Clarified and Split Apart Environment Variables that alter port binding behaviour. #47
|
@ -10,6 +10,8 @@ A library providing an ACN (Anonymous Communication Network
|
|||
## Environment Variables
|
||||
|
||||
- `TOR_LD_LIBRARY_PATH` - override the library path given to the Tor process as different from the one given to the parent process.
|
||||
- `CWTCH_RESTRICT_PORTS` - forces connectivity to bind to a subset of ports `15000-15378`
|
||||
- `CWTCH_BIND_EXTERNAL_WHONIX` - forces connectivity to bind to external interfaces (only supported/recommended on certain Whonix-based setups. Please open an issue if you think this should be expanded.)
|
||||
|
||||
## Requirements for ACN Support
|
||||
|
||||
|
@ -54,4 +56,4 @@ service:
|
|||
acn.Restart()
|
||||
and
|
||||
|
||||
acn.Close()
|
||||
acn.Close()
|
||||
|
|
|
@ -270,9 +270,22 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
|
|||
|
||||
var localListener net.Listener
|
||||
var err error
|
||||
if bineWhonix := os.Getenv("BINE_WHONIX"); strings.ToLower(bineWhonix) == "true" {
|
||||
|
||||
if cwtchRestrictPorts := os.Getenv("CWTCH_RESTRICT_PORTS"); strings.ToLower(cwtchRestrictPorts) == "true" {
|
||||
|
||||
// for whonix like systems we tightly restrict possible listen...
|
||||
// pick a random port between 15000 and 15378
|
||||
// cwtch = 63 *77 *74* 63* 68 = 1537844616
|
||||
dan
commented
don't understand this line
sarah
commented
I had to pick a subrange of ports (technically we could allow these to be configurable, but the additional complexity does not seem worth it at the moment), and this is how I arrived at the top of the range.
|
||||
log.Infof("using restricted ports, CWTCH_RESTRICT_PORTS=true");
|
||||
dan
commented
since it's not a specified range, why not call it WHONIX_PORTS since that's what it is
sarah
commented
there are other possible use cases for this flag, e.g. any containerized OS, not just Whonix.
|
||||
localport = 15000 + (localport % 378)
|
||||
}
|
||||
|
||||
if bindExternal := os.Getenv("CWTCH_BIND_EXTERNAL_WHONIX"); strings.ToLower(bindExternal) == "true" {
|
||||
if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
|
||||
log.Infof("WARNING: binding to external interfaces. This is potentially unsafe outside of a containerized environment.");
|
||||
localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport))
|
||||
} else {
|
||||
log.Errorf("CWTCH_BIND_EXTERNAL_WHONIX flag set, but /usr/share/anon-ws-base-files/workstation does not exist. Defaulting to binding to local ports");
|
||||
localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
|
||||
}
|
||||
} else {
|
||||
localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
|
||||
|
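Review bot: The `CWTCH_BIND_EXTERNAL_WHONIX` branch treats any `os.Stat` failure other than not-exist as proof that the Whonix marker file is present, so a permission error or other transient stat failure would still bind the listener to `0.0.0.0`; the guard should be `if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); ferr == nil {`, and the `log.Errorf` in the else branch should include `ferr` so the reason for falling back is visible. The comment `// pick a random port between 15000 and 15378` and the README line `15000-15378` overstate the range by one, since `localport % 378` yields at most 15377; either change the comment and README to `15377` or use `% 379`. The `log.Infof(...)`/`log.Errorf(...)` statements end in semicolons that gofmt would drop, and the external-binding message is a warning emitted at info level — a warning level, if the logger provides one, would make it easier to notice in logs. Listen begins and ends outside this hunk.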
@ -298,6 +311,8 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
|
|||
return nil, err
|
||||
}
|
||||
|
||||
// We need to set os.ID here, otherwise os.Close() may not shut down the onion service properly...
|
||||
os.ID = onion
|
||||
os.CloseLocalListenerOnClose = true
|
||||
|
||||
ols := &onionListenService{os: os, tp: tp}
|
||||
|
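Review bot: `os.ID = onion` assigns a field of a local variable named `os`, which shadows the `os` package that the same function now calls (`os.Getenv`, `os.Stat`) in the earlier hunk, so a reader has to work out which `os` each line refers to; since the local's declaration is outside this hunk, the fix is a rename there, for example to `onionSvc`, with these lines becoming `onionSvc.ID = onion` and `onionSvc.CloseLocalListenerOnClose = true`. Listen's body continues outside this hunk.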
|
from the docs i thought i could specify the range on the cmd line. can't we just change this to an `.exists()` check as a flag? any value means it was set?

I'd rather be explicit. Someone setting this to "false" should not be surprised.