Re: Question: Hidden Services, Virtual Machines, and iptables
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Question: Hidden Services, Virtual Machines, and iptables
- From: Ringo <2600denver@xxxxxxxxx>
- Date: Wed, 08 Jul 2009 01:38:52 -0400
- In-reply-to: <4ef5fec60907072203u711d48e8hb9f79e3a54b0a701@xxxxxxxxxxxxxx>
- References: <4A53F223.8050304@xxxxxxxxx> <4ef5fec60907072203u711d48e8hb9f79e3a54b0a701@xxxxxxxxxxxxxx>
That's a good solution, but it sounds like it would take lots of
memory/cpu, especially if you're running both of these VMs from an
encrypted partition. If a serious exploit was found in Tor (or
implemented in Tor), it would still be able to break out of the main VM,
but at least it still wouldn't have a real IP address.
I still feel like there's got to be a simpler way to do this.
Ringo
coderman wrote:
> On Tue, Jul 7, 2009 at 6:10 PM, Ringo <2600denver@xxxxxxxxx> wrote:
>> ...
>> One could.. run Tor inside the vm and have that torrc contain the
>> instructions for the hidden service. The problem then, is that the vm
>> has to access the web. ...
>>
>> Of course, one could always run a hidden service on the host machine and
>> then redirect all traffic to the vm, but the pitfalls in this are
>> obvious....
>> Does anybody have any solutions to this dilemma or thoughts on ways to
>> restructure the model so this isn't a problem?
>
> in such a configuration i prefer to use two virtual machines.
>
> one vm has host-only networking to serve hidden service content.
>
> second vm hosts Tor router with hidden service pointed at vm host.
>
> host uses iptables redirect and/or tcp proxy to connect hidden service
> connections from Tor VM to hidden service VM port at host-only
> endpoint.
>
> (there are variations on this theme...)
>
> best regards,
>
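As an added example (not code from the thread, from coderman, or from the Tor project), here is what the host side of the two-VM layout coderman describes can look like with iptables: the Tor VM's torrc points the hidden service at the host's host-only address, and the host rewrites those connections to the content VM on the same host-only network. The interface name, addresses and ports are constructed assumptions; the matching torrc line in the Tor VM would be `HiddenServicePort 80 192.168.56.1:80`.

```shell
#!/bin/sh
# Added example for the two-VM hidden service layout (Tor router VM -> host -> content VM).
# Everything below the comment block is an assumption constructed for this example.
set -eu

HOST_IF=vboxnet0            # host-only interface on the host
HOST_IP=192.168.56.1        # host's address on the host-only network
TOR_VM=192.168.56.10        # Tor router VM (its second NIC reaches the Tor network)
HS_VM=192.168.56.20         # content VM, host-only NIC only
FRONT_PORT=80               # port HiddenServicePort in the Tor VM points at on HOST_IP
HS_PORT=8080                # port the content VM actually listens on

# Each function emits its rule(s) as text so the set can be reviewed, or checked
# in a test, before anything is handed to the kernel.

# Only the Tor VM may reach the front port on the host; rewrite the destination
# to the content VM.
dnat_rule() {
    printf '%s\n' "-t nat -A PREROUTING -i $HOST_IF -s $TOR_VM -d $HOST_IP -p tcp --dport $FRONT_PORT -j DNAT --to-destination $HS_VM:$HS_PORT"
}

# The DNATed packet leaves on the interface it arrived on (hairpin). Without this
# SNAT the content VM would answer the Tor VM directly on the shared subnet, the
# reply would bypass the host's conntrack table, and the connection would never
# complete.
snat_rule() {
    printf '%s\n' "-t nat -A POSTROUTING -o $HOST_IF -s $TOR_VM -d $HS_VM -p tcp --dport $HS_PORT -j SNAT --to-source $HOST_IP"
}

# Forward exactly the redirected flow and its replies; anything else the content
# VM tries to push through the host is dropped, so it keeps no route to the
# outside even if the service on it is compromised.
forward_rules() {
    printf '%s\n' "-A FORWARD -i $HOST_IF -o $HOST_IF -s $TOR_VM -d $HS_VM -p tcp --dport $HS_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $HOST_IF -o $HOST_IF -s $HS_VM -d $TOR_VM -p tcp --sport $HS_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $HS_VM -j DROP"
}

# Print the full rule set as iptables invocations for review.
print_rules() {
    { dnat_rule; snat_rule; forward_rules; } | while IFS= read -r rule; do
        printf 'iptables %s\n' "$rule"
    done
}

# Install the rules (needs root). Forwarding must be on for the hairpin to work.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    { dnat_rule; snat_rule; forward_rules; } | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule string into arguments is intended
        iptables $rule
    done
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     print_rules ;;
esac
```

Run it with no arguments to see the rules it would install, and with `apply` as root to install them. The content VM ends up reachable only through the Tor VM, and only on the one port, which is the property the layout is after: a break-out on the content side still leaves an attacker on a host-only network with no route to the real interface.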