Date: Fri, 25 Jul 2014 07:24:10 +0000
From: isis <isis@torproject.org>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Android app: Torrific

CJ transcribed 2.5K bytes:
>
> On 07/24/2014 03:54 PM, u wrote:
> > CJ:
> >> On 07/24/2014 01:23 PM, u wrote:
> >>> Lunar:
> >>>> CJ:
> >>>>> Just a small announce (not sure if this is the right ML, sorry).
> >>>>> I'm developing an Android app allowing to block all IP traffic, and
> >>>>> force only selected app through Orbot.
> >>>>> This is done because neither Orbot nor AFWall (or other free, opensource
> >>>>> Android iptables management interface) seem to be able to do that…
> >>>> Orbot is free software. Isn't there a way to add the needed features
> >>>> directly to it?
> >>>>
> >>>> Sorry if it's a naive question, I'm not very knowledgable regarding
> >>>> Android. But I know that asking our users to install 3 different apps or
> >>>> even more is not friendly.
> >>> AFAIK this works in Orbot if you have a rooted Android device.
> >> Not the "block all other output" part in fact :)
> > That said, I am also interested in your answer to Lunar's question :)
> > Why not contribute to Orbot instead?
> >
> > Cheers!
> It's possible I push some pull-request later, yes.
> But, as said in some previous email, I'm not really sure it's Orbot job
> to set up firewall… I rather prefer dedicated app for dedicated task —
> Orbot main task is, for me, connecting to Tor network… Basically, this
> just doesn't involve the firewall at all.
>
> But yeah, I know, users like "all-in-one apps" — who knows, once
> torrific is ready (i.e. no more broken rules, no more bugs like "craps,
> network's broken")… the devs may get some PR ;).
> Torrific is also, for me, a way to play with android without annoying
> other applications.
>
> To be honest, I'd rather contribute this function in AFWall than Orbot,
> as it already is a firewall manager (and not a bad one).
>
> Cheers,
>
> C.

I agree that this should be done outside Orbot, for several reasons that I'm
not going to get dragged into again. And FWIW, Mike's blog post on Android
security specifically recommends setting up DroidWall (a similar AOS
iptables-based firewall app) with some bash scripts to log and deny all leaky
traffic from Orbot.

My primary concern would be regarding whether Torrific's iptables rules are
applied ASAP after Orbot starts Tor, and I actually can't recommend anything
there (short of building a new initramfs which enforces starting the firewall
from there, early during the boot process).

DroidWall already has a mechanism for running user-specified scripts at
startup... Perhaps the most portable way to do what you're trying to do would
be to add a similar script-sourcing mechanism to AFWall? Then you could simply
maintain a repo of startup scripts which (hopefully) work for any Android
firewall app which supports this mechanism.

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
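
The kind of startup script discussed in the message above, as an added example (not part of the original e-mail, and not code from DroidWall, AFWall, Orbot or Torrific): it sets the fail-closed policy before any other rule, lets only Tor's UID reach the network, and logs then rejects everything else. The function name, the `IPT`/`IPT6` variables and the UID 10123 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed OUTPUT rules of the kind a firewall app's
# startup-script hook could source. Hypothetical names throughout.

# Dry-run by default: commands are printed, not executed. On a rooted
# device, export IPT=iptables and IPT6=ip6tables to apply them.
IPT="${IPT:-echo iptables}"
IPT6="${IPT6:-echo ip6tables}"

# tor_lockdown TOR_UID
#   TOR_UID  numeric uid the Tor daemon runs as (assumption: looked up
#            per device; it is not a fixed value)
tor_lockdown() {
    tor_uid="$1"
    case "$tor_uid" in
        ''|*[!0-9]*)
            echo "tor_lockdown: numeric uid required" >&2
            return 1 ;;
    esac

    # 1. Fail closed first. The DROP policy goes in before the flush, so
    #    there is no window in which the chain is empty and permissive,
    #    and a failure in any later command still leaves traffic blocked.
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT

    # 2. No IPv6 rules are maintained here, so IPv6 output is dropped
    #    outright rather than left as an unfiltered path.
    $IPT6 -P OUTPUT DROP
    $IPT6 -F OUTPUT

    # 3. Loopback stays open so selected apps can reach Tor's local ports.
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 4. Only the Tor process itself may talk to the network.
    $IPT -A OUTPUT -m owner --uid-owner "$tor_uid" -j ACCEPT

    # 5. Everything else is leaky traffic: log it with the sending uid,
    #    then reject it.
    $IPT -A OUTPUT -j LOG --log-prefix "TORLEAK:" --log-uid
    $IPT -A OUTPUT -j REJECT
}

# Constructed sample uid; in dry-run mode this only prints the rules.
tor_lockdown 10123
```

The ordering does not close the gap between boot and the moment the firewall app runs its scripts, which is the concern raised in the message.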

