[nycbug-talk] pfsense and tor

George Rosamond george at ceetonetechnology.com
Fri Jun 28 00:05:56 EDT 2013


fastgoldfish at gmail.com:
> I found this, which looks to be straightforward:
> 
> http://doc.pfsense.org/index.php/Developing_Packages
> 
> I don't understand all that's going on with that. Does anyone know if
> there's a "hello world" package to play with? I couldn't find one.
> 

'hello world' for pfSense packages??   woah.

More inline below.

> On Wed, Jun 26, 2013 at 7:09 PM, fastgoldfish at gmail.com
> <fastgoldfish at gmail.com> wrote:
>> I sent a message to adrelanos, the person developing the Whonix
>> system, to make him aware of this discussion. I think pfSense may have
>> the potential to provide a much more powerful and flexible replacement
>> for the Whonix Gateway. pfSense could be used to serve needs that the
>> Whonix Gateway currently is not designed for, but pfSense can still
>> serve the very narrow set of use cases that the Whonix system is
>> currently the best tool for.

I don't know a lot about Whonix, but I do know a bit about other similar
projects, and most have stopped moving forward in any real way.

pfSense has huge advantages as a platform over these other systems:

1.  it has a significant install base that they don't

2.  pfsense didn't try to be all things to all people when it launched,
but it has scaled to do more in time, as appropriate, with a solid
framework.

>>
>> Beyond that, pfSense can do things that we haven't even thought of
>> yet. one thing I've discussed with adrelanos is a Tor-friendly ISP
>> that could provide a Tor gateway that will forcibly torify all
>> communications. Some other very important use cases are:
>>
>> * Making it easy for someone to conceal the location of a Tor hidden
>> service, even if it gets rooted (which Whonix theoretically could do).
>>
>> * Making it easy for someone to run a Tor relay or bridge.
>>
>> And more!
>>
>> On Wed, Jun 26, 2013 at 3:57 PM, Brian Callahan <bcallah at devio.us> wrote:
>>> On 06/26/13 15:45, badon wrote:
>>>>
>>>> The mention of PBI's is interesting, because I just installed PCBSD too,
>>>> and I think that's what PCBSD uses.
>>>
>>>
>>> Makes sense, as both are based off FreeBSD ;-) The PBI is a PCBSD invention,
>>> but afaik the framework (though not necessarily the individual PBI packages)
>>> will work on any FreeBSD-based system, including vanilla FreeBSD.
>>>
>>>
>>>> There is already a PBI in PCBSD, but I'm not sure if that's suitable for
>>>> Pfsense or not.
>>>
>>>
>>> I would say "probably not" to this. But the mechanism for generating a
>>> suitable PBI for pfsense should be similar if not identical to PCBSD (if you
>>> know how to do that).
>>>
>>> Otherwise - consider this a bump to George for making a pfsense Tor PBI :)

So, yeah, this has been on my list for a while, and I know there's
interest in it.

I will be looking at it more seriously in the next week or so.  In the
meantime, try going to the pfsense shell and typing "pkg_add -r tor" or
tor-devel.  I think devel is fine.

I'll need to go back to the xml configs and start reworking.

Despite the long torrc file, there's only really a handful of config
options necessary, so a basic operational config isn't that hard.

Adding hidden services, etc., might be later goals, but to me the goal
should be a simple bridge or relay that any user could just setup in a
few minutes.

The number you can toss around is this:  if there were 100,000 known
pfSense installs in November 2011, 2% of them running a bridge or relay
would have an enormous impact on the Tor network, which only has about
3700 public relays at the moment, plus somewhere under 2000 known bridges.

Another important impact is on the current Linux monoculture.  The vast
majority of Tor nodes are Linux by a long shot.  Bumping up the FreeBSD
numbers, at least, would break up that issue to an extent.

g
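As an added example, not code from the original message, pfSense or the Tor project: a small POSIX sh helper that writes the handful of torrc directives a non-exit relay or a bridge actually needs, plus an offline sanity check of the result. The function names, the /var/db/tor and /var/log/tor paths and the `_tor` account are assumptions (they match the FreeBSD port's usual defaults); adjust them to your install.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of pfSense or Tor).
# gen_torrc MODE NICKNAME ORPORT [CONTACT]  -> prints a minimal torrc on stdout
#   MODE is "relay" (non-exit public relay) or "bridge" (unlisted bridge).
gen_torrc() {
    mode=$1; nick=$2; orport=$3; contact=${4:-"unconfigured"}
    case "$mode" in
        relay|bridge) ;;
        *) echo "gen_torrc: mode must be relay or bridge" >&2; return 1 ;;
    esac
    # Tor nicknames are 1-19 alphanumerics; reject anything else up front
    # rather than letting Tor fail at start-up.
    case "$nick" in
        ""|*[!A-Za-z0-9]*) echo "gen_torrc: bad nickname '$nick'" >&2; return 1 ;;
    esac
    [ "${#nick}" -le 19 ] || { echo "gen_torrc: nickname too long" >&2; return 1; }
    case "$orport" in
        ""|*[!0-9]*) echo "gen_torrc: ORPort must be numeric" >&2; return 1 ;;
    esac

    cat <<EOF
# torrc generated for mode: $mode
Nickname $nick
ORPort $orport
ContactInfo $contact
# Relay-only box: no local SOCKS listener, so nothing on the firewall
# can be pointed at it as a client proxy by mistake.
SocksPort 0
# Never exit. A non-exit relay carries traffic between relays only and
# does not generate abuse complaints against the operator's address.
ExitPolicy reject *:*
# Assumed paths/user (FreeBSD port defaults); change to match your install.
DataDirectory /var/db/tor
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
User _tor
EOF
    if [ "$mode" = bridge ]; then
        cat <<EOF
# Bridge: publish to the bridge authority only, not the public consensus.
BridgeRelay 1
PublishServerDescriptor bridge
EOF
    fi
}

# check_torrc FILE -> 0 if every directive we rely on is present exactly once
# and the relay-only invariants hold, 1 otherwise.
check_torrc() {
    f=$1
    for key in Nickname ORPort ContactInfo SocksPort ExitPolicy DataDirectory User; do
        n=$(grep -c "^$key " "$f")
        [ "$n" -eq 1 ] || { echo "check_torrc: $key appears $n times" >&2; return 1; }
    done
    grep -q '^SocksPort 0$' "$f" ||
        { echo "check_torrc: SocksPort must be 0 on a relay-only box" >&2; return 1; }
    grep -q '^ExitPolicy reject \*:\*$' "$f" ||
        { echo "check_torrc: relay must reject all exits" >&2; return 1; }
    return 0
}

# Stand-alone usage: write a relay config and check it.
if [ "${0##*/}" = "gen_torrc.sh" ]; then
    gen_torrc relay nycbugrelay 9001 "ops at example.com" > /tmp/torrc.relay
    check_torrc /tmp/torrc.relay && echo "torrc OK: /tmp/torrc.relay"
fi
```

Two things the script cannot do for you: the ORPort has to be reachable from the Internet, so on pfSense you still need a pass rule (or a port forward, if Tor runs on a host behind the box) for that port; and before starting the daemon, let Tor parse the file itself with `tor --verify-config -f /path/to/torrc`, which catches option names or values this check does not know about.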
