Date: Tue, 16 Feb 2016 15:15:05 +0100
From: flipchan@riseup.net
To: tor-talk@lists.torproject.org
In-Reply-To: <56BDDEB4.1070107@openmailbox.org>
References: <56BDDEB4.1070107@openmailbox.org>
Message-ID: <435f0c7967b357ddc5f305f132cbdfeb@riseup.net>
Subject: Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation


That's cool :) who needs a GUI, not me ;)

On 2016-02-12 14:31, Rusty Bird wrote:
> Hi,
> 
> Maybe someone else will find this useful?
> https://github.com/rustybird/orplug
> 
> Rusty
> 
> 
> 
> orplug, an Android firewall with per-app Tor circuit isolation
> 
> Not affiliated with the Tor Project.
> 
> 
>     Short intro
> 
> - No GUI, please write one ;)
> - Default deny pretty much everything. Combinable access policies for
>   individual apps, whole Android user accounts, etc.: transparent
>   torification (circuit-isolated per app), fenced off access to Socks/
>   Polipo, LAN access, clearnet access
> - Multi user account support
> - Doesn't leak IPv6 traffic
> - Clean DNS, but requires ANDROID_DNS_MODE=local ROM patch
> - Logs blocked DNS queries and blocked other packets
> - Input firewall allows sshd by default
> - Should work with enforcing SELinux
> - Includes the "--state INVALID" transproxy leak fix[1]
> - Tested on CyanogenMod 13 (Android 6.0.1 Marshmallow)
> 
> 
>     Longer intro
> 
> Really no GUI, unfortunately I don't have any talent for that. There's a
> simple plain text configuration format[2] though, and the command line
> "orplug-reconf" script could work as a backend to a graphical app. (It
> accepts stdin as well as files for configuration.)
> 
> Unconfigured processes may only communicate with localhost and the
> loopback interface. You can configure an individual app, a Unix user/
> group, or an Android account:
> 
>   - to be transparently torified, with circuit isolation per rule
>   - to be allowed access to local TCP ports 9050/8118 for native Orbot
>     support
>   - to be allowed LAN access (except DNS)
>   - to be allowed full clearnet access
> 
> All of the above can be combined: Transparently torify a VoIP app as
> far as possible, but allow clearnet access for the remainder (UDP voice
> packets). Or, for a home media streaming app: transparent torification
> with LAN access.
> 
> Rules can apply to the primary Android device user account or to other
> accounts.
> 
> For incoming traffic, every port is blocked to the outside by default.
> But a hook loads files with raw ip(6)tables-restore rulesets, and one
> such ruleset allows TCP port 22 (sshd).
> 
> The init script uses "su -c", which seems to set up everything properly
> SELinux-wise on CM13. I'm not really sure because I don't have a device
> that's able to run in enforcing mode.
> 
> 
>     The DNS mess
> 
> Android 4.3+ mixes DNS requests of all apps together by default[3]; when
> a request finally appears in Netfilter, it's unknown where it came from.
> orplug takes a strict approach and blocks this sludge, so it needs a ROM
> patched[4] to export the environment variable ANDROID_DNS_MODE=local
> during early boot.
> 
> Unfortunately, ANDROID_DNS_MODE=local makes Android send DNS requests to
> 127.0.0.1, instead of the value of the net.dns1 property. Until this is
> somehow fixed, a rule has been added to redirect allowed clearnet IPv4
> DNS traffic to $ClearnetDNS (defaults to Google's 8.8.8.8).
> 
> orplug blocks disallowed DNS requests by sending them to a local dnsmasq
> instance that only logs queries (logcat | grep dnsmasq), but doesn't
> forward them. This is how I noticed that CM13 with "everything disabled"
> nevertheless attempts to connect to the hosts stats.cyanogenmod.org,
> account.cyngn.com, and shopvac.cyngn.com. (Via UID 1000, in this case
> the Settings package.)
> 
> 
>     Captive portals
> 
> Enable clearnet access for either UID 1000 (beware of the random stuff
> apparently floating around there), or for a dedicated browser (and run
> "settings put global captive_portal_detection_enabled 0" as root).
> 
> 
>     Installation
> 
> 0. Set up some independent way to check for leaks, e.g. corridor[5].
>    You've been warned...
> 1. Copy the orplug subdirectory to /data/local/ on your Android device.
>    "chmod 755" 00-orplug, orplug-start, and orplug-reconf (all in
>    /data/local/orplug/bin/).
> 2. Add the line ". /data/local/orplug/bin/00-orplug" (note the dot) to
>    /data/local/userinit.sh and run "chmod 755 userinit.sh".
> 3. Copy the contents of /data/local/orplug/torrc-custom-config.txt into
>    the clipboard, e.g. using File Manager. This file contains directives
>    for tor to open 99 different TransPort and DNSPort ports.
> 4. In Orbot's settings, paste the clipboard contents into "Torrc Custom
>    Config", disable "Transparent Proxying", disable "Request Root
>    Access", and choose "Proxy None" in "Select Apps" (that last one only
>    applies to current prereleases of Orbot).
> 5. Reboot your device.
> 6. Check that orplug has brought the firewall up: The output of
>    "getprop orplug.up" is supposed to say "true". Log files are in
>    /data/local/orplug/debug/ in case it didn't work.
> 7. Configure your apps by creating one or more .conf file(s) in
>    /data/local/orplug/conf/ (there's a commented user.conf.example[2]).
> 8. Run "su -c /data/local/orplug/bin/orplug-reconf". The output is
>    supposed to say "orplug-reconf: populated". This will happen
>    automatically if you reboot.
> 
> 
>     Footnotes
> 
> 1. "--state INVALID" transproxy leak fix
> https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
> 
> 2. Example orplug configuration
> https://raw.githubusercontent.com/rustybird/orplug/master/orplug/conf/rules/90-user.conf.example
> 
> 3. Explanation of DNS in Android 4.3+
> http://forum.xda-developers.com/showthread.php?t=2386584
> 
> 4. ANDROID_DNS_MODE=local patch (affects only "make bootimage")
> https://raw.githubusercontent.com/rustybird/orplug/master/system-core-ANDROID_DNS_MODE.patch
> 
> 5. corridor, a Tor traffic whitelisting gateway
> https://github.com/rustybird/corridor
> 
> 
>     Redistribution
> 
> orplug is ISC licensed, see the LICENSE file for details.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
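An added example, not orplug's own code, of how the per-app circuit isolation in Rusty's post maps onto Netfilter: a generator for a raw iptables-restore fragment that gives each configured app UID its own TransPort/DNSPort pair via the owner match, defaults to drop for unconfigured UIDs, and includes the "--state INVALID" drop from footnote [1]. The port bases 9040/5300, tor's UID 1001 and the "label uid" config lines are assumptions constructed for the example.

```shell
# Per-app Tor circuit isolation as an iptables-restore fragment (added example).
# Assumed (not from the post): TransPort i listens on 9040+i, DNSPort i on
# 5300+i, and tor runs as UID 1001, which must never be redirected to itself.
TRANS_BASE=9040
DNS_BASE=5300
TOR_UID=1001

# gen_rules: read "label uid" lines on stdin, print *nat and *filter tables.
# Each configured UID gets its own TransPort/DNSPort, so its streams can't
# share a circuit with another app's; everything else may only use loopback.
gen_rules() {
    awk -v tb="$TRANS_BASE" -v db="$DNS_BASE" -v tor="$TOR_UID" '
    BEGIN {
        nat = "*nat\n:OUTPUT ACCEPT [0:0]\n"
        flt = "*filter\n:OUTPUT DROP [0:0]\n"
        # loopback traffic and tor itself bypass redirection
        nat = nat "-A OUTPUT -o lo -j RETURN\n"
        nat = nat "-A OUTPUT -m owner --uid-owner " tor " -j RETURN\n"
        flt = flt "-A OUTPUT -o lo -j ACCEPT\n"
        flt = flt "-A OUTPUT -m owner --uid-owner " tor " -j ACCEPT\n"
        # transproxy leak fix: never let INVALID packets escape to the clearnet
        flt = flt "-A OUTPUT -m state --state INVALID -j DROP\n"
        i = 0
    }
    NF == 2 && $1 !~ /^#/ {
        i++; uid = $2
        nat = nat "-A OUTPUT -m owner --uid-owner " uid " -p udp --dport 53 -j REDIRECT --to-ports " db+i "\n"
        nat = nat "-A OUTPUT -m owner --uid-owner " uid " -p tcp --syn -j REDIRECT --to-ports " tb+i "\n"
        flt = flt "-A OUTPUT -m owner --uid-owner " uid " -d 127.0.0.1 -p udp --dport " db+i " -j ACCEPT\n"
        flt = flt "-A OUTPUT -m owner --uid-owner " uid " -d 127.0.0.1 -p tcp --dport " tb+i " -j ACCEPT\n"
    }
    END { printf "%sCOMMIT\n%sCOMMIT\n", nat, flt }
    '
}

# Constructed sample config: two app UIDs that each get their own circuit.
SAMPLE_CONF='browser 10123
mail 10124'
printf '%s\n' "$SAMPLE_CONF" | gen_rules
```

The printed text can be fed to iptables-restore; the filter table's default DROP is what makes an unconfigured UID loopback-only, as the post describes.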

