Re: [Tails-dev] Tails control port filter proxy in Whonix?

Delete this message

Reply to this message
Autore: anonym
Data:  
To: The Tails public development discussion list
CC: michael, Patrick Schleizer
Oggetto: Re: [Tails-dev] Tails control port filter proxy in Whonix?
anonym:
> This is how I imagine the onionshare filter configuration Whonix
> needs would look like:
>
>     - match-hosts:
>         - '10.1.1.42'
>       commands:
>         GETINFO:
>           - 'version'
>           - 'onions/current'
>           - pattern:  'net/listeners/socks'
>             response: '250-net/listeners/socks="127.0.0.1:9150"'
>         GETCONF:
>           - '__owningcontrollerprocess'
>         ADD_ONION:
>           - pattern:     'NEW:BEST Port=80,(176\d\d)'
>             replacement: 'NEW:BEST Port=80,10.137.6.41:{}'
>         DEL_ONION:
>           - '.+'
>       events:
>         SIGNAL:
>           suppress: true
>         CONF_CHANGED:
>           suppress: true
>         HS_DESC:


I've pushed some improvements, in particular for making the rewriting
system more general; now we can rewrite commands before they are sent,
rewrite responses from commands (even a rewritten one!), and rewrite
received events. Because of this the profile above needs a slight
adjustment (the only change is for `GETINFO net/listeners/socks`):

    - match-hosts:
        - '10.1.1.42'
      commands:
        GETINFO:
          - 'version'
          - 'onions/current'
          - pattern:  'net/listeners/socks'
            response:
              - pattern:     '.*'
                replacement: '250-net/listeners/socks="127.0.0.1:9150"'
        ADD_ONION:
          - pattern:     'NEW:BEST Port=80,(176([0-4][0-]|50))'
            replacement: 'NEW:BEST Port=80,10.137.6.41:{}'
        DEL_ONION:
          - '.+'
      confs:
        __owningcontrollerprocess:
      events:
        SIGNAL:
          suppress: true
        CONF_CHANGED:
          suppress: true
        HS_DESC:


... in case you want to test it in Whonix. :)

To highlight the possibilities of the rewriting system, we now allow
rules like this to fool an application about what hosts are connected to
through tor:

      commands:
        GETINFO:
          - pattern: 'stream-status'
            response:
              - pattern:     '(.*)whonix\.org(.*)'
                replacement: '{}tails.boum.org{}'
              - pattern:     '(.*)tails\.boum\.org(.*)'
                replacement: '{}whonix.org{}'
      events:
        STREAM:
          response:
            [ Same two (pattern, replacement)-pairs as above ]


Only one replacement will ever be done on the same string, and the
matching is done from top to bottom, as defined in the configuration
file. With the empty string as `replacement`, the matched response would
simply be dropped instead. If we replace the above (pattern,
replacement)-pairs with only:

    pattern:     '(\d+ STREAM \d+ \S+ \d+) [^:]+:(.+)'
    replacement: '{} tails.boum.org:{}'


we fool the application where all tor streams go. The question is,
however, whether this is a useful feature at all. :)

Cheers!