limit the range of target ports #552
Reference: cwtch.im/cwtch-ui#552
System: Whonix
Target ports refer to the local ports the service will be listening on. On OnionShare, for example, the target ports are `17600-17659`; this makes it easy to whitelist target ports on onion-grater. Then it tries a port in that range to see if it is available or not. However, as Cwtch does not have that yet, I have to allow the `ADD_ONION` target port to be any port Cwtch requests. Although it works, we, the Whonix community, would prefer a range of ports; that way, we make sure that Cwtch does not try to bind an onion service to a local port when it shouldn't. For now, I've had Cwtch bind to ports ranging from 20k to 40k.
Even if the user is not running Whonix, I believe it has the benefit of protecting Cwtch in some way from binding to port 22, for example. Cwtch probably starts above port 1000 to not require root anyway, but a target range is much better than any unused port.
Another reason to make a delimited range of ports is that the Whonix Workstation has to open firewall ports, and opening every port on the system would be bad.
On OnionShare, for example, we only open the required range (https://www.whonix.org/wiki/OnionShare#Firewall_Settings):

```
EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "
```
As of now, I have to scrape the onion-grater logs to see which port the service is being bound to and then open the specific firewall port.
http://gitopcybr57ris5iuivfz62gdwe2qk5pinnt2wplpwzicaybw73stjqd.onion/openprivacy/bine/src/branch/trunk/control/cmd_onion.go#L160-L165
I am not familiar with Go, but I assume this is the part that should have the range.
Edit: Whonix docs: https://www.whonix.org/wiki/Dev/Project_friendly_applications_best_practices#Listen_Port
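The behaviour the report asks for (walk a fixed target-port range and bind the first free local port before the onion service is created), as an added Go example that is not the issue's, Cwtch's or bine's own code; the `PortRange` type, `ListenInRange` function and the refusal of privileged ports below 1024 are this example's assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ErrNoFreePort is returned when every port in the range is already in use.
var ErrNoFreePort = errors.New("no free port in the configured target range")

// PortRange is the set of local ports an onion service may be bound to.
// A narrow, fixed range is what lets a Whonix workstation whitelist the same
// ports in onion-grater and open only those ports in its firewall.
type PortRange struct {
	Low, High int
}

// Validate rejects inverted or out-of-range values and any range that includes
// privileged ports (<1024), so the service can never land on e.g. port 22.
func (r PortRange) Validate() error {
	switch {
	case r.Low < 1024:
		return fmt.Errorf("range must start at or above 1024, got %d", r.Low)
	case r.High > 65535:
		return fmt.Errorf("range must end at or below 65535, got %d", r.High)
	case r.Low > r.High:
		return fmt.Errorf("inverted range %d-%d", r.Low, r.High)
	}
	return nil
}

// ListenInRange tries each port of the range in order and returns the first
// loopback listener it can bind, plus the chosen port. The caller keeps the
// listener (so the port cannot be taken by another process in the meantime)
// and uses the port as the local target side of ADD_ONION.
func ListenInRange(r PortRange) (net.Listener, int, error) {
	if err := r.Validate(); err != nil {
		return nil, 0, err
	}
	for port := r.Low; port <= r.High; port++ {
		ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
		if err != nil {
			continue // already in use, try the next port in the range
		}
		return ln, port, nil
	}
	return nil, 0, ErrNoFreePort
}
```

With a range like OnionShare's `17600-17659`, the firewall rule quoted above and the onion-grater whitelist cover every port this function can return.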
Implemented in: openprivacy/connectivity#47
Initial documentation stub here: https://docs.cwtch.im/docs/platforms/whonix
Doc update cwtch.im/docs.cwtch.im#10