Whonix, and decide it's the
way to go, then I'll try to do the Debian packaging unless someone wants
to contribute it!

Cheers!