Re: [tor-talk] Tor and TBB Issues Needing Good Advice

[Andreas Krey <a.krey@xxxxxx>]

On Sun, 21 Jan 2018 09:13:29 +0000, Wanderingnet wrote:
> So far I have been unable to gain a working torrc and iptables setup for either tor, or, particularly, Tor Browser Bundle.

TBB works right out of the box. Dear casual reader, please don't be alarmed by this post.

> And believe me, I've read, searched and tried - alot. Funnily, many of the security advantages of using Tor are defeated by the need for heavy research

You fail to indicate what research is needed, and for that matter why.

...
> For examples, TBB does not run as a service as tor does,

Well yes, that is the point. TBB is something a user starts.

How do you want to run a browser in a service (and for that matter,
what even is a 'service' under unix)?

...
> 1. A clear explanation of how Linux solicits and maintains network connections, particularly with regard to public wifi negotiation.

How is that specific to tor?

> 3. A clear explanation of all required allowances in iptables, of Tor, including by port if possible, and including of addresses like those for LAN et al. NAT table routing has proven particularly challenging.

Wat? The only thing tor connects to are either some guards, or some
bridges, and at least for the former there is no way to predict what IP
addresses or ports they have.

The question is what you want to achieve with iptable rules regarding
tor. tor does only do outbound connections, and those are to unpredicable
addr/ports, and the question is what you want iptables to prevent. If you
have a good tor there is nothing to protect against, and if you somehow
got a subverted tor, it will not be as stupid as to use separate outbound
TCP connections for phoning home, but instead do that through tor.

So basically, while you could go on and download the consensus to find
out what addresses tor should be able to connect to, you can just as well
trust it do to exactly that.

> 4. A method for running TBB with custom torrc, observing the failure of default port specification (which is part of port securing in custom hashed passwords, etc.)

What do you mean with 'failure of default port specification'?

> 6. A walkthrough for advanced isolation methods like dedicated user accounts, which have so far proven impossible to run with TBB from a separate account,

Huh? Create separate account, run tbb there via 'ssh -X account .../tor-browser-me/Browser/start-tor-browser'?

> and network namespaces, which appear to be a potentially powerful isolation solution but which I have not seen adapted to this purpose yet, despite being considerably lighter than complete OS virtualisation/containers.

https://hub.docker.com/r/hkjn/tor-browser/

https://blog.jessfraz.com/post/running-a-tor-relay-with-docker/

...
> Any helpful advice would be appreciated.

It would also help to state in more detail what you want to achieve,
and what you want to guard against.

- Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk