
Re: Jailed/sandboxed/chrooted applications

On Fri, Jan 02, 2009 at 01:04:38PM -0500, Adlesshaven wrote:
> Fabian Keil wrote:
> > Adlesshaven <adlesshaven@xxxxxxxxxxxxxx> wrote:
> >
> >> Does anyone here jail, sandbox or chroot the applications they use with Tor?
> >
> > I'm running Tor and Privoxy in FreeBSD jails; Xorg applications
> > (which probably pose a bigger threat) are running on the host
> > system, though.
> >
> >> I have been trying to adapt the Wiki's transparent proxy recommendations
> >> to a FreeBSD jail for the last couple weeks with no luck.
> >
> > I wrote about trans-proxy-tor running in a FreeBSD jail at:
> > http://www.fabiankeil.de/blog-surrogat/2006/06/15/jail-experimente-mit-ezjail.html
> >
> > The text is in German but the only thing that really matters is
> > the /etc/devfs.rules example to make /dev/pf visible in the jail.
> >
> > Nowadays I use Tor's TransPort option instead of trans-proxy-tor,
> > but the configuration is pretty much the same.
> >
> > Fabian
> >
> Interesting. You used pretty much the reverse of what I was doing.
> My process is something like:
> 1. Set up a jail with sshd
> 2. Install xauth, firefox, thunderbird, etc. in the jail
> 3. Set up ssh outside the jail to be able to connect to the jail
>    and have X connections forwarded
> 4. Set up PF to forward all connections to Tor's TransPort,
>    which is on the host system
> 5. Use ssh to start a program, e.g. firefox, and it appears
>    on the host system's desktop
> What I am having trouble with is step 4. It *looks* like PF
> is working fine, but Tor doesn't see the traffic to the TransPort.
> I think I have just been designing the firewall rules stupidly.
> The Tor Wiki gives a different scenario so it isn't too helpful.

please see:
handling a similar approach.

With FBSD, Tor needs rw on /dev/pf for this to work,
apart from all the necessary settings in pf.conf.
(As you do rdr, maybe an anchor in the appropriate positions
would be good; if it works without, even better.)
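The configuration the thread is circling around, written out as an added example that is not from the thread, from Tor, or from any of the posters: the torrc lines, a pf anchor for an application jail whose traffic is redirected to Tor's TransPort on the host (Adlesshaven's setup, step 4), and the devfs ruleset for the variant where Tor itself lives in a jail and needs /dev/pf (Fabian's setup, and the rw remark above). The addresses (192.0.2.x), the interface name em0, the anchor name, the ruleset number and the `_tor` group are constructed; the `route-to lo0` step rests on an assumption about pf's rdr semantics that is spelled out in the comments.

```shell
#!/bin/sh
# Added example for the setup discussed in the thread: applications in a
# non-VIMAGE FreeBSD jail (shares the host network stack), Tor's TransPort
# on the host, pf doing the redirection. Not from the thread or from Tor;
# all addresses and names are constructed. Assumptions are marked ASSUMPTION.
set -eu

EXT_IF="em0"          # host interface carrying the jail's IP alias (constructed)
HOST_IP="192.0.2.1"   # host address Tor listens on (constructed)
JAIL_IP="192.0.2.2"   # application jail address (constructed)
TRANS_PORT="9040"
DNS_PORT="9053"
ANCHOR="tor-jail"     # constructed anchor name

# torrc lines for the host. Tor must listen on an address the jail can reach:
# inside a non-VIMAGE jail, 127.0.0.1 is mapped to the jail's own IP, so a
# TransPort bound only to 127.0.0.1 is unreachable from the jail.
torrc_fragment() {
    cat <<EOF
TransPort ${HOST_IP}:${TRANS_PORT}
DNSPort ${HOST_IP}:${DNS_PORT}
EOF
}

# pf anchor for the application jail. ASSUMPTION (the point "step 4" turns
# on): FreeBSD's pf evaluates rdr for inbound packets only, so traffic the
# jail originates, which leaves via $EXT_IF outbound, never matches an
# "rdr on $EXT_IF" rule even though pfctl shows the rule loaded. The rules
# below therefore route the jail's packets to lo0 first, where they re-enter
# inbound and the rdr on lo0 can catch them.
tor_anchor_rules() {
    cat <<EOF
# addresses that must never be redirected (the host, and the jail talking to itself)
table <local> { ${HOST_IP}, ${JAIL_IP} }

# translation rules (pf requires these before the filter rules)
rdr pass on lo0 inet proto tcp from ${JAIL_IP} to !<local> -> ${HOST_IP} port ${TRANS_PORT}
rdr pass on lo0 inet proto udp from ${JAIL_IP} to !<local> port 53 -> ${HOST_IP} port ${DNS_PORT}

# filter rules: bounce the jail's TCP and DNS through lo0, drop everything else
pass out quick on ${EXT_IF} route-to lo0 inet proto tcp from ${JAIL_IP} to !<local>
pass out quick on ${EXT_IF} route-to lo0 inet proto udp from ${JAIL_IP} to !<local> port 53
block drop out quick on ${EXT_IF} from ${JAIL_IP} to any
EOF
}

# devfs ruleset for the other layout, Tor itself inside a jail: Tor needs
# /dev/pf in the jail, writable, to look up each redirected connection's
# original destination. Attach it with jail_<name>_devfs_ruleset in rc.conf.
# ASSUMPTION: the host has a _tor group; ruleset number 10 is constructed.
tor_jail_devfs_rules() {
    cat <<'EOF'
[devfsrules_jail_tor=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path pf unhide
add path pf group _tor mode 0660
EOF
}

# Load the anchor (run as root on the host). The main pf.conf must carry
#   rdr-anchor "tor-jail"   in its translation section and
#   anchor "tor-jail"       in its filter section, ahead of any general "pass out".
load_anchor() {
    tor_anchor_rules | pfctl -a "${ANCHOR}" -f -
}

# The two checks for "pf looks fine but Tor sees nothing": is Tor listening on
# the address the jail can reach, and do the rdr rules on lo0 get evaluations?
check() {
    sockstat -4l | grep -E "tor.*${HOST_IP}:(${TRANS_PORT}|${DNS_PORT})" \
        || echo "Tor is not listening on ${HOST_IP}"
    pfctl -a "${ANCHOR}" -s nat -v    # per-rule Evaluations/Packets counters
}

case "${1:-}" in
    apply) load_anchor ;;
    check) check ;;
    *)     tor_anchor_rules ;;        # default: print the rules for review
esac
```

Run it with no argument to review the generated anchor, `apply` to load it, and `check` afterwards: an rdr rule whose Evaluations counter stays at zero is never being reached, which is the symptom the thread describes, and points at the packets still leaving outbound on the external interface rather than re-entering on lo0.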