From: Shawn Webb
To: Hubert Hauser
Cc: freebsd-hackers@freebsd.org
Subject: Re: Running Tor service in the jail environment
Date: Tue, 11 Dec 2018 11:54:40 -0500

On Tue, Dec 11, 2018 at 01:41:50AM +0000, Hubert Hauser wrote:
> I want to torify my FreeBSD old machine purposed to mainly darknet
> activities.
>
> Should I worry about these errors during creating jail?
>
> |Warning: Some services already seem to be listening on all IP,
> (including 127.0.1.1) This may cause some confusion, here they are:
> root ntpd 58008 20 udp6 *:123 *:*
> root ntpd 58008 21 udp4 *:123 *:*
> root lpd 48726 6 tcp6 *:515 *:*
> root lpd 48726 7 tcp4 *:515 *:*
> Warning: Some services already seem to be listening on IP 192.168.1.105
> This may cause some confusion, here they are:
> root ntpd 58008 23 udp4 192.168.1.105:123 *:*
> Warning: Some services already seem to be listening on all IP,
> (including 192.168.1.105) This may cause some confusion, here they are:
> root ntpd 58008 20 udp6 *:123 *:*
> root ntpd 58008 21 udp4 *:123 *:*
> root lpd 48726 6 tcp6 *:515 *:*
> root lpd 48726 7 tcp4 *:515 *:|
>
> Should jail have access to loopback interface and public Ethernet
> interface assuming that all traffic from this machine will be routed
> through Tor? Is it necessary to set up a virtual network interface to
> communicate between jails?

I wouldn't use a jail for that. Take a look at this article I wrote
about how to use Tor in the manner you're looking for:

https://github.com/lattera/articles/blob/master/infosec/tor/2017-01-14_torified_home/article.md

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE