[tor-talk] Securing a Relay - chroot

Martin Fick mogulguy at yahoo.com
Fri May 27 17:47:01 UTC 2011


> > You do not mention the threats you worry about and assets
> > you care about (threat model + security requirements).
>
> Yes that's because I don't know what threats there may be.
> I am a user, I don't have an MS in Computer Science.
> For example I don't understand, "maps subnets and/or ports
> to inside. Separating traffic into VLANs. In general
> having a lot more control of the hardware layer."
>
> What good is this if users can't secure their own machine
> effectively?  Why set up a relay if my own machine could
> be compromised?  No wonder you have a hard time
> recruiting relays, much less exit points.  I guess the
> coyness here is for some good reason, but it's not doing
> the cause any good.  Looks like I have to give up on a relay.

Well, it appears that you do have a threat model in mind.
It seems that you are concerned with people using your
relay to attack your local machines.  Those are valid
concerns, that is the threat model you are hoping to
get advice against.

You have received some advice against it, but you do not
appear to understand this advice, which is fine, please
ask more questions then.

I think that your concerns are valuable, they often
concern me also, and I am sometimes surprised that
others are not concerned about this on their home
networks.  I agree that the tor project could provide
some more advice on dealing with this.

I suspect the reason that you don't see this is because
either most people assume it is just too hard, or to
those for whom it is not too hard, they just know how to do
it and think that it will be too hard to explain to others
(with good reason).  Nevertheless, it might be worth trying.

> Nevertheless it is still necessary to share 192.168.*.*
> with the local LAN.  I want to avoid this

The reason you want to avoid this I suspect is because
you want to prevent someone from owning your relay,
and then attacking the rest of your network from inside
your local hardware firewall (likely a DSL or cable
modem)?  Is that correct?

The solution that I suggested with vservers will allow you
to prevent local network snooping (eavesdropping on packets
not intended for your vserver), but it will not prevent your
vserver from directly attempting to communicate with other
machines (including your host) inside your firewall unless
additional rules are added to your host, likely using
iptables or something like this.  Using lxc you would
likely want those same rules, but perhaps you would need
more to prevent eavesdropping.

It would be nice if someone who has done this could help
write a guide to do this.  If no one has done this yet, I
think that it would be valuable, and perhaps it should even
become recommended practice eventually.

Just my .02 cents,

-Martin
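
A sketch of the host-side iptables rules mentioned in the message above, as an added example that is not part of the original post. The guest address, resolver address and RELAY_GUEST chain name are constructed, and the default OUTPUT chain assumes a guest that shares the host's network stack; a routed guest would need the FORWARD chain instead.

```shell
#!/bin/sh
# Added example: print (not apply) host-side iptables rules that stop a relay
# guest from opening connections to private (LAN) addresses.
# Assumptions: one fixed guest IPv4 address, guest packets traverse the host
# chain given as $3 (default OUTPUT), DNS comes from one resolver in the LAN.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# relay_isolation_rules GUEST_IP RESOLVER_IP [CHAIN]
relay_isolation_rules() {
    guest=$1 resolver=$2 chain=${3:-OUTPUT}
    case "$chain" in *[!A-Za-z0-9_-]*) return 2 ;; esac
    is_ipv4 "$guest" && is_ipv4 "$resolver" || {
        echo "usage: relay_isolation_rules GUEST_IP RESOLVER_IP [CHAIN]" >&2
        return 2
    }
    echo "iptables -N RELAY_GUEST"
    echo "iptables -A $chain -s $guest -j RELAY_GUEST"
    # Replies on connections that LAN hosts opened to the relay stay allowed.
    echo "iptables -A RELAY_GUEST -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The only new LAN-bound traffic permitted: DNS to the named resolver.
    for proto in udp tcp; do
        echo "iptables -A RELAY_GUEST -d $resolver -p $proto --dport 53 -j ACCEPT"
    done
    # All other private, link-local and loopback destinations are dropped.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8; do
        echo "iptables -A RELAY_GUEST -d $net -j DROP"
    done
    # Public destinations fall through to the rest of the chain.
    echo "iptables -A RELAY_GUEST -j RETURN"
}

# Constructed sample addresses; review the printed rules before applying them.
relay_isolation_rules 192.168.1.50 192.168.1.1
```

The rule order matters: the DNS exception has to be appended before the 192.168.0.0/16 drop, or the guest loses name resolution.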