I2P Running on Whonix Gateway

That mechanism could be “abused” to comfortably launch any program into
the background on boot and have it terminated at shutdown.

Looking into it, why not make it parse /etc/anon-ws-disable-stacked-tor.d like whonix_firewall does? (So we would only need to add the port number to that config file.) I don’t mind "abusing" it though. Your call.

Is there a version file for Whonix inside the Template and AppVM?

I guess anon-ws-disable-stacked-tor.service should not be run in TemplateVMs.

Sorry, I meant a file where I can see which Whonix version the script is being run on.
Haven’t found anything in /etc/.

Not sure what you mean. The markup is sometimes broken, such as bold and code? That is indeed sometimes annoying. I did not check yet if there already is a Discourse upstream bug report.

I was able to mark text and then there would be a popup where I could select that text as a quote. This is somehow missing. (I have tested with NoScript disabled and two different browsers.)

iceweasel on Whonix-Gateway should only be capable of visiting localhost by default, because there is no DNS access / no system default networking. However, if a user enabled transparent proxying for Whonix-Gateway itself ( Whonix-Gateway Traffic: Transparent Proxying ), then the user could connect anywhere.

Ah ok, thanks for the info, going to test that.

It is possible using iptables. I would not mind a localhost-only user on Whonix-Gateway.

Great, going to look into that

I was wondering about that during development.

  • /etc/whonix_firewall.d is for sourcing configuration snippets.
  • /etc/anon-ws-disable-stacked-tor.d works differently. It is for appending commands to be launched into the background only. [Additional port redirections.]

I thought the need to express things like:
“Oh, I don’t want Whonix-Workstation 127.0.0.1:9050 to be redirected to Whonix-Gateway. I want to add a snippet to disable that.”
…would be very rare, if ever existing. That would make the configuration file and script a lot more complex.

It’s like /etc/grub.d, /etc/default/grub.d, /etc/profile.d, /etc/qubes/protected-files.d. They all work a bit differently. They don’t all let you easily overrule anything. Sometimes it is append only.

I had in mind: a socat command to redirect some port required for i2p from the workstation to the gateway.

If you need a redirected port, please tell me some port you need redirected and I can show an example.

It’s fine. If it gets “abused” I make that a generic package not tied to port redirection.

Whonix 14 and above.

If you need a redirected port, please tell me some port you need redirected and I can show an example.

from
https://github.com/cle4r/var/blob/master/i2p-whonix-socat-ws

These ports need to be forwarded:

I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998"

Since Whonix 13 I changed the instructions to use the FoxyProxy in Jessie’s repo because of better verification than installing it from the addon site.

Please see: 3. Install FoxyProxy

in Invisible Internet Project (I2P)

Will the port numbers for custom created service tunnels need to be added here also?

Create [and later ship in anon-ws-i2p-router-config package] a file /etc/anon-ws-disable-stacked-tor/40_anon-ws-i2p-router-config.conf with the following contents:

Either explicitly…

socat TCP-LISTEN:2827,fork TCP:$GATEWAY_IP:2827 &
socat TCP-LISTEN:3456,fork TCP:$GATEWAY_IP:3456 &
...

Or perhaps better a loop.

I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998"
for i2p_port in $I2P_PORTS; do
   socat TCP-LISTEN:$i2p_port,fork TCP:$GATEWAY_IP:$i2p_port &
done
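As an added example (not code from this thread or from the anon-ws-disable-stacked-tor package), here is a POSIX sh version of the loop above that validates and deduplicates the port list before emitting the socat redirects, and prints them as a dry run instead of launching them. GATEWAY_IP is assumed to be provided by the environment that sources the snippet; the default used here is a constructed sample address.

```shell
#!/bin/sh
# Added example, not from the Whonix thread or the anon-ws-disable-stacked-tor
# package: check the I2P port list before generating socat redirects, so a typo
# in the config snippet is reported instead of silently skipping a port.

# Assumed to be set by the calling environment; constructed default for stand-alone runs.
GATEWAY_IP="${GATEWAY_IP:-10.152.152.10}"
I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998"

# valid_port PORT -> returns 0 if PORT is an integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# socat_redirect_cmds "PORT ..." -> prints one socat command per unique valid
# port (one per line); returns 1 if any entry in the list was invalid.
socat_redirect_cmds() {
  rc=0
  seen=" "
  for p in $1; do
    if ! valid_port "$p"; then
      echo "skipping invalid port '$p'" >&2
      rc=1
      continue
    fi
    # Skip a port that was already listed, so it is not bound twice.
    case "$seen" in *" $p "*) continue ;; esac
    seen="$seen$p "
    echo "socat TCP-LISTEN:$p,fork TCP:$GATEWAY_IP:$p"
  done
  return $rc
}

# Dry run: print the commands. To launch them as in the snippet above, pipe
# each line to a shell with a trailing '&' instead of echoing it.
socat_redirect_cmds "$I2P_PORTS"
```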

Since Whonix 13 I changed the instructions to use the FoxyProxy in Jessie’s repo because of better verification than installing it from the addon site.

Please see: 3. Install FoxyProxy

I see, haven’t checked it in a while, thanks for the update.
I will change the setup to incorporate that. (Hopefully this won’t change in the next update; maybe we should consider dropping FoxyProxy and replacing it with Privoxy or TransI2P: GitHub - rbif/transi2p: Transparent proxying for I2P and forwarding other addresses to Tor or clearnet.)
(Going to test this later.)

Will the port numbers for custom created service tunnels need to be added here also?

If you create one, yes. I’m thinking about shrinking that list as not all ports are needed, or making the user choose what he wants (e.g. all ports, just HTTP and mail, custom selection…).

What do you think about that?

Create [and later ship in anon-ws-i2p-router-config package] a file /etc/anon-ws-disable-stacked-tor/40_anon-ws-i2p-router-config.conf with the following contents:

Either explicitly…

Ah, I get it, thanks. Reminds me to rename the current scripts…

The problem with any caching proxy between TBB and I2P is it destroys the anti-fingerprinting benefits of Tor Browser. So foxyproxy is the best option.

The problem with any caching proxy between TBB and I2P is it destroys the anti-fingerprinting benefits of Tor Browser. So foxyproxy is the best option.

Is there a site/test where I can test that? Because I think TransI2P wouldn’t destroy those benefits.

You can test here: https://fpcentral.irisa.fr/

Please see also what TBB dev Arthur Edelstein says on this:

https://lists.torproject.org/pipermail/tor-dev/2016-June/011037.html

@Patrick where can I add this info?

You can test here: https://fpcentral.irisa.fr/

Thanks for the link

Please see also what TBB dev Arthur Edelstein says on this

I read it, but this shouldn’t be an issue with TransI2P (haven’t tested it though).

Another benefit of FoxyProxy is that it’s extensible. It allows access to many other networks/programs that are inaccessible with TBB otherwise.

EDIT:

@goldstein

Another important thing: fingerprint sites cannot detect the lack of stream circuit isolation, though this is a huge thing and makes the network behavior of affected TBB instances different from normal ones.

Another benefit of FoxyProxy is that it’s extensible. It allows access to many other networks/programs that are inaccessible with TBB otherwise.

True, I’m not dropping FoxyProxy, just looking for an alternative/fallback.

Edit:

Another important thing: fingerprint sites cannot detect the lack of stream circuit isolation, though this is a huge thing and makes the network behavior of affected TBB instances different from normal ones.

For Tor this may matter, for I2P it doesn’t. (I will keep that in mind though.)
In the end the user should decide what kind of setup he prefers:
e.g. easy/beginner mode: Tor and I2P with FoxyProxy, TBB etc…; advanced mode: I2P + VPN, or I2P only and everything else dropped…

Can you get me up to speed please on that topic? What is FoxyProxy needed for at all? So URLs typed into Tor Browser that end with .i2p are automatically redirected to I2P?

I don’t have an opinion on this topic yet.

One disadvantage of FoxyProxy is that it only works inside Tor Browser, not for the whole system, but I do not know if this is relevant.

I2P, as far as I know, does not use stream isolation.

Privoxy is not a caching proxy. (source: Miscellaneous)

I replied with some questions:
https://lists.torproject.org/pipermail/tor-dev/2016-August/011260.html

(I am not even sure Privoxy does filtering by default.)
(Traffic still flows through it and I dunno if that messes something up.)

Perhaps worth a different thread. Perhaps a separate wiki page called Privoxy?
http2socks is a useful feature that Privoxy has. Worth documenting?
The Tor Browser page could also use a stub recommending against Privoxy. TPO used to recommend Privoxy in the past, but that was a long time ago. Nowadays seldom anyone gets the idea of combining Tor with Privoxy. Generally a good idea to recommend asking/researching whether certain modifications, such as adding Privoxy to the mix, are a sane idea rather than assuming they can only make things better; perhaps worth adding to the Warning page or elsewhere.

Yes. All of these modes are interesting. Which end up being implemented / supported is up to the maintainers such as you implementing this one.


Transparent i2p sounds interesting. It has some search engine results.
Transparent Access to I2P eepSites - Grepular

I dunno if GitHub - rbif/transi2p: Transparent proxying for I2P and forwarding other addresses to Tor or clearnet. has any effect on the fingerprint. I could imagine that https://fpcentral.irisa.fr/ cannot catch all kinds of fingerprint issues.

What is GitHub - rbif/transi2p: Transparent proxying for I2P and forwarding other addresses to Tor or clearnet. doing in detail?

Btw, any solution not requiring IP forwarding is also to be preferred since it has a lower chance of leaks.

The point of using FoxyProxy is that it’s able to force localhost access in Tor Browser (which blocks that by default) and redirect domain names to multiple proxies at the same time, something plain iceweasel can’t do on its own. In summary: combine proxies with TBB’s fingerprinting defenses.

You don’t need foxyproxy for other programs to communicate with I2P on the WS. You simply set them to localhost and the port number to the one you assigned in the I2P tunnel settings.

For I2P on the GW you would use socat to redirect WS traffic to its respective tunnel port just as you would on the WS.

Yes

I’ll also add that I2P doesn’t have a dedicated TransProxy AFAIK. Any other applications besides web-browsing would need you to pick out a supporting tunnel transport type to be able to move a given program’s packets.

GitHub - rbif/transi2p: Transparent proxying for I2P and forwarding other addresses to Tor or clearnet. seems interesting for a very different reason. It’s an implementation of the idea I proposed for this topic: Block all traffic except some hidden addresses - #9 by assd

The only use case I can think of is to create some foolproof intranet infrastructure where services are hosted using Tor/I2P or to create some kiosk mode - assuming your users are completely clueless.

transi2p/rules.sh at master · rbif/transi2p · GitHub implies that I2P does have a TransPort.

_i2p_port=7679
#redirect all other output to i2p's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -d $_i2p_range -j REDIRECT --to-ports $_i2p_port

Hm. Nothing listed here:

https://geti2p.net/en/docs/ports

The closest thing is the SAM Bridge which seems application agnostic.

The closest thing is the SAM Bridge which seems application agnostic.

TransI2P uses the SAM Bridge.

I’ll also add that I2P doesn’t have a dedicated TransProxy AFAIK. Any other applications besides web-browsing would need you to pick out a supporting tunnel transport type to be able to move a given program’s packets

That’s what TransI2P is doing.

On the GW TransI2P can implement a whitelist feature that only allows localhost access so users don’t accidentally open eepsites there. IDK if all port ranges for 127.0.0.1 can be left open though.
