[nycbug-talk] pfsense and tor

fastgoldfish at gmail.com fastgoldfish at gmail.com
Wed Jul 3 04:34:55 EDT 2013


It looks like the 8.1 version of FreeBSD packages contains an outdated
version of Tor, so I just changed my setenv to this to get the
maintained 8.3 packages:

setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/

I installed Tor from that, and nothing bad happened.

On Tue, Jul 2, 2013 at 11:42 PM, fastgoldfish at gmail.com
<fastgoldfish at gmail.com> wrote:
> There is a bug in pfSense. I haven't figured out how to report it yet,
> but here's the one-liner command I used to fix it:
>
> setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> Then you can run pkg_add normally, like this:
>
> pkg_add -r tor
>
> or even better:
>
> pkg_add -v -r tor
>
> The problem was that there are no packages for FreeBSD 8.1 in the
> usual location where we would expect to find them, and where pfSense
> looks and fails to retrieve the Tor package. You can see for yourself
> that there's nothing for 8.1:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/
>
> I did some looking around, and I found 8.1's packages here:
>
> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> So, to make pkg_add look there instead, I just did this (which I
> mentioned at the beginning of this post):
>
> setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> I'm surprised such a fundamental problem hasn't been noticed before.
> Maybe it has been noticed before, but there's no way to report the
> bug, and so nobody bothered to fix it. That meant that only the
> experienced users would be able to solve the problems themselves, and
> newcomers like me would have to debug it and come up with a solution
> from scratch. Voila! :)
>
> On Thu, Jun 27, 2013 at 10:13 PM, fastgoldfish at gmail.com
> <fastgoldfish at gmail.com> wrote:
>> Enter an option: 8
>>
>> [2.0.3-RELEASE][root at pfSense.localdomain]/root(1): pkg_add -r tor
>> Error: Unable to get
>> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz:
>> File unavailable (e.g., file not found, no access)
>> pkg_add: unable to fetch
>> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz'
>> by URL
>> [2.0.3-RELEASE][root at pfSense.localdomain]/root(2): pkg_add -r tor-devel
>> Error: Unable to get
>> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz:
>> File unavailable (e.g., file not found, no access)
>> pkg_add: unable to fetch
>> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz'
>> by URL
>> [2.0.3-RELEASE][root at pfSense.localdomain]/root(3):
>>
>> Darn, I was hoping that would work.
>>
>> Whonix is quite a bit different from the other similar efforts.
>> adrelanos seems to have found the magic balance between keeping it
>> simple, and making it eminently effective. He has delivered a finished
>> product that actually works, and works very well. It is able to
>> survive a root-job without losing anonymity, in some circumstances. I
>> have watched many other ideas come and go, and none of them reached
>> the level of usability and common-sense simplicity that Whonix has. I
>> think that might be merely because it is an idea whose time has come.
>>
>> adrelanos is investigating the possibility of building his next
>> version of the Whonix Gateway on pfSense. I'm not sure whether he'll
>> do that or not, but I think I've gotten his attention focused on
>> pfSense based on just a few of its many advantages that I'm aware of.
>> One thing that has kept Whonix on Debian is its wide usage. From the
>> point of view of adrelanos, he thinks that gives Debian more "peer
>> review" for bugs and other flaws.
>>
>> Based on what I've learned about pfSense in this discussion, I think
>> pfSense is probably better even in the popularity contest comparison
>> because it's simpler and more specialized. That makes it an
>> apples-to-oranges comparison with a general purpose system (Debian),
>> and a refined network-specialist system (pfSense). pfSense is destined
>> to come out on top in that kind of a comparison.
>>
>> And, like you said, the 100,000+ pfSense installs make it much more
>> likely that Tor will be used on a significant fraction of them.
>>
>> As best I can tell, it looks to me that pfSense can be used to force
>> Tor as the only way in or out of a network by setting up a static
>> route. The LAN interface is routed to Tor, and Tor is routed to the
>> WAN interface. That's essentially what the Whonix Gateway does, after
>> stripping out all of the superfluous unnecessary stuff from Debian, if
>> I understand it correctly.
>>
>> For that use case, it would be nice to have a checkbox for "Isolate
>> LAN on Tor" which sets up the routing, perhaps with a brief guided
>> configuration step. From there, an entire network of machines and all
>> of their applications, can be forcibly Torified such that none of the
>> machines and applications on the LAN are aware of the public IP of the
>> WAN, and so they cannot leak it, even if they get rooted. Then, users
>> can happily use Flash, JavaScript, and all the other things they want,
>> with the benefits of Tor that suit their use cases. There are several
>> very different use cases that need to be spelled out so people
>> understand what they're getting and what they're not getting.
>>
>> Finally, there's the very important ability to set up dedicated
>> bridges, relays, and exits in a straightforward way, such that anyone
>> running pfSense is ready to go. That will be very exciting, especially
>> because it opens up the possibility of ISPs contributing to the Tor
>> infrastructure, and maybe also offering their clients access to the
>> Tor network with little or no configuration on the client's part. The
>> clients would still need a solid understanding of what Tor can and
>> can't do for them, but once educated, they'll be able to benefit from
>> the advantages Tor can give them, while avoiding the pitfalls in
>> realms where Tor is unsuited.
>>
>>
>>
>> On Thu, Jun 27, 2013 at 9:05 PM, George Rosamond
>> <george at ceetonetechnology.com> wrote:
>>> fastgoldfish at gmail.com:
>>>> I found this, which looks to be straightforward:
>>>>
>>>> http://doc.pfsense.org/index.php/Developing_Packages
>>>>
>>>> I don't understand all that's going on with that. Does anyone know if
>>>> there's a "hello world" package to play with? I couldn't find one.
>>>>
>>>
>>> 'hello world' for pfSense packages??   woah.
>>>
>>> More inline below.
>>>
>>>> On Wed, Jun 26, 2013 at 7:09 PM, fastgoldfish at gmail.com
>>>> <fastgoldfish at gmail.com> wrote:
>>>>> I sent a message to adrelanos, the person developing the Whonix
>>>>> system, to make him aware of this discussion. I think pfSense may have
>>>>> the potential to provide a much more powerful and flexible replacement
>>>>> for the Whonix Gateway. pfSense could be used to serve needs that the
>>>>> Whonix Gateway currently is not designed for, but pfSense can still
>>>>> serve the very narrow set of use cases that the Whonix system is
>>>>> currently the best tool for.
>>>
>>> I don't know a lot about Whonix, but I do know a bit about other similar
>>> projects, and most have stopped moving forward in any real way.
>>>
>>> pfSense has huge advantages as a platform over these other systems:
>>>
>>> 1.  it has a significant install base that they don't
>>>
>>> 2.  pfsense didn't try to be all things to all people when it launched,
>>> but it has scaled to do more in time, as appropriate, with a solid
>>> framework.
>>>
>>>>>
>>>>> Beyond that, pfSense can do things that we haven't even thought of
>>>>> yet. One thing I've discussed with adrelanos is a Tor-friendly ISP
>>>>> that could provide a Tor gateway that will forcibly torify all
>>>>> communications. Some other very important use cases are:
>>>>>
>>>>> * Making it easy for someone to conceal the location of a Tor hidden
>>>>> service, even if it gets rooted (which Whonix theoretically could do).
>>>>>
>>>>> * Making it easy for someone to run a Tor relay or bridge.
>>>>>
>>>>> And more!
>>>>>
>>>>> On Wed, Jun 26, 2013 at 3:57 PM, Brian Callahan <bcallah at devio.us> wrote:
>>>>>> On 06/26/13 15:45, badon wrote:
>>>>>>>
>>>>>>> The mention of PBI's is interesting, because I just installed PCBSD too,
>>>>>>> and I think that's what PCBSD uses.
>>>>>>
>>>>>>
>>>>>> Makes sense, as both are based off FreeBSD ;-) The PBI is a PCBSD invention,
>>>>>> but afaik the framework (though not necessarily the individual PBI packages)
>>>>>> will work on any FreeBSD-based system, including vanilla FreeBSD.
>>>>>>
>>>>>>
>>>>>>> There is already a PBI in PCBSD, but I'm not sure if that's suitable for
>>>>>>> Pfsense or not.
>>>>>>
>>>>>>
>>>>>> I would say "probably not" to this. But the mechanism for generating a
>>>>>> suitable PBI for pfsense should be similar if not identical to PCBSD (if you
>>>>>> know how to do that).
>>>>>>
>>>>>> Otherwise - consider this a bump to George for making a pfsense Tor PBI :)
>>>
>>> So, yeah, this has been on my list for a while, and I know there's
>>> interest in it.
>>>
>>> I will be looking at it more seriously in the next week or so.  In the
>>> meantime, try going to the pfsense shell and typing "pkg_add -r tor" or
>>> tor-devel.  I think devel is fine.
>>>
>>> I'll need to go back to the xml configs and start reworking.
>>>
>>> Despite the long torrc file, there's only really a handful of config
>>> options necessary, so a basic operational config isn't that hard.
>>>
>>> Adding hidden services, etc., might be later goals, but to me the goal
>>> should be a simple bridge or relay that any user could just set up in a
>>> few minutes.
>>>
>>> The number you can toss around is this:  if there were 100,000 known
>>> pfSense installs in November 2011, 2% of them running a bridge or relay
>>> would have an enormous impact on the Tor network, which only has about
>>> 3700 public relays at the moment, plus somewhere under 2000 known bridges.
>>>
>>> Another important impact is on the current Linux monoculture.  The vast
>>> majority of Tor nodes are Linux by a long shot.  Bumping up the FreeBSD
>>> numbers, at least, would break up that issue to an extent.
>>>
>>> g
>>>
>>> _______________________________________________
>>> talk mailing list
>>> talk at lists.nycbug.org
>>> http://lists.nycbug.org/mailman/listinfo/talk
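The workaround in the first two messages (pointing PACKAGESITE at the archive once a release's packages move off the main mirror) as an added shell example, not code from the thread or from pfSense: it probes the main mirror first and the archive second for the requested package, and scopes PACKAGESITE to a single pkg_add invocation instead of a global setenv. The PROBE hook is an assumption added so the resolver can be exercised offline.

```shell
#!/bin/sh
# Added example: resolve a working PACKAGESITE for pkg_add -r.
# The thread's failure mode: 8.1-release packages are gone from
# ftp.freebsd.org but still exist on ftp-archive.freebsd.org.

MAIN_BASE="ftp://ftp.freebsd.org/pub/FreeBSD/ports"
ARCHIVE_BASE="ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports"

# Build the Latest/ directory URL for <base> <arch> <release>.
pkgsite_url() {
    printf '%s/%s/packages-%s/Latest/\n' "$1" "$2" "$3"
}

# Default prober: succeed if the URL is retrievable. fetch(1) exists on
# FreeBSD/pfSense; curl is the fallback elsewhere. Plain FTP gives no
# integrity guarantee, so this only answers "does the file exist".
default_probe() {
    if command -v fetch >/dev/null 2>&1; then
        fetch -q -o /dev/null "$1" 2>/dev/null
    else
        curl -fsSL -o /dev/null "$1" 2>/dev/null
    fi
}
# PROBE is a hypothetical hook (assumption) so tests can substitute a stub.
: "${PROBE:=default_probe}"

# Print the first site that serves <pkg>.tbz; exit 1 if none does.
# Usage: resolve_pkgsite <arch> <release> <pkg>
resolve_pkgsite() {
    arch=$1; rel=$2; pkg=$3
    for base in "$MAIN_BASE" "$ARCHIVE_BASE"; do
        site=$(pkgsite_url "$base" "$arch" "$rel")
        if "$PROBE" "${site}${pkg}.tbz"; then
            printf '%s\n' "$site"
            return 0
        fi
    done
    echo "no package site serves ${pkg}.tbz for ${rel}/${arch}" >&2
    return 1
}

# Run pkg_add with PACKAGESITE set for this command only (no global setenv).
# Usage: install_from_resolved <arch> <release> <pkg>
install_from_resolved() {
    site=$(resolve_pkgsite "$1" "$2" "$3") || return 1
    PACKAGESITE=$site pkg_add -v -r "$3"
}
```

Example: `install_from_resolved i386 8.1-release tor` reproduces the manual fix from the thread without leaving PACKAGESITE exported in the shell.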
