Applications and Stream Isolation

Darian · July 14, 2016, 11:17am

If I installed the new application - Iceweasel or KVM and other, then I should manually change to configuration?
Why it does not work automatically?

Ego · July 14, 2016, 12:22pm

Good day,

Because every program needs specific settings and we are unable to Support every program by setting these by hand.

Have a nice day,

Ego

Darian · July 14, 2016, 4:40pm

1 program - 1 port and 1 Tor-way.

And no problems.

Ego · July 14, 2016, 5:23pm

Good day,

Sadly, Stream Isolation isn’t even close to being that simple. If you go through the procedure necessary to using a new program with it, you’ll notice this quite quickly.

Have a nice day,

Ego

Darian · July 15, 2016, 3:31pm

KVM no pre-configured?

Darian · July 15, 2016, 3:39pm

But it will work automatically in the future?

Patrick · July 15, 2016, 3:34pm

List of pre-configured applications:

Stream Isolation

KVM is not in the list. If it is not in the list, it is not pre-configured.

Patrick · July 15, 2016, 5:34pm

Unlikely.

assd · July 17, 2016, 12:35pm

Is it possible for Whonix to implement some kind of a proxy somewhere to randomly choose a fresh Tor socks port for each application/connection and/or implement blacklist/whitelist filtering feature for destination hostname/ip addresses

I can do all of these easily using 3proxy on a different system, but I didn’t try it on Whonix

This could greatly improve security/anonymity for many different use cases.

For example: Block all traffic except some hidden addresses - #8 by HulaHoop

Patrick · July 17, 2016, 5:06pm

For each connection might be possible but not advisable. Tor supports IsolateDestAddr and IsolateDestPort which we could enable on Tor’s TransPort. Reference:

Stream Isolation

The relevant sentence:

What are IsolateDestAddr and IsolateDestPort? You can learn about them in the Tor manual. See also tor-talk mailing list: Tor’s stream isolation features defaults. Usually, unless you know better, you are better off not using IsolateDestAddr or IsolateDestPort.

For each application would be great but I don’t see how it could be done all pre-configured by default.

assd · July 17, 2016, 5:15pm

I’m already using it outside Whonix, it’s very simple. You provide a list of ports for a rule and 3proxy does the rest when connections start coming in. And it is not necessarily for every connection, you can decide what you want to do with the connection depending on the source port or other filters and could add some whitelist/blacklisting at the same time. For example blocking advertisement hostnames from an application/port or whitelisting an application/port to only use certain destination ip/host/port/protocols and block the rest

Darian · July 18, 2016, 9:04am

Nest Virtualization a better and safer.
Second guest - VPN.
Host - VPN.
First guest - Whonix - Tor