Control Port Filter Proxy Python (cpfpy) / anon-ws-disable-stacked-tor

systemd unit: removed ‘’ from ‘After=’ to fix lintian warning ‘W: control-port-filter-python: systemd-service-file-refers-to-obsolete-target lib/systemd/system/control-port-filter-python.service’ - Whonix Forum

StandardOutput=syslog StandardError=syslog
Wondering, do we have any reason for using that?

Pushed your commits to troubadoour.

Wondering, do we have any reason for using that?
No special reason, it was taken from a generic unit file. It does not seem to write anything to syslog.

systemd unit: removed ‘StandardOutput=syslog’ and ‘StandardError=syslog’ as per Whonix Forum


Removed argument parsing (start / stop / restart) in cpfpd, as it’s managed by systemd.
remove argument parsing, done in daemon/systemd · troubadoour/control-port-filter-python@3c1f475 · GitHub


workaround for ‘dh_installinit should run systemd-tmpfiles if a /usr/lib/tmpfiles.d/ snippet gets shipped for systemd-only packages also’ -

(Similar to this change: Whonix Forum)


Tested. Works fine. Merged. And closed the ticket.
( ⚓ T445 CONTROL_PORT_FILTER_WHITELIST wildcard feature )

Added some minor commits on top. Please review and merge.

Added the following to the config.



Then run the following on a Qubes-Whonix-Gateway.

tor-prompt -i

Did not work.

Unable to authenticate: All lines should end with CRLF

Could this be a more general error? Should we end lines with CRLF?

(What I really was doing was trying multi lined commands in context of research control port filter proxy whiltelist wildcard security implications.)

End lines with CRLF now.

Since GitHub - Whonix/anon-ws-disable-stacked-tor functionality interacts with, I am also discussing anon-ws-disable-stacked-tor here.

( Dev/anon-ws-disable-stacked-tor - Whonix also needs an update. )

Also help wanted with Control Port Filter Proxy Python (cpfpy)! See:

(Tor control protocol)

The default anon-ws-disable-stacked-tor config file should explain most of what anon-ws-disable-stacked-tor does.

anon-ws-disable-stacked-tor/30_anon-dist.conf at master · Whonix/anon-ws-disable-stacked-tor · GitHub

Now it is almost possible for python-stem based applications to do Tor Control Auth Cookie authentication. One small piece for this is still missing.

We would have to whitelist protocolinfo 1 by default also. It would answer (and relay back to the workstation):

250-AUTH METHODS=COOKIE,SAFECOOKIE COOKIEFILE="/var/run/tor/control.authcookie"
250-VERSION Tor=""
250 OK

Does that look alright? Should we whitelist protoclinfo? Or does anything speak against this? If so, we could implement a hardcoded, fake answer, another “lie”.

Using as a reference - its ok to whitelist protocolinfo however their filter lies about the supported authentication types.

1 Like


Has a bug, ought to re-add sock.close(). Unless…