[Tor-BSD] Tor relay guide input

Shawn Webb shawn.webb at hardenedbsd.org
Fri Jan 12 10:15:51 EST 2018


On Fri, Jan 12, 2018 at 03:07:00PM +0000, George Rosamond wrote:
> nusenu:
> > 
> > 
> > George Rosamond:
> >> The Tor Project is assembling a general guide/brochure for configuring
> >> relays.
> >>
> >> https://trac.torproject.org/projects/tor/wiki/TorRelayGuide
> >>
> >> Clearly, a lot of BSD-related information needs updating, and
> >> NetBSD/Dragonfly should be added. 
> > 
> > Would you volunteer to become the maintainer of those operating systems?
> > (I didn't add them because I believe that people using them will not have a 
> > hard time installing tor and I have already 8 others to keep an eye on)
> > 
> 
> I will see what I can do on this...
> 
> >> Lots of *BSD related information is
> >> missing and/or inaccurate.
> > 
> > Can you say more about what is inaccurate about the installation steps 
> > for FreeBSD and HardenedBSD?
> 
> I don't know much about HardenedBSD and its userland differences with
> FreeBSD, if any, but there are "automatic package updates supported"
> with FreeBSD with pkg(8)

`pkg upgrade` is cronnable, so both FreeBSD and HardenedBSD could
perform automatic (and unattended) package upgrades via a cronjob. And
with that, all the boxes in the grid linked to at [1] should be green
for FreeBSD and HardenedBSD.

On HardenedBSD 11-STABLE/amd64, Tor is compiled with SafeStack. On
HardenedBSD 12-CURRENT/amd64, Tor is compiled with both SafeStack and
CFI with the cfi-icall scheme disabled. We're the only OS to ship Tor
with those exploit mitigations enabled.

> 
> The other inaccuracies are about OpenBSD which does release binaries
> usually within 24 hours of a port update, and the port updates are very
> quick (ty, Pascal), pkg updates can be easily automated and binary
> updates for the base OS are supported on -stable with syspatch(8).
> 
> What is exactly meant by "multi-instance support"? Running multiple Tor
> daemons?  (the language of the cloud invading operating systems...)

Multi-instance Tor (running multiple Tor daemons) is easy on FreeBSD
and HardenedBSD. The rc script supports it natively. Additionally, one
can run multiple jails, each with their own Tor instance (this is what
Emerald Onion does). I'm sure OpenBSD could use chroot.

[1]: https://twitter.com/nusenu_/status/948588580032712704

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE