From 2c9ec9d89462627c3c5d4976c386973958bf20e0 Mon Sep 17 00:00:00 2001
From: Sarah Jamie Lewis
Date: Wed, 16 Aug 2023 10:46:02 -0700
Subject: [PATCH] Clean up and seperate flags

---
 tor/torProvider.go | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/tor/torProvider.go b/tor/torProvider.go
index bdc65e2..35be9a6 100644
--- a/tor/torProvider.go
+++ b/tor/torProvider.go
@@ -270,14 +270,23 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
 
 	var localListener net.Listener
 	var err error
-	if bineWhonix := os.Getenv("BINE_WHONIX"); strings.ToLower(bineWhonix) == "true" {
-		if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
-			localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport))
-		}
+
+	if cwtchRestrictPorts := os.Getenv("CWTCH_RESTRICT_PORTS"); strings.ToLower(cwtchRestrictPorts) == "true" {
 		// for whonix like systems we tightly restrict possible listen...
 		// pick a random port between 15300 and 15378
 		// cwtch = 63 *77 *74* 63* 68 = 1537844616
-		localport = 15300 + ((localport - 1024) % 78)
+		log.Infof("using restricted ports, CWTCH_RESTRICT_PORTS=true");
+		localport = 15300 + (localport % 78)
+	}
+
+	if bindExternal := os.Getenv("CWTCH_BIND_EXTERNAL_WHONIX"); strings.ToLower(bindExternal) == "true" {
+		if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
+			log.Infof("WARNING: binding to external interfaces. This is potentially unsafe outside of a containerized environment.");
+			localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport))
+		} else {
+			log.Errorf("CWTCH_BIND_EXTERNAL_WHONIX flag set, but /usr/share/anon-ws-base-files/workstation does not exist. Defaulting to binding to local ports");
+			localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
+		}
 	} else {
 		localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
 	}
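Review bot: The loopback `net.Listen` call is now duplicated in the inner `else` of the `CWTCH_BIND_EXTERNAL_WHONIX` branch and in the outer `else`, so the two safe fallbacks can drift apart; resolving the bind host first and issuing a single `net.Listen` keeps the loopback default in exactly one place. The `// pick a random port between 15300 and 15378` comment no longer matches `localport % 78`, which yields 15300–15377 and is derived from `localport` rather than random, so the comment should read `// map the requested port onto the restricted range 15300-15377`. The trailing semicolons on the three `log.*` calls are not gofmt-clean and will be stripped on the next format. The `WARNING:` about binding to external interfaces is emitted through `log.Infof`; if the logger offers a warning level, using it would let operators filter on it, but the logger API is not visible in the hunk. `Listen` starts before and continues after this hunk.
```go
	bindHost := "127.0.0.1"
	if bindExternal := os.Getenv("CWTCH_BIND_EXTERNAL_WHONIX"); strings.ToLower(bindExternal) == "true" {
		if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
			log.Infof("WARNING: binding to external interfaces. This is potentially unsafe outside of a containerized environment.")
			bindHost = "0.0.0.0"
		} else {
			log.Errorf("CWTCH_BIND_EXTERNAL_WHONIX flag set, but /usr/share/anon-ws-base-files/workstation does not exist. Defaulting to binding to local ports")
		}
	}
	// single listen call: every path other than the verified Whonix case stays on loopback
	localListener, err = net.Listen("tcp", net.JoinHostPort(bindHost, strconv.Itoa(localport)))
```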