[Tails-dev] Bridge Firewall Was: Re: VirtualBox host softwar…

Author: adrelanos
Date:  
To: The Tails public development discussion list
Old-Topics: Re: [Tails-dev] VirtualBox host software vs. networking [Was: Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer]
Subject: [Tails-dev] Bridge Firewall Was: Re: VirtualBox host software vs. networking [Was: Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer]
adev@???:
> I think since tails now supports bridges and obfsproxy, then someone
> one day may implement a hardened firewall cd that runs in front of
> tails, and allows only traffic to the bridges the user has
> specified.
>
> This would stop an attacker from learning the tails machine's real IP
> even if they gained root on the machine, unless they could use a
> *rare* exploit against iptables or pf on the firewall machine (or
> some other attack). A multi-machine setup may be less coding work
> for developers than setting up virtualization, and be more secure.


What you describe was sometimes called a bridge firewall. I
considered creating something like this and putting it in front of
Whonix-Gateway. (To make a two-machine system perhaps an optional
three-machine system.)

Unfortunately, it turned out that once the Tor process has been
compromised, the external IP is also compromised because Tor knows it.

I documented this and a few other aspects of such a bridge firewall:
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall
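A minimal form of the allowlist firewall adev describes, as an added example that is not code from this thread, Tails or Whonix: a POSIX sh script that turns a constructed list of bridge lines into an iptables ruleset for a box that forwards traffic only to those bridges (the interface names and bridge addresses are assumed placeholders). It does nothing about the caveat adrelanos raises: the Tor process on the inner machine still learns the external IP.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables ruleset for a
# "bridge firewall" host sitting between the Tor client machine (LAN_IF)
# and the Internet (WAN_IF). Only forwarding to listed bridges is allowed.
# Interface names and bridge addresses are constructed placeholders
# (RFC 5737 documentation ranges), not real bridges.
LAN_IF=eth1
WAN_IF=eth0
BRIDGES='# transport address:port [fingerprint]   (constructed sample)
obfs3 192.0.2.10:443 FINGERPRINT_PLACEHOLDER
198.51.100.7:9001
obfs2 203.0.113.5:8443'

# bridge_rules LIST: one ACCEPT rule per bridge line. Lines are parsed like
# a torrc "Bridge" entry: optional transport name, then IP:PORT, then an
# optional fingerprint (ignored here). Blank lines and comments are skipped.
bridge_rules() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    set -- $line
    case "$1" in *:*) addr=$1 ;; *) addr=$2 ;; esac
    ip=${addr%:*}
    port=${addr##*:}
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
      "$LAN_IF" "$WAN_IF" "$ip" "$port"
  done
}

# full_ruleset LIST: default-deny on every chain, replies for flows the
# client opened, NAT for the inner machine, the bridge allowlist, then log
# and drop everything else (including any direct connection a compromised
# client attempts).
full_ruleset() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  bridge_rules "$1"
  cat <<EOF
iptables -A FORWARD -j LOG --log-prefix "bridgefw-drop: "
iptables -A FORWARD -j DROP
EOF
}

# Print the ruleset; review it, then pipe it into sh on the firewall host.
full_ruleset "$BRIDGES"
```

The LOG rule matters operationally: any hit on it from the inner machine is a sign that something there is trying to reach the network outside the configured bridges.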