limit the range of target ports #552

Closed
opened 2022-10-14 18:49:08 +00:00 by nyxnor · 4 comments
Contributor

System: Whonix

Target ports referring to local ports the service will be listening on.

OnionShare's target ports, for example, are `17600-17659`; this makes it easy to whitelist target ports on onion-grater. Then it tries a port in that range to see if it is available or not.

However, as Cwtch does not have that yet, I have to allow the ADD_ONION target port to be any port Cwtch requests. Although it works, we, the Whonix community, would prefer a range of ports, in that way, we make sure that Cwtch does not try to bind an onion service to a local port when it shouldn't.

For now, I've had Cwtch bind from ports of numbers ranging from 20k to 40k.

Even if the user is not running Whonix, I believe it has the benefit of protecting Cwtch in some way to bind to port 22 for example. Cwtch probably starts above port 1000 to not require root anyway, but a target range is much better anyway than any unused port.

sarah added the
bug
tor
labels 2022-10-14 19:06:15 +00:00
Author
Contributor

Another reason why to make a delimited range of ports is that the Whonix Workstation has to open firewall ports, and opening every port on the system would be bad.

On OnionShare, for example, we only open the required range
https://www.whonix.org/wiki/OnionShare#Firewall_Settings
`EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "`

As of now, I have to scrape the onion-grater logs to see which port the service is being bound to and then open the specific firewall port.

Author
Contributor

http://gitopcybr57ris5iuivfz62gdwe2qk5pinnt2wplpwzicaybw73stjqd.onion/openprivacy/bine/src/branch/trunk/control/cmd_onion.go#L160-L165

```go
	}
	// Appends one " Port=<virtual>,<target>" pair per requested port to the ADD_ONION command.
	for _, port := range req.Ports {
		cmd += " Port=" + port.Key
		if port.Val != "" {
			cmd += "," + port.Val
		}
	}
```

I am not familiar with Go, but I assume this is the part that should have the range.


Edit: Whonix docs: https://www.whonix.org/wiki/Dev/Project_friendly_applications_best_practices#Listen_Port

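The behaviour this thread asks for, written out as an added Go example that is not Cwtch's, bine's or connectivity's code: pick the first free loopback port inside a configured range and build the `Port=` fragment of an `ADD_ONION` command only when the target port actually lies in that range, so a Whonix firewall or onion-grater allow-list covering the range is always sufficient. The 20000-40000 range is the one the reporter says they configured, not a project default, and the names `PortRange`, `PickFreePort` and `AddOnionPortArg` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
)

// PortRange is the inclusive range of local (target) ports an onion service
// may bind. Example type; not part of Cwtch or bine.
type PortRange struct {
	Low, High int
}

// DefaultRange mirrors the 20k-40k range mentioned in the issue (constructed
// example value, not a Cwtch default).
var DefaultRange = PortRange{Low: 20000, High: 40000}

// Validate rejects ranges that are empty, reach into privileged ports, or
// exceed the TCP port space, so a misconfiguration cannot widen the allow-list.
func (r PortRange) Validate() error {
	if r.Low < 1024 || r.High > 65535 || r.Low > r.High {
		return fmt.Errorf("invalid port range %d-%d", r.Low, r.High)
	}
	return nil
}

// Contains reports whether port lies inside the range.
func (r PortRange) Contains(port int) bool {
	return port >= r.Low && port <= r.High
}

// PickFreePort walks the range in order and returns the first port that can be
// bound on loopback, together with the open listener so the caller keeps the
// port reserved (closing it first would invite a race with another process).
// It never falls back to a port outside the range.
func PickFreePort(r PortRange) (int, net.Listener, error) {
	if err := r.Validate(); err != nil {
		return 0, nil, err
	}
	for p := r.Low; p <= r.High; p++ {
		ln, err := net.Listen("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(p)))
		if err != nil {
			continue // port in use or otherwise unavailable; try the next one
		}
		return p, ln, nil
	}
	return 0, nil, errors.New("no free port in allowed range")
}

// AddOnionPortArg builds the " Port=<virt>,<target>" fragment of a Tor
// ADD_ONION command, in the same shape as the bine loop quoted above, but
// refuses a target port outside the allowed range so the controller request
// can never ask Tor to forward to an unexpected local port (e.g. 22).
func AddOnionPortArg(virtPort, targetPort int, r PortRange) (string, error) {
	if !r.Contains(targetPort) {
		return "", fmt.Errorf("target port %d outside allowed range %d-%d", targetPort, r.Low, r.High)
	}
	return fmt.Sprintf(" Port=%d,127.0.0.1:%d", virtPort, targetPort), nil
}

func main() {
	port, ln, err := PickFreePort(DefaultRange)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer ln.Close()
	arg, _ := AddOnionPortArg(9878, port, DefaultRange)
	fmt.Printf("ADD_ONION NEW:ED25519-V3%s\n", arg)
}
```

Because the listener is returned open, the application should hand that same socket to its service rather than closing it and re-binding; that is what turns the "try a port in that range" step the reporter describes for OnionShare into a reservation rather than a guess. With the range fixed in configuration, the matching firewall line is simply `seq <Low> <High>`, as in the OnionShare example above.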
sarah added the
cwtch-beta-1.10
label 2022-10-20 18:57:23 +00:00
sarah added this to the Cwtch Beta (In Progress) project 2022-10-20 18:57:30 +00:00
sarah added the
bugbash
label 2022-10-22 15:56:34 +00:00
sarah removed the
cwtch-beta-1.10
label 2022-11-22 21:06:55 +00:00
sarah added the
whonix
label 2023-03-29 19:33:02 +00:00
sarah added the
stable-blocker
label 2023-08-14 20:40:07 +00:00
sarah modified the project from Cwtch Beta (In Progress) to Stable Blockers 2023-08-14 20:40:22 +00:00
Owner

Implemented in: openprivacy/connectivity#47 (https://git.openprivacy.ca/openprivacy/connectivity/pulls/47)

Initial documentation stub here: https://docs.cwtch.im/docs/platforms/whonix

Author
Contributor
Doc update https://git.openprivacy.ca/cwtch.im/docs.cwtch.im/pulls/10
sarah closed this issue 2023-09-19 20:39:55 +00:00
sarah added the
cwtch-beta-1.13
label 2023-09-19 20:46:39 +00:00
Reference: cwtch.im/cwtch-ui#552