[nycbug-talk] pfsense and tor
fastgoldfish at gmail.com
Wed Jun 26 18:45:29 EDT 2013
George Rosamond <george <at> ceetonetechnology.com> writes:
> Brian Callahan:
> > On 6/10/2013 1:28 PM, Pete Wright wrote:
> >> has anyone had the chance to run tor on a pfsense system? i'm not
> >> seeing it in the pfsense packages directory located here:
> >> http://www.pfsense.com/packages/config/
> >> while i have spare bandwidth <at> home for tor, not sure my router has the
> >> horsepower. figured i'd test it out there first anyway then if that
> >> fails get tor up and running on another always-on appliance (like my
> >> mac-mini which drives my tv).
> >> -p
> > Can pfsense install vanilla FreeBSD packages? There should be a FreeBSD
> > package available. (or install from ports, though I realize that's
> > probably not what people want to do with their pfsense machines)
> It can be installed that way.
> But creating a pfSense Tor package has been on my list for a while now.
> They moved to PBIs from the old system, and haven't looked at it yet.
> So if >100,000 pfSense installs as of November 2011, and 1% go Tor, you
> have a huge impact on the Tor network. Just like some ppl use pfSense
> for a dhcpd appliance, the same could happen with Tor, I'd hope. And
> the Tor relays are a heavy Linux monoculture at this point, which would
> be nice to diversify.
> I will get to it... really.
> > The latest stable is 0.2.3.25 and the latest unstable is 0.2.4.12-alpha.
> > However, from experience running the OpenBSD tor relay, go for the
> > unstable. It's quite an improvement over the stable branch.
> There are also some sysctls to set that should be noted... we have a
> Tor-BSD list on our mailman if everyone doesn't know already...
> We run two non-exit relays in the cabinet: NYCBUG0 (fbsd) and NYCBUG1
> (obsd), the latter of which Brian is tweaking.
> PS Gee, I wonder why ppl would be discussing this... ;)
I found this discussion by searching for "pfsense tor". My goal is to make a
router firewall thing to torify all network traffic to the internet. The
purpose is to eliminate the need to configure proxies, and prevent
accidental data leaks outside Tor. Right now, there's nothing I know of that
quite does this. Whonix takes a different approach, and restricts usage to
one pre-configured "desktop" that connects only to the Whonix Tor gateway.
Despite the restriction on what software can be used, Whonix still has some
higher hardware requirements because it's all virtualized. Whonix only works
for one user!
I just installed pfSense, and it's already working and doing whatever it is
that it normally does. Correct me if I'm wrong, but I think my goal is
waiting for Tor to become available in pfSense, which is what you are
planning to do. I'm not sure exactly how this will all have to be configured
to work like I'm hoping, but as best I can tell, pfSense can do it once Tor
is available (I assume some sort of table of where data should go). Also,
the possibility of having an easy-to-run Tor relay is compelling too.
The mention of PBIs is interesting, because I just installed PCBSD too, and
I think that's what PCBSD uses. There is already a PBI in PCBSD, but I'm not
sure if that's suitable for pfSense or not. It works quite well, but it's
still limited without a way to forcibly torify everything, and block
anything that doesn't cooperate.
Can you give me an idea of when you might want to make it possible to add
Tor to pfSense, and whether your plans might work out well for my own plans?
Do you know if it will be possible to force everything to go out on Tor, and
also if it will be possible to configure a relay in a straightforward,
non-expert, I-just-turned-it-on-and-it-worked sort of way?
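The "table of where data should go" asked about above is, in pf terms, a pair of redirect rules plus a default-deny policy. The following is an added illustration, not part of the original thread and not pfSense's own generated ruleset: it shows the mechanism Tor's transparent-proxy setup uses, written as a plain torrc plus pf.conf fragment for a FreeBSD-style gateway. The interface names (em0/em1), the LAN address 192.168.1.1, the LAN prefix and the `_tor` user are assumptions for the example.

```conf
# --- /usr/local/etc/tor/torrc on the assumed gateway (LAN address 192.168.1.1) ---
# Tor listens on the LAN address only; the firewall redirects client traffic here.
TransPort 192.168.1.1:9040
DNSPort   192.168.1.1:5353
# Resolve .onion names to placeholder addresses from this range so the name
# lookup never leaves the box and the later TCP connect is mapped back to it.
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
# No SOCKS listener: clients do not need proxy settings at all.
SocksPort 0

# --- /etc/pf.conf fragment for the same box (assumed interface names) ---
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
tor_user = "_tor"        # assumed: the unprivileged user the Tor daemon runs as

# Translation rules come before filter rules in pf. Client DNS goes to Tor's
# DNSPort; every other TCP connection from the LAN goes to the TransPort.
rdr on $int_if inet proto udp from $int_net to any port domain -> 192.168.1.1 port 5353
rdr on $int_if inet proto tcp from $int_net to ! $int_if      -> 192.168.1.1 port 9040

# Default deny with logging: anything that did not get redirected into Tor
# (UDP other than DNS, ICMP, IPv6, non-cooperating software) is dropped,
# and the log shows what tried to leak.
block log all
pass quick on lo0 all

# Clients may reach the gateway's Tor listeners, nothing else.
pass in on $int_if inet proto udp from $int_net to 192.168.1.1 port 5353
pass in on $int_if inet proto tcp from $int_net to 192.168.1.1 port 9040

# Only the Tor daemon itself may open connections to the Internet.
pass out on $ext_if inet proto tcp from ($ext_if) to any user $tor_user
```

Two points worth noting about this design. Because every redirected packet terminates at the gateway's own address, the box does not need IP forwarding at all, which removes the usual way traffic slips past a proxy; and because the outbound `pass` is keyed on the Tor user, the gateway's own services (package fetches, NTP, a misconfigured daemon) are blocked and logged rather than silently bypassing Tor. pfSense regenerates pf rules from its web interface, so on a real pfSense install these would be expressed as a port-forward and firewall rules there rather than by editing pf.conf by hand.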