Re: [tor-talk] EFF Tor Challenge
On Thursday 2 June, 2011 14:50:44 Martin Fick wrote:
> --- On Thu, 6/2/11, CACook@xxxxxxxxxxxxxxx <CACook@xxxxxxxxxxxxxxx> wrote:
>
> > For those interested, so far my best idea is running the
> > daemon in a VirtualBox VM running SELinux as guest, and
> > bridged to the outside. This should substantially
> > solve most problems except membership in the local
> > LAN.
>
> I don't think that this would make for a best practice,
> I think that a linux lxc should be encouraged instead,
> it is way more efficient.
I looked at containers in depth. They are simply not secure.
On Thursday 2 June, 2011 14:50:44 Martin Fick wrote:
> As for isolation, I think that a best practice
> should use iptable rules. But if you want to
> go the cheap hardware route, buy a $5/15 nic
> and add it to your box and plug that nic into
> your modem's DMZ port, most of them have one.
Goes without saying (although I should have said it), iptables for sure, blocking everything in and out except what is absolutely needed. I use a fine firewall called Shorewall, developed a couple blocks away from me actually.
Most ppl have consumer-grade routers; no DMZ port. Wish there was...