Running Tor service in the jail environment

M

Mr_Dragon

I want to torify my FreeBSD old machine purposed to mainly darknet activities.

Should I worry about these errors during creating jail?
Code: 
Warning: Some services already seem to be listening on all IP, (including 127.0.1.1)
  This may cause some confusion, here they are:
root     ntpd       58008 20 udp6   *:123                 *:*
root     ntpd       58008 21 udp4   *:123                 *:*
root     lpd        48726 6  tcp6   *:515                 *:*
root     lpd        48726 7  tcp4   *:515                 *:*
Warning: Some services already seem to be listening on IP 192.168.1.105
  This may cause some confusion, here they are:
root     ntpd       58008 23 udp4   192.168.1.105:123     *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.1.105)
  This may cause some confusion, here they are:
root     ntpd       58008 20 udp6   *:123                 *:*
root     ntpd       58008 21 udp4   *:123                 *:*
root     lpd        48726 6  tcp6   *:515                 *:*
root     lpd        48726 7  tcp4   *:515                 *:

Should jail have access to loopback interface and public Ethernet interface assuming that all traffic from this machine will be routed through Tor? Is it necessary to set up a virtual network interface to communicate between jails?
 
Some services, including ntpd(8), monitor network configuration changes and dynamically bind to all (existing and new) addresses and unbind from addresses gone. Other services bind to 0.0.0.0, or any address. Obviously this will cause problems if you try to run more than one such service -- on the host, and in jails -- in the same time. Their bindings will clash. You don't have to worry, as long as you know what you're doing.

If you need to run more than one such service you'll have to modify its configuration, so it is bound to (listens to) on a specific address only: host node's address, or jail's address.

But I don't know how tor service works, specifically how its traffic routing works.
 
Running a tor service in a jail is probably not a good idea because a jail has very limited access to the network stack of the host. It cannot change the routing table for example and if I recall correctly the same applies to virtual network devices (which cannot be created by the jail itself).

Such network routing services are best used on the host.
 
Tor is a proxy, it doesn't do any traditional TCP/IP routing. Which also means you can't use it to "hide" arbitrary TCP or UDP connections (you have to proxy your services through the Tor proxy).

Would it work in a jail? Probably. It's not going to be any different from running Squid in a jail for example.
 
Bobi B. said:
Some services, including ntpd(8), monitor network configuration changes and dynamically bind to all (existing and new) addresses and unbind from addresses gone. Other services bind to 0.0.0.0, or any address. Obviously this will cause problems if you try to run more than one such service -- on the host, and in jails -- in the same time. Their bindings will clash. You don't have to worry, as long as you know what you're doing.
Click to expand...

How do I prevent ntpd or lpd services running in the jails? How do I create subnet purposed to handle traffic inside the jails?

ShelLuser said:
Running a tor service in a jail is probably not a good idea because a jail has very limited access to the network stack of the host. It cannot change the routing table for example and if I recall correctly the same applies to virtual network devices (which cannot be created by the jail itself).
Click to expand...
I consider run Tor in the jail environment because I want to ensure system won't be compromised in case compromising Tor service.
 
Mr_Dragon said:
How do I prevent ntpd or lpd services running in the jails?
Click to expand...
Neither are started by default. So don't enable them. But besides that, most network daemons can be configured to listen on 1 or more specific IP addresses, tie that daemon to its specific jail IP address(es). You can usually find how to do that in the man pages. Sometimes you have to edit a configuration file, sometimes an additional flag in rc.conf is needed.

How do I create subnet purposed to handle traffic inside the jails?
Click to expand...
In exactly the same way as you would a create subnet on a "real" network. You pick a network range with an appropriate subnet mask and make sure it's unique within your network. Routing does the rest.
 
Running tor clients and relays in jails is easy to maintain and safe in function. FreeBSD offers an excellent environment with jails.

Mr_Dragon said:
Should jail have access to loopback interface and public Ethernet interface
Click to expand...
Code: 
# nano /etc/rc.conf # on host
cloned_interfaces="${cloned_interfaces} lo1"
ifconfig_lo1="inet  10.10.10.1/32"
jail_enable="YES"
jail_list="jailfoo"

assuming that all traffic from this machine will be routed through Tor?
Click to expand...
What do want to reach? Check your motivation. 'All' traffic including host ntp, freebsd-update etc is may-be not the best idea.
You read about tor people recommendations?

Is it necessary to set up a virtual network interface to communicate between jails?
Click to expand...
See above.


ShelLuser said:
Such network routing services are best used on the host.
Click to expand...
You can run lots of tor clients or relays each in its own jail.


Remington said:
You should use Vimage or Bhyve if you don't want Tor on the host.
Click to expand...
No need. Just bare jails are fine.
Code: 
# nano /etc/jail.conf # host
jailfoo {
        host.hostname = "hostfoo";
        interface = lo1;
        ip4.addr = 10.10.10.1;
        path ="/usr/jail/jailfoo";
        mount.devfs;
        devfs_ruleset = "3";
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
}

SirDice said:
Would it work in a jail? Probably.
Click to expand...
Works like a charme. pf rdr for relays. pf nat for relays and clients.


Mr_Dragon said:
How do I prevent ntpd or lpd services running in the jails? How do I create subnet purposed to handle traffic inside the jails?
Click to expand...
A jail is a subsystem in your case for the tor daemon. No need to run other daemons there.
Code: 
# jexec jailfoo cat /etc/rc.conf # in jail
network_interfaces=""
rpcbind_enable="NO"
cron_flags="$cron_flags -J 15"
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
sshd_enable="NO"
ntpd_enable="NO"
tor_enable="YES"

I consider run Tor in the jail environment because I want to ensure system won't be compromised in case compromising Tor service.
Click to expand...
+1

I hope that helps. And please think twice before feeling safe in what can be reached in the proxy world. Have fun :)

PS: Forgive me, quotes are not my strength.
 
jbo said:
Would you mind sharing a corresponding pf configuration snipped as a starting point for people coming along this in the future?
Click to expand...
I really wish that freezebee had responded that.

If OP let me, I want to steal this thread to question about tor-browser inside a jail? it is possible?
 
You must log in or register to reply here.
Back
Top