[[PageOutline]]

# The Tor Browser SmartOS Sandboxing Guide

This page provides instructions for sandboxing the Linux build of Tor Browser Bundle using the [SmartOS hypervisor](https://wiki.smartos.org/display/DOC/Home) with the [IllumOS kernel](https://wiki.illumos.org/display/illumos/illumos+Home) such that the Browser is only able to access the `SocksPort` of a `tor` instance running in another security domain. We make use of native Solaris [zones](https://wiki.smartos.org/display/DOC/Zones) for running `tor` and a firewall, and Solaris' [Linux-Branded Zones](https://wiki.smartos.org/display/DOC/LX+Branded+Zones) (which emulate Linux system calls and can run both 32-bit and 64-bit x86 Linux binaries) for running Tor Browser. We also provide instructions for using the browser-based noVNC client to access the sandboxed Tor Browser (e.g., from another Tor Browser running locally).

**The Linux Tor Browser binary runs just fine in a Linux zone on Solaris/SmartOS!**

Our sandbox environment has several components, each in its own zone. The Tor Browser runs against an X server created by vnc4server. A stealth-authenticated onion service exposes an HTTP service via noVNC, which serves an HTML5 VNC client to the browser; that client then connects to the zone running the Tor Browser's vnc4server.

5 zones:

* firewall, which performs filtering and NAT
* tor instance for Tor Browser
* tor instance for the onion service (pointing at the noVNC webserver)
* Tor Browser + vnc4server
* the webserver component of noVNC

## why?

* use of dtrace
* use of ZFS to take snapshots and roll back to previous snapshots
* if the browser is exploited, it won't be allowed to make non-tor connections (à la Whonix, Qubes, etc.)
* better isolation than Linux containers
* less overhead than Linux virtualization
* a remote code execution vulnerability in the browser is unlikely to lead to a kernel exploit, since we aren't running the Linux kernel
## global zone configuration
|
|
|
|
|
|
I recommend that the global zone have several changes such as disabling ssh password login, changing the ssh listening port and using strict firewall rules.
|
|
|
|
|
|
my **/usbkey/config** looks like this:
|
|
|
```
|
|
|
admin_nic=MM:MM:MM:MM:MM:MM
|
|
|
admin_ip=dhcp
|
|
|
headnode_default_gateway=none
|
|
|
dns_resolvers=8.8.8.8,8.8.4.4
|
|
|
dns_domain=computer
|
|
|
ntp_hosts=0.pool.ntp.org
|
|
|
hostname=computer
|
|
|
root_authorized_keys_file=authorized_keys
|
|
|
etherstub="switch0"
|
|
|
```

firewall rules in **/etc/ipf/ipf.conf**; you'll have to change the rule for your DNS resolver IPv4 address and I also recommend that you not use ssh port 22 but instead pick a high port number:

```
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

#
# this ipf ruleset is intended to be used with SmartOS

# OUTBOUND rules

# allow dns out to DDD.DDD.DDD.DDD
pass out quick on vioif0 proto tcp from any to DDD.DDD.DDD.DDD port = 53 flags S keep state
pass out quick on vioif0 proto udp from any to DDD.DDD.DDD.DDD port = 53 keep state

# DHCP
# Allow access to ISP's specified DHCP server for cable or DSL networks.
# Use the first rule, then check log for the IP address of DHCP server.
# Then, uncomment the second rule, replace z.z.z.z with the IP address,
# and comment out the first rule
pass out log quick on vioif0 proto udp from any to any port = 67 keep state
#pass out quick on vioif0 proto udp from any to z.z.z.z port = 67 keep state

# Allow HTTP and HTTPS
pass out quick on vioif0 proto tcp from any to any port = 80 flags S keep state
pass out quick on vioif0 proto tcp from any to any port = 443 flags S keep state

# Allow ssh
pass out quick on vioif0 proto tcp from any to any port = 46341 flags S keep state

# Allow NTP
pass out quick on vioif0 proto tcp from any to any port = 37 flags S keep state

# Allow ping
pass out quick on vioif0 proto icmp from any to any icmp-type 8 keep state

# Block and log everything else
block out log first quick on vioif0 all

# INCOMING rules

# BLOCKING rules

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on vioif0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on vioif0 from 172.16.0.0/12 to any #RFC 1918 private IP
#block in quick on vioif0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on vioif0 from 127.0.0.0/8 to any #loopback
block in quick on vioif0 from 0.0.0.0/8 to any #loopback
block in quick on vioif0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on vioif0 from 192.0.2.0/24 to any #reserved for docs
block in quick on vioif0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on vioif0 from 224.0.0.0/3 to any #Class D & E multicast

# Block fragments and too short tcp packets
block in quick on vioif0 all with frags
block in quick on vioif0 proto tcp all with short

# block source routed packets
block in quick on vioif0 all with opt lsrr
block in quick on vioif0 all with opt ssrr

# Block OS fingerprint attempts and log first occurrence
block in log first quick on vioif0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on vioif0 all with ipopts

# Block public pings and ident
block in quick on vioif0 proto icmp all icmp-type 8
block in quick on vioif0 proto tcp from any to any port = 113

# Block incoming Netbios services
block in log first quick on vioif0 proto tcp/udp from any to any port = 137
block in log first quick on vioif0 proto tcp/udp from any to any port = 138
block in log first quick on vioif0 proto tcp/udp from any to any port = 139
block in log first quick on vioif0 proto tcp/udp from any to any port = 81

# ALLOW rules

## Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
## the same IP address used in the outbound section.
#pass in quick on vioif0 proto udp from z.z.z.z to any port = 68 keep state
pass in quick on vioif0 proto udp from any to any port = 68 keep state

# Allow SSH
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags

# Block and log only first occurrence of all remaining traffic.
block in log first quick on vioif0 all
```

## creation of zones

Read the SmartOS documentation on [zone image management](https://wiki.smartos.org/display/DOC/Managing+Images).

We create Solaris and Linux zones using the latest SmartOS zone images available:

```
imgadm avail | grep debian-8 | grep lx-dataset | tail -n 1
445d04f4-cad6-11e5-a1a0-9f6c0ce02707  debian-8     20160204  linux    lx-dataset    2016-02-04

imgadm avail | grep base-64-lts | tail -n 1
96bcddda-beb7-11e5-af20-a3fb54c8ae29  base-64-lts  15.4.0    smartos  zone-dataset  2016-01-19

imgadm import 445d04f4-cad6-11e5-a1a0-9f6c0ce02707
imgadm import 96bcddda-beb7-11e5-af20-a3fb54c8ae29
```

These two image IDs will be specified in our zone manifests.

Refer to [creating zones with SmartOS](https://wiki.smartos.org/display/DOC/How+to+create+a+zone+%28+OS+virtualized+machine+%29+in+SmartOS) for more information.
## firewall zone
|
|
|
|
|
|
create a **firewall.json** file where public IPv4 address is **XXX.XXX.XXX.XXX** and the gateway is **YYY.YYY.YYY.YYY** :
|
|
|
```
|
|
|
{
|
|
|
"alias": "firewall",
|
|
|
"hostname": "firewall",
|
|
|
"brand": "joyent",
|
|
|
"max_physical_memory": 500,
|
|
|
"dataset_uuid": "96bcddda-beb7-11e5-af20-a3fb54c8ae29",
|
|
|
"default_gateway": "YYY.YYY.YYY.YYY",
|
|
|
"nics": [
|
|
|
{
|
|
|
"nic_tag": "admin",
|
|
|
"ip": "XXX.XXX.XXX.XXX",
|
|
|
"netmask": "255.255.254.0",
|
|
|
"allow_ip_spoofing": "1",
|
|
|
"gateway": "YYY.YYY.YYY.YYY",
|
|
|
"primary": "1"
|
|
|
},
|
|
|
{
|
|
|
"nic_tag": "switch0",
|
|
|
"ip": "10.0.0.1",
|
|
|
"netmask": "255.255.255.0",
|
|
|
"allow_ip_spoofing": "1",
|
|
|
"gateway": "10.0.0.1"
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
```
|
|
|
|
|
|
create the zone:
|
|
|
```
|
|
|
vmadm create -f firewall.json
|
|
|
```
|
|
|
|
|
|
|
|
|
login
|
|
|
```
|
|
|
vmadm list
|
|
|
UUID TYPE RAM STATE ALIAS
|
|
|
5d9ab9da-8aae-4a48-b73a-b7ae574a5dd3 OS 500 running firewall
|
|
|
|
|
|
login 5d9ab9da-8aae-4a48-b73a-b7ae574a5dd3
|
|
|
[Connected to zone '5d9ab9da-8aae-4a48-b73a-b7ae574a5dd3' pts/13]
|
|
|
Last login: Fri Mar 4 10:33:05 on pts/13
|
|
|
__ . .
|
|
|
_| |_ | .-. . . .-. :--. |-
|
|
|
|_ _| ;| || |(.-' | | |
|
|
|
|__| `--' `-' `;-| `-' ' ' `-'
|
|
|
/ ; Instance (base-64-lts 15.4.0)
|
|
|
`-' https://docs.joyent.com/images/smartos/base
|
|
|
|
|
|
[root@firewall ~]#
|
|
|
```

firewall NAT configuration in **/etc/ipf/ipfnat.conf**

```
map net0 10.0.0.2/24 -> 0/32 portmap tcp/udp auto
map net0 10.0.0.2/24 -> 0/32
```

firewall filtering in **/etc/ipf/ipf.conf**

```
block out from 10.0.0.13/32
block in from 10.0.0.13/32
```

**/opt/custom/bin/net-setup**

```
#!/usr/bin/bash
ipnat -v -f /etc/ipf/ipfnat.conf
```

**/opt/custom/smf/net-setup.xml**

```
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='site:net-setup'>
  <service name='site/net-setup' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/physical'/>
    </dependency>
    <dependency name='filesystem' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>

    <exec_method type='method' name='start' exec='/opt/custom/bin/net-setup' timeout_seconds='0' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='0' />

    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />
  </service>
</service_bundle>
```

enable IPv4 forwarding, the ipfilter service and our net-setup service, then load the rules:

```
routeadm -u -e ipv4-forwarding
svcadm enable route
svcadm enable ipfilter
svccfg import /opt/custom/smf/net-setup.xml
ipf -Fa -f /etc/ipf/ipf.conf
ipnat -f /etc/ipf/ipfnat.conf
```
## onion tor zone
|
|
|
|
|
|
This zone will run tor for our onion service.
|
|
|
We could use a Solaris or Linux zone since tor works in either one.
|
|
|
Here I'll describe how I do it with the latest Linux debian-8 zone:
|
|
|
|
|
|
**lx-onion-tor.json**
|
|
|
```
|
|
|
{
|
|
|
"alias": "lx-onion-tor",
|
|
|
"brand": "lx",
|
|
|
"kernel_version": "3.13.0",
|
|
|
"max_physical_memory": 400,
|
|
|
"quota": 10,
|
|
|
"image_uuid": "445d04f4-cad6-11e5-a1a0-9f6c0ce02707",
|
|
|
"resolvers": ["8.8.8.8","8.8.4.4"],
|
|
|
"nics": [
|
|
|
{
|
|
|
"nic_tag": "switch0",
|
|
|
"ip": "10.0.0.10",
|
|
|
"netmask": "255.255.255.0",
|
|
|
"gateway": "10.0.0.1"
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
```
|
|
|
|
|
|
```
|
|
|
vmadm create -f lx-onion-tor.json
|
|
|
vmadm list
|
|
|
UUID TYPE RAM STATE ALIAS
|
|
|
5b2707ac-6175-45b4-d618-92802e3870fd LX 400 running lx-onion-tor
|
|
|
5d9ab9da-8aae-4a48-b73a-b7ae574a5dd3 OS 500 running firewall
|
|
|
```
|
|
|
|
|
|
update and upgrade
|
|
|
```
|
|
|
zlogin 5b2707ac-6175-45b4-d618-92802e3870fd
|
|
|
apt-get update
|
|
|
apt-get upgrade
|
|
|
apt-get install tor
|
|
|
```
|
|
|
|
|
|
|
|
|
setup our torrc with our stealth authenticated onion service
|
|
|
by adding these lines to **/etc/tor/torrc**
|
|
|
```
|
|
|
HiddenServiceDir /var/lib/tor/hidden_service/
|
|
|
HiddenServiceAuthorizeClient stealth client1
|
|
|
HiddenServicePort 6001 10.0.0.8:6001
|
|
|
```
|
|
|
|
|
|
```
|
|
|
systemctl restart tor
|
|
|
```
|
|
|
|
|
|
After tor starts and uploads the onion service descriptors you can look in the **/var/lib/tor/hidden_service/**
|
|
|
and retrieve your client token and onion address. You'll have to add this information into your client torrc
|
|
|
to be able to connect to this onion service; like this:
|
|
|
|
|
|
```
|
|
|
HidServAuth <ONION> <SECRET_TOKEN>
|
|
|
```
|
|
|
|
|
|
|
|
|
## onion vnc server
|
|
|
|
|
|
This zone will run the noVNC http server which acts as a VNC client.
|
|
|
|
|
|
lx-noVNC.json:
|
|
|
```
|
|
|
{
|
|
|
"alias": "lx-noVNC",
|
|
|
"brand": "lx",
|
|
|
"kernel_version": "3.13.0",
|
|
|
"max_physical_memory": 400,
|
|
|
"quota": 10,
|
|
|
"image_uuid": "445d04f4-cad6-11e5-a1a0-9f6c0ce02707",
|
|
|
"resolvers": ["8.8.8.8","8.8.4.4"],
|
|
|
"nics": [
|
|
|
{
|
|
|
"nic_tag": "switch0",
|
|
|
"ip": "10.0.0.8",
|
|
|
"netmask": "255.255.255.0",
|
|
|
"gateway": "10.0.0.1"
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
```
|
|
|
|
|
|
|
|
|
create the new noVNC zone
|
|
|
```
|
|
|
vmadm create -f lx-noVNC.json
|
|
|
zlogin <UUID>
|
|
|
adduser human
|
|
|
exit
|
|
|
zlogin -l human <UUID>
|
|
|
git clone https://github.com/kanaka/noVNC.git
|
|
|
cd noVNC/
|
|
|
```
|
|
|
|
|
|
before starting it let's remind ourselves which LAN IPv4 address to bind to
|
|
|
|
|
|
```
|
|
|
ip a
|
|
|
|
|
|
1: lo: <LOOPBACK,MULTICAST,UP> mtu 8232
|
|
|
link/loopback 00:00:00:00:00:00
|
|
|
inet 127.0.0.1/8 scope host dynamic
|
|
|
inet6 ::1/128 scope host dynamic
|
|
|
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1
|
|
|
link/ether 22:d5:0a:f1:06:83
|
|
|
inet 10.0.0.8/24 scope site dynamic
|
|
|
inet6 fe80::20d5:aff:fef1:683/10 scope link dynamic
|
|
|
```
|
|
|
|
|
|
in a shell owned by ``human`` we run the client
|
|
|
```
|
|
|
git clone https://github.com/kanaka/noVNC.git
|
|
|
cd noVNC/
|
|
|
./utils/launch.sh --vnc 10.0.0.7:5901 --listen 6001
|
|
|
```
|
|
|
|
|
|
that last command launches the web based vnc client and outputs like this
|
|
|
```
|
|
|
Warning: could not find self.pem
|
|
|
Using installed websockify at /usr/bin/websockify
|
|
|
Starting webserver and WebSockets proxy on port 6080
|
|
|
WebSocket server settings:
|
|
|
- Listen on :6080
|
|
|
- Flash security policy server
|
|
|
- Web server. Web root: /home/human/noVNC
|
|
|
- No SSL/TLS support (no cert file)
|
|
|
- proxying from :6080 to localhost:5901
|
|
|
|
|
|
|
|
|
Navigate to this URL:
|
|
|
|
|
|
http://72f04310-1615-ea7a-c415-d281550512bd:6080/vnc.html?host=72f04310-1615-ea7a-c415-d281550512bd&port=6080
|
|
|
|
|
|
Press Ctrl-C to exit
|
|
|
```
|
|
|
|
|
|
we must modify the above URL to this form
|
|
|
```
|
|
|
http://<ONION>:6080/vnc.html?host=<ONION>&port=6080
|
|
|
```
|
|
|
|
|
|
next we need to setup our tor onion service so that we know which onion address to replace <ONION> with.
|
|
|
therefore we must login to our ``onion noVNC`` zone
|
|
|
```
|
|
|
zlogin <UUID>
|
|
|
cat /var/lib/tor/hidden_service/hostname
|
|
|
ONION
|
|
|
```
|
|
|
|
|
|
|
|
|
Previously we talked about the onion tor zone... you retrieve connecting information from that zone as previously described as
|
|
|
utilize the onion address like this to fromulate a URL that connects to your sandbox!
|
|
|
```
|
|
|
http://<ONION>:6080/vnc.html?host=<ONION>&port=6001
|
|
|
```
|
|
|
|
|
|
Save this URL... we'll need it later after we've configured our VNC server.
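As an added example (not part of the original guide), the following Python script parses the `hostname` file that tor writes for a stealth-authenticated v2 onion service, where each authorized client gets one line of the form `<onion>.onion <cookie> # client: <name>`, validates the onion address and cookie, and emits both the `HidServAuth` line for the client torrc and the noVNC URL in the form shown above. The file contents in the script are constructed sample values, not a real service.

```python
import re

# Constructed sample of /var/lib/tor/hidden_service/hostname for a stealth-
# authenticated v2 onion service: one line per authorized client. The values
# are made up and do not belong to any real service.
SAMPLE_HOSTNAME_FILE = "abcdefghijklmnop.onion AbCdEfGhIjKlMnOpQrStUv # client: client1\n"

ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")   # v2 onion: 16 base32 chars
COOKIE_RE = re.compile(r"^[A-Za-z0-9+/]{22}$")    # descriptor cookie: 22 base64 chars
LINE_RE = re.compile(r"^(\S+\.onion)\s+(\S+)\s+#\s*client:\s*(\S+)\s*$")

def parse_hostname_file(text):
    """Return {client_name: (onion_address, cookie)} from the stealth hostname file."""
    clients = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                 # blank line or a non-stealth entry: skip it
            continue
        onion, cookie, name = m.groups()
        if not ONION_RE.match(onion) or not COOKIE_RE.match(cookie):
            raise ValueError(f"malformed entry for client {name}: {line!r}")
        clients[name] = (onion, cookie)
    return clients

def hidservauth_line(clients, name):
    """The line the connecting client's torrc needs: HidServAuth <ONION> <SECRET_TOKEN>."""
    onion, cookie = clients[name]
    return f"HidServAuth {onion} {cookie}"

def novnc_url(clients, name, vnc_port=6001):
    """The noVNC URL from this guide with <ONION> filled in for the given client."""
    onion, _ = clients[name]
    return f"http://{onion}:6080/vnc.html?host={onion}&port={vnc_port}"
```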

## setup Tor zone that TBB will use

create the tor zone

lx-client-tor.json:

```
{
  "alias": "lx-client-tor",
  "brand": "lx",
  "kernel_version": "3.13.0",
  "max_physical_memory": 300,
  "quota": 10,
  "image_uuid": "445d04f4-cad6-11e5-a1a0-9f6c0ce02707",
  "resolvers": ["8.8.8.8", "8.8.4.4"],
  "nics": [
    {
      "nic_tag": "switch0",
      "ip": "10.0.0.12",
      "netmask": "255.255.255.0",
      "gateway": "10.0.0.1"
    }
  ]
}
```

```
vmadm create -f lx-client-tor.json
```

login and install tor

```
zlogin <UUID>
apt-get update; apt-get upgrade;
apt-get install tor
```

configure tor to listen on our LAN IPv4 address.

list our interface addresses

```
# ip a
1: lo: <LOOPBACK,MULTICAST,UP> mtu 8232
    link/loopback 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host dynamic
    inet6 ::1/128 scope host dynamic
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1
    link/ether f2:93:94:f4:a4:40
    inet 10.0.0.12/24 scope site dynamic
    inet6 fe80::f093:94ff:fef4:a440/10 scope link dynamic
```

then add the following line to ``/etc/tor/torrc``

```
SocksPort 10.0.0.12:9050
```
## setup Tor Browser zone
|
|
|
|
|
|
Actually, this zone could be used to sandbox any Linux or Solaris binaries.
|
|
|
|
|
|
In this zone we'll run vnc4server along with the tor browser.
|
|
|
This is so that tbb will simply be able to use the X server provided
|
|
|
locally by vnc4server via the **DISPLAY** environment variable.
|
|
|
|
|
|
firstly we create the native linux zone, we login and upgrade
|
|
|
|
|
|
lx-tbb-tor.json:
|
|
|
```
|
|
|
{
|
|
|
"alias": "lx-tbb",
|
|
|
"brand": "lx",
|
|
|
"kernel_version": "3.13.0",
|
|
|
"max_physical_memory": 1024,
|
|
|
"quota": 10,
|
|
|
"image_uuid": "445d04f4-cad6-11e5-a1a0-9f6c0ce02707",
|
|
|
"resolvers": ["8.8.8.8","8.8.4.4"],
|
|
|
"nics": [
|
|
|
{
|
|
|
"nic_tag": "switch0",
|
|
|
"ip": "10.0.0.13",
|
|
|
"netmask": "255.255.255.0",
|
|
|
"gateway": "10.0.0.1"
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
```
|
|
|
|
|
|
```
|
|
|
vmadm create -f lx-tbb-tor.json
|
|
|
zlogin <UUID>
|
|
|
apt-get update; apt-get upgrade;
|
|
|
```
|
|
|
|
|
|
setup vnc4server. first we install some dependencies
|
|
|
```
|
|
|
apt-get install binutils libasound-dev libgtk2.0-dev libgtk-3-dev vnc4server fluxbox xterm
|
|
|
```
|
|
|
|
|
|
set a vnc password
|
|
|
```
|
|
|
vnc4passwd
|
|
|
```
|
|
|
|
|
|
start the vnc server
|
|
|
```
|
|
|
vnc4server :1
|
|
|
```
|
|
|
|
|
|
here's my netstat output
|
|
|
```
|
|
|
human@lx-tbb:~/tor-browser_en-US$ netstat -tlpn
|
|
|
(Not all processes could be identified, non-owned process info
|
|
|
will not be shown, you would have to be root to see it all.)
|
|
|
Active Internet connections (only servers)
|
|
|
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
|
|
|
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
|
|
|
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 16503/Xvnc4
|
|
|
tcp6 0 0 :::22 :::* LISTEN -
|
|
|
tcp6 0 0 :::5901 :::* LISTEN 16503/Xvnc4
|
|
|
```
|
|
|
|
|
|
|
|
|
setup tor browser with dtrace.
|
|
|
using the above information, the tor Socks address and port we can now configure our
|
|
|
tbb to use that tor instead of the default launched tor.
|
|
|
|
|
|
login to the tbb zone and start tbb!
|
|
|
```
|
|
|
zlogin -l human <UUID>
|
|
|
TOR_SOCKS_HOST=10.0.0.12 TOR_SOCKS_PORT=9050 TOR_SKIP_LAUNCH=1 DISPLAY=:1 LX_DTRACE=1 ./start-tor-browser.desktop
|
|
|
```
|
|
|
|
|
|
|
|
|
### firewall the tor browser zone
|
|
|
|
|
|
the tor browser zone should not be able to access the Internet directly.
|
|
|
it should only be able to access another zone's socks port where tor is running.
|
|
|
therefore we login to the firewall zone and add a firewall rule to block
|
|
|
the tbb zone's access to the Internet.
|
|
|
|
|
|
add these lines to ``/etc/ipf/ipf.conf``
|
|
|
```
|
|
|
block out from 10.0.0.13/32
|
|
|
block in from 10.0.0.13/32
|
|
|
```

then activate the rules like this

```
ipf -Fa -f /etc/ipf/ipf.conf
```
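As an added consistency check (not part of the original guide), this Python script audits the pieces of the setup that have to agree for the isolation to hold: the zone manifests on `switch0`, the firewall zone's `ipf.conf` block rules, its `ipfnat.conf` map rules and the client tor's `SocksPort`. It flags a browser zone that lacks both a `block in` and a `block out` rule (noting whether the NAT map would then forward it), a `SocksPort` not bound on the client tor zone's address, and a `SocksPort` inside the browser zone itself. The manifests and rule files are constructed inline from this page's values; `MOVED_MANIFESTS` is a made-up variant in which the browser zone's IP was changed without updating the rules.

```python
import ipaddress
import re

def manifest(alias, ip, brand="lx"):
    """Minimal vmadm-style manifest with one NIC on switch0 (constructed sample)."""
    return {"alias": alias, "brand": brand,
            "nics": [{"nic_tag": "switch0", "ip": ip,
                      "netmask": "255.255.255.0", "gateway": "10.0.0.1"}]}

# Constructed inputs mirroring the zones and rules in this guide.
PAGE_MANIFESTS = [manifest("firewall", "10.0.0.1", "joyent"),
                  manifest("lx-onion-tor", "10.0.0.10"),
                  manifest("lx-noVNC", "10.0.0.8"),
                  manifest("lx-client-tor", "10.0.0.12"),
                  manifest("lx-tbb", "10.0.0.13")]
# Made-up variant: the browser zone moved, but the firewall rules were not updated.
MOVED_MANIFESTS = PAGE_MANIFESTS[:-1] + [manifest("lx-tbb", "10.0.0.14")]
IPF_CONF = "block out from 10.0.0.13/32\nblock in from 10.0.0.13/32\n"
IPFNAT_CONF = ("map net0 10.0.0.2/24 -> 0/32 portmap tcp/udp auto\n"
               "map net0 10.0.0.2/24 -> 0/32\n")
CLIENT_TORRC = "SocksPort 10.0.0.12:9050\n"

def switch0_ips(manifests):
    """Map zone alias -> its IPv4 address on the switch0 etherstub."""
    return {m["alias"]: n["ip"] for m in manifests
            for n in m["nics"] if n["nic_tag"] == "switch0"}

def blocked_ips(ipf_conf):
    """Hosts that have both a 'block in' and a 'block out' /32 rule."""
    seen = {"in": set(), "out": set()}
    for line in ipf_conf.splitlines():
        m = re.match(r"block (in|out) from (\d+\.\d+\.\d+\.\d+)/32", line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return seen["in"] & seen["out"]

def nat_networks(ipfnat_conf):
    """Source networks that the ipnat 'map' rules translate to the public side."""
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in re.finditer(r"^map \S+ (\S+) ->", ipfnat_conf, re.M)]

def audit(manifests, ipf_conf, ipfnat_conf, torrc,
          browser="lx-tbb", tor_zone="lx-client-tor"):
    """Return a list of findings; an empty list means the pieces agree."""
    findings, ips = [], switch0_ips(manifests)
    if len(set(ips.values())) != len(ips):
        findings.append("duplicate IPv4 address on switch0")
    tbb = ips[browser]
    if tbb not in blocked_ips(ipf_conf):
        nat = any(ipaddress.ip_address(tbb) in n for n in nat_networks(ipfnat_conf))
        findings.append(f"{browser} ({tbb}) has no block in+out rules"
                        + (" and would be NATed to the Internet" if nat else ""))
    m = re.search(r"^SocksPort (\S+):(\d+)", torrc, re.M)
    socks_ip = m.group(1) if m else None
    if socks_ip != ips[tor_zone]:
        findings.append(f"SocksPort {socks_ip} is not the {tor_zone} address {ips[tor_zone]}")
    if socks_ip == tbb:
        findings.append("SocksPort is bound inside the browser zone itself")
    return findings
```

It checks the configuration text you feed it, not the rules ipf actually loaded, so run it against copies of the real files from the zones and still confirm the loaded state with ipfstat.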