Disabling Control Port Filter Proxy in Whonix?

Hello All,

In the interest of added security, I followed the instructions in the Advanced Security Guide to disable CPFP. I did the “ps aux” check and it looked o.k… Also, as I see Whonixcheck on Workstation stopped performing the Tor bootstrap test, as expected.

Now that I’ve disabled CPFP, the Advanced Security Guide says “You will receive helpful notifications when Tor is not fully bootstrapped anymore by multiple tools that come with Whonix”. My question is what are the “tools” that will send those notices? Also, when I’m using Tor in Workstation, is there anything I can see with my own eyes that would indicate a problem with bootstrapping (i.e. some kind of visible indication)?

Thanks.

> Now that I've disabled CPFP, the Advanced Security Guide says "You will receive helpful notifications when Tor is not fully bootstrapped anymore by multiple tools that come with Whonix". My question is what are the "tools" that will send those notices?

I fixed that sentence: https://www.whonix.org/wiki/Advanced_Security_Guide#Disable_Control_Port_Filter_Proxy

> Also, when I'm using Tor in Workstation, is there anything I can see with my own eyes that would indicate a problem with bootstrapping (i.e. some kind of visible indication)?

You're not supposed to use Tor in the Workstation.

If you mean Tor Browser, don’t just write “Tor”. And no, you cannot. It either works (connections possible) or not.

It sounds like by disabling CPFP I just made my security worse because I WILL NOT get helpful messages when Tor is not fully bootstrapped?

Sorry Patrick, could you clarify, as I must not be understanding this correctly.

Are you sure you know what “Tor bootstrap” refers to? A bulky, technical term perhaps. It’s “Tor connecting xx percent…”, “Tor not connected”, “Tor connected”. That’s all. It’s not about “secure”, “not secure”, “anonymous”, “not anonymous”. Not knowing the bootstrap status leads to less usability. I don’t see how it relates to security.

You’ll find out that Tor is not bootstrapped when you’re unable to connect. The only case where it lightly relates to security is if you care about a long running server or download. But for monitoring these cases, any other test/notification of your own would do.

Thanks Patrick. You’re correct I did not fully understand what Tor bootstrap meant :)

My remaining questions-

  • what is the benefit of disabling CPFP?
  • are there any instructions available to “undo” all the steps I took to disable CPFP, so I can have CPFP fully enabled again? I looked at the steps and I can see some are easy to revert, but others are not clear how to revert.

My primary concern is the long running download scenario you mentioned. If you could suggest how to set up my own notifications for this scenario, that would be fine also, so I wouldn’t have to bother trying to re-enable CPFP.

> - what is the benefit of disabling CPFP?

Lower attack surface.

> - are there any instructions available to "undo" all the steps I took to disable CPFP, so I can have CPFP fully enabled again?

Not in detail. That's why it's for advanced users. Those should know how to undo such stuff. You re-enable it again and then see if it's working again. Or import new images.

> If you could suggest how to set up my own notifications for this scenario

Not in detail. That's why it's for advanced users. Run whonixcheck multiple times. Interpret the Tor SocksPort test result. Write your own connection checks.

These are the 2 Whonix Gateway steps I have no idea how to UNDO. Any help on these would be appreciated:

  1. Disable autostart of CPFP: sudo systemctl mask control-port-filter-proxy-python

  2. Add the following content to /etc/whonix.d/50_user: whonixcheck_skip_functions+=" check_control_port_filter_running "

These are the 2 Whonix Workstation steps I have no idea how to UNDO. Any help on these would be appreciated:

  1. Add the following content to /etc/whonix.d/50_user: whonixcheck_skip_functions+=" check_tor_bootstrap "

  2. Deactivate sdwdate-plugin-anon-shared-con-check by adding following content to /etc/sdwdate.d/50_anon_dist_con_check_plugin_user: DISPATCH_PREREQUISITE=""

This is a Whonix Gateway step I think I can undo. Anyone please let me know if I’m wrong about this:

  1. Add the following content to /etc/whonix_firewall.d/50_user: CONTROL_PORT_FILTER_PROXY_ENABLE=0
    Undo by changing “ENABLE=0” to “ENABLE=1”

Thanks.

> 1. Disable autostart of CPFP: sudo systemctl mask control-port-filter-proxy-python

You put into a search engine: mask systemctl mask

> 2. Add the following content to /etc/whonix.d/50_user: whonixcheck_skip_functions+=" check_control_port_filter_running "
> 1. Add the following content to /etc/whonix.d/50_user: whonixcheck_skip_functions+=" check_tor_bootstrap "
> 2. Deactivate sdwdate-plugin-anon-shared-con-check by adding following content to /etc/sdwdate.d/50_anon_dist_con_check_plugin_user: DISPATCH_PREREQUISITE=""
> 1. Add the following content to /etc/whonix_firewall.d/50_user:

You remove that setting or whole file (if no other user specific setting in there).
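
The undo steps discussed in this thread, collected into one script as an added example; it is not part of the original posts and is not Whonix's own code. It assumes the settings were entered exactly as quoted above; `ROOT`, `remove_setting`, `undo_gateway` and `undo_workstation` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: revert the "disable CPFP" edits listed in this thread.
# ROOT is a hypothetical prefix for rehearsing on a copy; leave it empty on a real VM.
ROOT=${ROOT:-}

# Delete every line of FILE that is exactly LINE (fixed string, whole line).
# If only blank lines remain, remove the file as well.
remove_setting() {
    file=$1 line=$2
    [ -f "$file" ] || return 0
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when no lines are left over; that is not an error here.
    grep -vxF -- "$line" "$file" > "$tmp" || true
    if grep -q '[^[:space:]]' "$tmp"; then
        cat "$tmp" > "$file"      # rewrite in place, keeping owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp" "$file"
    fi
}

undo_gateway() {
    remove_setting "$ROOT/etc/whonix_firewall.d/50_user" \
        'CONTROL_PORT_FILTER_PROXY_ENABLE=0'
    remove_setting "$ROOT/etc/whonix.d/50_user" \
        'whonixcheck_skip_functions+=" check_control_port_filter_running "'
}

undo_workstation() {
    remove_setting "$ROOT/etc/whonix.d/50_user" \
        'whonixcheck_skip_functions+=" check_tor_bootstrap "'
    remove_setting "$ROOT/etc/sdwdate.d/50_anon_dist_con_check_plugin_user" \
        'DISPATCH_PREREQUISITE=""'
}

# Usage (as root): sh undo-cpfp.sh gateway   or   sh undo-cpfp.sh workstation
case "${1:-}" in
    gateway)
        undo_gateway
        # "unmask" reverses "mask"; it does not start the unit by itself.
        systemctl unmask control-port-filter-proxy-python ;;
    workstation)
        undo_workstation ;;
esac
```

Other lines in the same files are left untouched, so unrelated user settings survive; rebooting the VM afterwards is the simplest way to have the restored defaults picked up.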

I did all the steps to re-enable CPFP, but I’m not sure if I was successful.

When I run ps aux in Whonix Gateway I don’t see /bin/bash/ /usr/bin/controlportfilt, but I do see /usr/bin/python /usr/sbin/cpfpd start.

When Whonixcheck runs on Gateway and Workstation I see a successful check of the Tor Browser bootstrap in both cases, so I think I’m o.k.?

Yes.