Hello everybody.
I am a Qubes user and I am writing on the forum because today I’ve played a bit with Corridor, following the documentation published on the Whonix wiki.
Everything seems to work very well. I did all the required tests and the results were those expected. First, I tried with an “untrusted” VM: traffic in the clear was blocked - and logged by iptables - while Tor Browser was running perfectly. Then I set sys-corridor as NetVM for sys-whonix: again, everything was fine.
Anyway, I would like to ask a couple of clarifications.
- In the Whonix tutorial it is suggested to create a standalone ProxyVM for sys-corridor. I did it, and this worked for me. However, once I had set everything up, I saw that rustybird’s suggestion was instead to use a simple non-standalone ProxyVM for this purpose.
In dom0:

    qvm-create --proxy --template your-template --label blue corridor-gateway
    qvm-service --enable corridor-gateway corridor

I’ve also tried and tested this option and everything seems to work fine as well. I was wondering if there are particular reasons (maybe security related) why Whonix suggests using a standalone template.
- In order to check if corridor was working or not, I’ve launched in sys-corridor the following commands.

    sudo systemctl status corridor-data
    sudo systemctl status corridor-init-forwarding
    sudo systemctl status corridor-init-snat
    sudo systemctl status corridor-init-logged

The outputs of the first three are fine (“Status active”), whereas the last one returns:

    Aug 03 20:26:13 sys-corridor corridor-init-logged[705]: corridor_logged updated.
    Aug 03 20:26:13 sys-corridor systemd[1]: Started corridor’s logging.
    Hint: Some lines were ellipsized, use -l to show in full.
    user@sys-corridor:~$ sudo systemctl -l status corridor-init-logged
    ● corridor-init-logged.service - corridor’s logging
       Loaded: loaded (/lib/systemd/system/corridor-init-logged.service; enabled)
      Drop-In: /lib/systemd/system/corridor-init-logged.service.d
               └─qubes-service.conf, qubes.conf
       Active: inactive (dead) since Wed 2016-08-03 20:26:13 IST; 51min ago
      Process: 705 ExecStart=/usr/sbin/corridor-init-logged (code=exited, status=0/SUCCESS)
     Main PID: 705 (code=exited, status=0/SUCCESS)
    Aug 03 20:26:13 sys-corridor corridor-init-logged[705]: corridor_logged updated.
    Aug 03 20:26:13 sys-corridor systemd[1]: Started corridor’s logging.

Why is the status of this process marked as “Inactive (dead)”?
In rustybird’s documentation I read:

    # Log attempted leaks from selected clients.
    # This command will block until corridor_relays gets populated!
    corridor-init-logged

But if I run

    sudo ipset list corridor_relays

I can see that my corridor_relays is actually populated.
I am a bit confused about this.
Sorry in advance for the (likely) naive questions and thanks for your time.
minimal
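
One way to read the pasted status text mechanically, as an added example that is not part of the original post or of corridor: the hypothetical helper `classify_status` separates a unit whose process ran and exited with status 0 (what the `Main PID` line in the post records) from one that failed or has no recorded exit. The second sample input is constructed.

```shell
#!/bin/sh
# Added example: classify a unit from the text printed by `systemctl status`.
# classify_status is a hypothetical helper, not part of corridor or Qubes.

classify_status() {
    # Flatten first: the Process/Main PID detail may wrap onto the next line.
    flat=$(printf '%s' "$1" | tr '\n' ' ')
    state=$(printf '%s\n' "$flat" | sed -n 's/.*Active: *\([a-z]*\) .*/\1/p')
    sub=$(printf '%s\n' "$flat" | sed -n 's/.*Active: *[a-z]* (\([^)]*\)).*/\1/p')
    code=$(printf '%s\n' "$flat" |
        sed -n 's|.*Main PID: [0-9]* (code=exited, *status=\([0-9]*\)/.*|\1|p')
    case "$state/$sub" in
        active/running)  echo running ;;
        active/exited)   echo active-exited ;;
        inactive/dead)
            # "dead" alone is ambiguous; the recorded exit status decides.
            case "$code" in
                0)  echo ran-and-exited-0 ;;
                '') echo not-run-or-stopped ;;
                *)  echo exited-nonzero ;;
            esac ;;
        failed/*)        echo failed ;;
        *)               echo unknown ;;
    esac
}

# Status text from the post above (wrapped lines kept as pasted).
POST_STATUS='Loaded: loaded (/lib/systemd/system/corridor-init-logged.service;
enabled)
Active: inactive (dead) since Wed 2016-08-03 20:26:13 IST; 51min ago
Process: 705 ExecStart=/usr/sbin/corridor-init-logged (code=exited,
status=0/SUCCESS)
Main PID: 705 (code=exited, status=0/SUCCESS)'

# Constructed sample of a failing unit, for contrast.
FAILED_STATUS='Active: failed (Result: exit-code) since Wed 2016-08-03 20:26:13 IST
Main PID: 705 (code=exited, status=1/FAILURE)'

classify_status "$POST_STATUS"     # ran-and-exited-0
classify_status "$FAILED_STATUS"   # failed
```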