[nycbug-talk] pfsense and tor

fastgoldfish at gmail.com fastgoldfish at gmail.com
Wed Jul 3 02:42:24 EDT 2013


There is a bug in pfSense. I haven't figured out how to report it yet,
but here's the one-liner command I used to fix it:

setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/

Then you can run pkg_add normally, like this:

pkg_add -r tor

or even better:

pkg_add -v -r tor

The problem was that there are no packages for FreeBSD 8.1 in the
usual location where we would expect to find them, and where pfSense
looks and fails to retrieve the Tor package. You can see for yourself
that there's nothing for 8.1:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/

I did some looking around, and I found 8.1's packages here:

ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/

So, to make pkg_add look there instead, I just did this (which I
mentioned at the beginning of this post):

setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/

I'm surprised such a fundamental problem hasn't been noticed before.
Maybe it has been noticed before, but there's no way to report the
bug, and so nobody bothered to fix it. That meant that only the
experienced users would be able to solve the problems themselves, and
newcomers like me would have to debug it and come up with a solution
from scratch. Voila! :)
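As an added helper that is not part of the original post, here is a small sh script that automates the same PACKAGESITE fix: it builds the Latest/ URL for the running release and architecture on the primary mirror and on ftp-archive, probes each with fetch(1), and prints the first one that actually serves the package. The two mirror layouts are the ones quoted above; the probe command is injectable so the fallback logic can be exercised without network access.

```shell
#!/bin/sh
# Added helper (not from the original post): pick a working PACKAGESITE for
# pkg_add -r on a pfSense/FreeBSD 8.x box, falling back from the primary
# mirror to ftp-archive once a release has been moved there. Assumes fetch(1).

# "8.1-RELEASE-p13" -> "packages-8.1-release"
release_dir() {
    ver=$(printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\).*/\1/')
    printf 'packages-%s-release' "$ver"
}

# Latest/ URL for a release/arch on the "primary" or "archive" mirror.
packagesite_url() {
    dir=$(release_dir "$1")
    case "$3" in
        primary) printf 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/%s/%s/Latest/' "$2" "$dir" ;;
        archive) printf 'ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/%s/%s/Latest/' "$2" "$dir" ;;
        *) echo "packagesite_url: unknown mirror '$3'" >&2; return 1 ;;
    esac
}

# Default probe: ask the mirror for the file size only (fetch -s), which
# succeeds only if the package really exists there; nothing is downloaded.
probe_with_fetch() {
    fetch -q -s "$1" >/dev/null 2>&1
}

# choose_packagesite RELEASE ARCH PKGFILE [PROBE]
# Prints the first PACKAGESITE whose PKGFILE the probe can see; the optional
# PROBE argument replaces fetch(1) so the selection logic is testable offline.
choose_packagesite() {
    probe=${4:-probe_with_fetch}
    for mirror in primary archive; do
        site=$(packagesite_url "$1" "$2" "$mirror")
        if "$probe" "${site}$3"; then
            printf '%s\n' "$site"
            return 0
        fi
    done
    echo "no mirror has $3 for $1/$2" >&2
    return 1
}

# Typical use from the pfSense shell (sh syntax; under tcsh use setenv):
#   PACKAGESITE=$(choose_packagesite "$(uname -r)" "$(uname -m)" tor.tbz) \
#       && export PACKAGESITE && pkg_add -v -r tor
# Note: pkg_add -r fetches these .tbz files over plain FTP with no signature
# check, so only run it over a network path you trust.
```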

On Thu, Jun 27, 2013 at 10:13 PM, fastgoldfish at gmail.com
<fastgoldfish at gmail.com> wrote:
> Enter an option: 8
>
> [2.0.3-RELEASE][root at pfSense.localdomain]/root(1): pkg_add -r tor
> Error: Unable to get
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz:
> File unavailable (e.g., file not found, no access)
> pkg_add: unable to fetch
> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz'
> by URL
> [2.0.3-RELEASE][root at pfSense.localdomain]/root(2): pkg_add -r tor-devel
> Error: Unable to get
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz:
> File unavailable (e.g., file not found, no access)
> pkg_add: unable to fetch
> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz'
> by URL
> [2.0.3-RELEASE][root at pfSense.localdomain]/root(3):
>
> Darn, I was hoping that would work.
>
> Whonix is quite a bit different from the other similar efforts.
> adrelanos seems to have found the magic balance between keeping it
> simple, and making it eminently effective. He has delivered a finished
> product that actually works, and works very well. It is able to
> survive a root-job without losing anonymity, in some circumstances. I
> have watched many other ideas come and go, and none of them reached the
> level of usability and common-sense simplicity that Whonix has. I
> think that might be merely because it is an idea whose time has come.
>
> adrelanos is investigating the possibility of building his next
> version of the Whonix Gateway on pfSense. I'm not sure whether he'll
> do that or not, but I think I've gotten his attention focused on
> pfSense based on just a few of its many advantages that I'm aware of.
> One thing that has kept Whonix on Debian is its wide usage. From the
> point of view of adrelanos, he thinks that gives Debian more "peer
> review" for bugs and other flaws.
>
> Based on what I've learned about pfSense in this discussion, I think
> pfSense is probably better even in the popularity contest comparison
> because it's simpler and more specialized. That makes it an
> apples-to-oranges comparison with a general purpose system (Debian),
> and a refined network-specialist system (pfSense). pfSense is destined
> to come out on top in that kind of a comparison.
>
> And, like you said, the 100'000+ pfSense installs makes it much more
> likely that Tor will be used on a significant fraction of them.
>
> As best I can tell, it looks to me that pfSense can be used to force
> Tor as the only way in or out of a network by setting up a static
> route. The LAN interface is routed to Tor, and Tor is routed to the
> WAN interface. That's essentially what the Whonix Gateway does, after
> stripping out all of the superfluous unnecessary stuff from Debian, if
> I understand it correctly.
>
> For that use case, it would be nice to have a checkbox for "Isolate
> LAN on Tor" which sets up the routing, perhaps with a brief guided
> configuration step. From there, an entire network of machines and all
> of their applications, can be forcibly Torified such that none of the
> machines and applications on the LAN are aware of the public IP of the
> WAN, and so they cannot leak it, even if they get rooted. Then, users
> can happily use Flash, JavaScript, and all the other things they want,
> with the benefits of Tor that suit their use cases. There are several
> very different use cases that need to be spelled out so people
> understand what they're getting and what they're not getting.
>
> Finally, there's the very important ability to set up dedicated
> bridges, relays, and exits in a straightforward way, such that anyone
> running pfSense is ready to go. That will be very exciting, especially
> because it opens up the possibility of ISPs contributing to the Tor
> infrastructure, and maybe also offering their clients access to the
> Tor network with little or no configuration on the client's part. The
> clients would still need a solid understanding of what Tor can and
> can't do for them, but once educated, they'll be able to benefit from
> the advantages Tor can give them, while avoiding the pitfalls in
> realms where Tor is unsuited.
>
>
>
> On Thu, Jun 27, 2013 at 9:05 PM, George Rosamond
> <george at ceetonetechnology.com> wrote:
>> fastgoldfish at gmail.com:
>>> I found this, which looks to be straightforward:
>>>
>>> http://doc.pfsense.org/index.php/Developing_Packages
>>>
>>> I don't understand all that's going on with that. Does anyone know if
>>> there's a "hello world" package to play with? I couldn't find one.
>>>
>>
>> 'hello world' for pfSense packages?? woah.
>>
>> More inline below.
>>
>>> On Wed, Jun 26, 2013 at 7:09 PM, fastgoldfish at gmail.com
>>> <fastgoldfish at gmail.com> wrote:
>>>> I sent a message to adrelanos, the person developing the Whonix
>>>> system, to make him aware of this discussion. I think pfSense may have
>>>> the potential to provide a much more powerful and flexible replacement
>>>> for the Whonix Gateway. pfSense could be used to serve needs that the
>>>> Whonix Gateway currently is not designed for, but pfSense can still
>>>> serve the very narrow set of use cases that the Whonix system is
>>>> currently the best tool for.
>>
>> I don't know a lot about Whonix, but I do know a bit about other similar
>> projects, and most have stopped moving forward in any real way.
>>
>> pfSense has huge advantages as a platform over these other systems:
>>
>> 1.  it has a significant install base that they don't
>>
>> 2.  pfsense didn't try to be all things to all people when it launched,
>> but it has scaled to do more in time, as appropriate, with a solid
>> framework.
>>
>>>>
>>>> Beyond that, pfSense can do things that we haven't even thought of
>>>> yet. One thing I've discussed with adrelanos is a Tor-friendly ISP
>>>> that could provide a Tor gateway that will forcibly torify all
>>>> communications. Some other very important use cases are:
>>>>
>>>> * Making it easy for someone to conceal the location of a Tor hidden
>>>> service, even if it gets rooted (which Whonix theoretically could do).
>>>>
>>>> * Making it easy for someone to run a Tor relay or bridge.
>>>>
>>>> And more!
>>>>
>>>> On Wed, Jun 26, 2013 at 3:57 PM, Brian Callahan <bcallah at devio.us> wrote:
>>>>> On 06/26/13 15:45, badon wrote:
>>>>>>
>>>>>> The mention of PBI's is interesting, because I just installed PCBSD too,
>>>>>> and I think that's what PCBSD uses.
>>>>>
>>>>>
>>>>> Makes sense, as both are based off FreeBSD ;-) The PBI is a PCBSD invention,
>>>>> but afaik the framework (though not necessarily the individual PBI packages)
>>>>> will work on any FreeBSD-based system, including vanilla FreeBSD.
>>>>>
>>>>>
>>>>>> There is already a PBI in PCBSD, but I'm not sure if that's suitable for
>>>>>> Pfsense or not.
>>>>>
>>>>>
>>>>> I would say "probably not" to this. But the mechanism for generating a
>>>>> suitable PBI for pfsense should be similar if not identical to PCBSD (if you
>>>>> know how to do that).
>>>>>
>>>>> Otherwise - consider this a bump to George for making a pfsense Tor PBI :)
>>
>> So, yeah, this has been on my list for a while, and I know there's
>> interest in it.
>>
>> I will be looking at it more seriously in the next week or so.  In the
>> meantime, try going to the pfsense shell and typing "pkg_add -r tor" or
>> tor-devel.  I think devel is fine.
>>
>> I'll need to go back to the xml configs and start reworking.
>>
>> Despite the long torrc file, there's only really a handful of config
>> options necessary, so a basic operational config isn't that hard.
>>
>> Adding hidden services, etc., might be later goals, but to me the goal
>> should be a simple bridge or relay that any user could just setup in a
>> few minutes.
>>
>> The number you can toss around is this:  if there were 100,000 known
>> pfSense installs in November 2011, 2% of them running a bridge or relay
>> would have an enormous impact on the Tor network, which only has about
>> 3700 public relays at the moment, plus somewhere under 2000 known bridges.
>>
>> Another important impact is on the current Linux monoculture.  The vast
>> majority of Tor nodes are Linux by a long shot.  Bumping up the FreeBSD
>> numbers, at least, would break up that issue to an extent.
>>
>> g