CJ:
> On 07/25/2014 09:24 AM, isis wrote:
> > CJ transcribed 2.5K bytes:
> >>
> >> On 07/24/2014 03:54 PM, u wrote:
> >>> CJ:
> >>>> On 07/24/2014 01:23 PM, u wrote:
> >>>>> Lunar:
> >>>>>> CJ:
> >>>>>>> Just a small announcement (not sure if this is the right ML, sorry).
> >>>>>>> I'm developing an Android app allowing to block all IP traffic, and
> >>>>>>> force only selected apps through Orbot.
> >>>>>>> This is done because neither Orbot nor AFWall (or other free, open-source
> >>>>>>> Android iptables management interfaces) seem to be able to do that…
> >>>>>> Orbot is free software. Isn't there a way to add the needed features
> >>>>>> directly to it?
> >>>>>>
> >>>>>> Sorry if it's a naive question, I'm not very knowledgeable regarding
> >>>>>> Android. But I know that asking our users to install 3 different apps or
> >>>>>> even more is not friendly.
> >>>>> AFAIK this works in Orbot if you have a rooted Android device.
> >>>> Not the "block all other output" part in fact :)
> >>> That said, I am also interested in your answer to Lunar's question :)
> >>> Why not contribute to Orbot instead?
> >>>
> >>> Cheers!
> >> It's possible I push some pull-request later, yes.
> >> But, as said in some previous email, I'm not really sure it's Orbot's job
> >> to set up a firewall… I rather prefer a dedicated app for a dedicated task…
> >> Orbot's main task is, for me, connecting to the Tor network… Basically, this
> >> just doesn't involve the firewall at all.
> >>
> >> But yeah, I know, users like "all-in-one apps"… who knows, once
> >> torrific is ready (i.e. no more broken rules, no more bugs like "craps,
> >> network's broken")… the devs may get some PR ;).
> >> Torrific is also, for me, a way to play with Android without annoying
> >> other applications.
> >>
> >> To be honest, I'd rather contribute this function to AFWall than Orbot,
> >> as it already is a firewall manager (and not a bad one).
> >>
> >> Cheers,
> >>
> >> C.
> >
> > I agree that this should be done outside Orbot, for several reasons that I'm
> > not going to get dragged into again. And FWIW, Mike's blog post on Android
> > security specifically recommends setting up DroidWall (a similar AOS
> > iptables-based firewall app) with some bash scripts to log and deny all leaky
> > traffic from Orbot.
> >
> > My primary concern would be regarding whether Torrific's iptables rules are
> > applied ASAP after Orbot starts Tor, and I actually can't recommend anything
> > there (short of building a new initramfs which enforces starting the firewall
> > from there, early during the boot process).
>
> torrific works with an init-script blocking all the traffic… same way
> droidwall or afwall are working, same problem with older android versions.
> torrific starts on boot, maybe earlier than orbot, which is a good
> thing. it also uses orbot's uid (as well as the app uid) in order to set the
> redirects and allow orbot to go out.
>
> >
> > DroidWall already has a mechanism for running user-specified scripts at
> > startup... Perhaps the most portable way to do what you're trying to do would
> > be to add a similar script-sourcing mechanism to AFWall? Then you could simply
> > maintain a repo of startup scripts which (hopefully) work for any Android
> > firewall app which supports this mechanism.
>
> problems with handmade scripts: how to catch the app uid automatically?
> that's not user-friendly. Not at all…
> That was the first version of this app: an init-script, a "lib" written
> in shell, and a script applying the rules, using a shell array as source
> for application information.

FWIW, in the shell scripts in my howto[1], I do this UID detection in shell
with dumpsys. Here's an example script:
https://people.torproject.org/~mikeperry/android-hardening/android-firewall/firewall-allow-linphone-udp.sh

The userinit problem I solved in a Cyanogenmod-specific way (I think).
Cyanogenmod has a special init script location in /data/local/userinit.sh. For
extra fun, I think it supports that instead of more standard Android
init-scripts, because the AFWall+ startup script hack does not work on my
devices. That's the main reason I created this userinit hack:
https://people.torproject.org/~mikeperry/android-hardening/android-firewall/userinit.sh

> the app I've done lists the installed application requesting network
> access, you just have to check those you're wanting to allow network
> access and they are forced through orbot :).

That LinPhone example script above also has another neat feature that I wish
were available by default in a firewall app such as this. It allows only the
UDP activity of LinPhone to bypass the Tor proxy. This means I can make
TLS+SIP+ZRTP calls where the call setup and signaling goes over Tor, but
encrypted voice and video data goes directly peer-to-peer over UDP.

I recognize the UI for supporting this in the general case is a bit tricky to
create without a lot of clutter, and it's questionable if you want to expose
this ability for all apps (because for non peer-to-peer apps it can mean
deanonymization to a central server). However, for this specific case it is
very handy, at least until Tor is performant enough to support live,
unbuffered voice+video data.

1. https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

--
Mike Perry
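The two techniques discussed in this thread, uid detection with dumpsys and a per-uid iptables policy with a UDP-only bypass for a voice app, as an added example that is not part of the thread and not Torrific's, AFWall's or Mike's own scripts. It assumes Orbot's default TransPort 9040 and DNSPort 5400; the package names and uids are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Torrific's, AFWall's or Mike's code). Assumes Orbot's
# default TransPort 9040 and DNSPort 5400; package names are placeholders.
TRANS_PORT=9040
DNS_PORT=5400

# Extract the numeric uid from `dumpsys package <pkg>` output read on stdin;
# the output carries a line such as "    userId=10123".
uid_from_dumpsys() {
  sed -n 's/^[[:space:]]*userId=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Live-device lookup (needs root and dumpsys; not exercised offline).
app_uid() {
  dumpsys package "$1" | uid_from_dumpsys
}

# Print an OUTPUT-chain policy: Orbot's uid may leave directly, the torified
# uid is transparently redirected into Orbot (DNS to DNSPort, TCP to
# TransPort), an optional third uid may send non-DNS UDP directly (the
# LinPhone media case), and anything else is logged and dropped so leaks
# show up in dmesg/logcat rather than on the wire.
firewall_rules() {
  orbot_uid=$1; target_uid=$2; udp_bypass_uid=$3
  cat <<EOF
iptables -t nat -F OUTPUT
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $orbot_uid -j ACCEPT
iptables -t nat -A OUTPUT -m owner --uid-owner $target_uid -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -m owner --uid-owner $target_uid -p tcp -j REDIRECT --to-ports $TRANS_PORT
EOF
  if [ -n "$udp_bypass_uid" ]; then
    echo "iptables -A OUTPUT -m owner --uid-owner $udp_bypass_uid -p udp ! --dport 53 -j ACCEPT"
  fi
  echo 'iptables -A OUTPUT -j LOG --log-prefix "leak: "'
  echo "iptables -A OUTPUT -j DROP"
}

# On a rooted device the rule set would be applied like this (placeholder
# package names):
#   firewall_rules "$(app_uid org.torproject.android)" \
#     "$(app_uid org.example.torified)" "$(app_uid org.example.voip)" | sh
```

Redirected TCP and DNS leave through lo and are accepted there; the torified uid's other UDP has no Tor path, so it reaches the LOG rule and is dropped, which is exactly the leak the log prefix is meant to surface.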
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk