1

Topic: Hypertorify contributions welcome.

Hello folks, I'm working on hypertorify, a fork of archtorify to completely enable the networking of Hyperbola v0.4 via tor. It uses nftables instead of archtorify's iptables, and openrc instead of systemd.

https://notabug.org/sagaracharya/hypertorify

Contributions are welcome.

Today, the forces which make the rich richer and poor poorer have their roots in computer security. Never has it been more important to work towards abolishing the power of the powerful.

Let's use hyperbola or other libre OSes and strive towards stateless hardware (Rutkowska 2015). Let's use PinePhone and shun Android and iPhone which pretend to be secure.

2

Re: Hypertorify contributions welcome.

How does tor work in hyperbola? The package tor

There's the tor daemon, dhcpcd, and applications. How do these interact with each other? How are packets transferred?

What are some typical permissions these components need?


3 (edited by sagaracharya 2021-10-28 17:27:25)

Re: Hypertorify contributions welcome.

I've made a fair bit of progress. However, tor is unable to start with the DNSPort configuration option set to 53. Can someone test this?

1. Clone the above-mentioned git repo.
2. Back up two files, /etc/resolv.conf and /etc/tor/torrc.
3. Run:

doas make install
doas archtorify -t

4. Test. At the end, restore /etc/resolv.conf and /etc/tor/torrc.

In case you messed up the backup, restart the computer for the default resolv.conf, remove /etc/tor/torrc and install tor with pacman -S tor.

The issue lies with starting the service ghost, which can be tested independently after replacing the default /etc/tor/torrc with the hypertorify torrc, with:

doas rc-service ghost start

4

Re: Hypertorify contributions welcome.

Error log:

Oct 28 22:46:13.659 [notice] Tor 0.4.5.9 running on Linux with Libevent 2.1.12-stable, OpenSSL LibreSSL 3.2.6, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.4.5 and Glibc 2.30 as libc.
Oct 28 22:46:13.659 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Oct 28 22:46:13.659 [notice] Read configuration file "/etc/tor/torrc".
Oct 28 22:46:13.661 [notice] Opening Socks listener on 127.0.0.1:9050
Oct 28 22:46:13.661 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Oct 28 22:46:13.661 [notice] Opening DNS listener on 127.0.0.1:53
Oct 28 22:46:13.661 [warn] Could not bind to 127.0.0.1:53: Permission denied
Oct 28 22:46:13.661 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Oct 28 22:46:13.661 [notice] Opened Transparent pf/netfilter listener connection (ready) on 127.0.0.1:9040
Oct 28 22:46:13.661 [notice] Closing partially-constructed Socks listener connection (ready) on 127.0.0.1:9050
Oct 28 22:46:13.661 [notice] Closing partially-constructed Transparent pf/netfilter listener connection (ready) on 127.0.0.1:9040
Oct 28 22:46:13.661 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Oct 28 22:46:13.661 [err] Reading config failed--see warnings above.


5

Re: Hypertorify contributions welcome.

Solved the above problem and made hypertorify very lean. However, I'm unable to make all requests by any application use tor by default. I have translated the nftables rules and they can be seen in the above repo. When I enable the nftables service, there's no network.

I'd appreciate some help from someone who knows nftables config.

Added a dependency on tor-hardened-preferences for hypertorify.


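The bind error in post 4 and the nftables question in post 5 are two halves of one problem. Binding a port below 1024 needs root or CAP_NET_BIND_SERVICE, so a tor daemon that runs as an unprivileged user cannot own 127.0.0.1:53; the usual answer is to put DNSPort on a high port and let the firewall redirect port 53 to it, and to redirect every other new TCP connection to the TransPort in the same nat chain. The ruleset below is an added example for this thread, not hypertorify's or archtorify's own rules. It assumes a torrc with TransPort 127.0.0.1:9040 and DNSPort 127.0.0.1:5353, a daemon user named tor, and the bypass list shown; all of these are assumptions that have to match the local torrc and network. The nat output chain (priority dstnat) runs before the filter output chain (priority filter), and the kernel re-routes a rewritten packet between the two, so the filter chain sees a redirected connection as loopback traffic to 127.0.0.1, and its drop policy catches anything that was not redirected.

```nft
#!/sbin/nft -f
# Added example for this thread, not hypertorify's or archtorify's own rules.
# Transparent torification of every outbound connection on a single host.
#
# Assumed /etc/tor/torrc settings (assumptions, adjust to the local torrc):
#   TransPort 127.0.0.1:9040
#   DNSPort   127.0.0.1:5353
# Assumed daemon user: "tor". Being unprivileged, it cannot bind 127.0.0.1:53
# ("Could not bind to 127.0.0.1:53: Permission denied"), so port 53 is
# redirected to the DNSPort on 5353 below instead of being bound by tor.

flush ruleset

# Destinations never sent through Tor: loopback, link-local, RFC 1918,
# multicast and the limited broadcast address (dhcpcd talks to the last one).
define no_tor_v4 = { 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4,
                     255.255.255.255 }

table ip nat {
    chain output {
        type nat hook output priority dstnat; policy accept;

        # Tor's own connections to guards and directory servers must leave
        # untouched, otherwise Tor would be redirected into itself.
        meta skuid "tor" return

        # DNS first, before the local-network bypass: a resolv.conf that still
        # points at a LAN resolver would otherwise leak every lookup.
        # Only UDP; TCP DNS is an ordinary TCP stream and takes the TransPort.
        udp dport 53 redirect to :5353

        oifname "lo" return
        ip daddr $no_tor_v4 return

        # Every other new TCP connection goes to Tor's TransPort (mirrors the
        # iptables "-p tcp --syn -j REDIRECT --to-ports 9040" rule).
        tcp flags syn redirect to :9040
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        iifname "lo" accept
        # DHCP offers/acks for dhcpcd; broadcast replies do not always match conntrack
        udp sport 67 dport 68 accept
        counter log prefix "nft.in.dropped: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;
        ct state { established, related } accept
        # Only the tor daemon may reach the Internet directly.
        meta skuid "tor" accept
        # Redirected connections were re-routed to loopback by the nat chain
        # above; the explicit listener rules document what is expected there.
        oifname "lo" accept
        ip daddr 127.0.0.1 tcp dport 9040 accept
        ip daddr 127.0.0.1 udp dport 5353 accept
        # Local networks and DHCP renewals stay direct (same set as the nat bypass).
        ip daddr $no_tor_v4 accept
        udp sport 68 dport 67 accept
        # Anything left is a leak: non-DNS UDP, ICMP and all IPv6 (the nat
        # table is IPv4-only and Tor carries TCP only). Count and log it,
        # then the chain policy drops it.
        counter log prefix "tor.leak.dropped: "
    }
}
```

Load it with doas nft -f on the file the openrc nftables service reads (that path is distribution-specific) and check the result with doas nft list ruleset. Two checks are worth doing before blaming the rules: running tor --verify-config as the tor user reproduces the port 53 bind failure without touching the service, and ss -lntup must show listeners on 127.0.0.1:9040 and 127.0.0.1:5353, because if tor is not running or listens on other ports every connection is redirected into a closed port and the symptom is exactly "no network". While an application is in use, the counter on the tor.leak.dropped rule shows whether anything is still trying to leave outside Tor. IPv6 is dropped rather than torified by this ruleset, for the reason given in the comments.
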
6

Re: Hypertorify contributions welcome.

sagaracharya wrote:

Solved the above problem and made hypertorify very lean. However, I'm unable to make all requests by any application use tor by default. I have translated the nftables rules and they can be seen in the above repo. When I enable the nftables service, there's no network.

I'd appreciate some help from someone who knows nftables config.

Added a dependency on tor-hardened-preferences for hypertorify.

Hey! Here is an example of nftables rules:

#!/sbin/nft -f
# vim:set ts=4:

# Clear all prior state
flush ruleset

# The mangle and raw tables are empty; they only mirror the iptables layout.
table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority mangle; policy accept;
    }

    chain INPUT {
        type filter hook input priority mangle; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
    }

    chain OUTPUT {
        # "type route" re-routes locally generated packets whose headers this chain changes
        type route hook output priority mangle; policy accept;
    }

    chain POSTROUTING {
        type filter hook postrouting priority mangle; policy accept;
    }
}
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state { established, related } counter accept
        iifname "lo" counter accept
        # icmp, rate limited
        icmp type { echo-request } limit rate 4/second accept
        icmpv6 type { echo-request } limit rate 4/second accept
        # allow dns, ssh, http, https from another pc
        tcp dport { 22, 51022 } counter accept comment "OpenSSH"
        tcp dport 53 counter accept comment "accept DNS from TCP"
        udp dport 53 counter accept comment "accept DNS from UDP"
        tcp dport { 80, 443 } counter accept comment "WWW Full"
        counter comment "count input dropped packets"
        # log all remaining packets before the drop policy takes them
        # (meta l4proto matches IPv4 and IPv6 in an inet table; ip protocol would match IPv4 only)
        meta l4proto tcp counter log prefix "tcp.in.dropped: "
        meta l4proto udp counter log prefix "udp.in.dropped: "
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter comment "count forward dropped packets"
    }

    chain OUTPUT {
        type filter hook output priority filter; policy drop;
        ct state { established, related } counter accept
        oifname "lo" counter accept
        # DNS lookups myself
        udp dport { 53 } accept
        # any connection opened from an unprivileged source port may leave
        tcp sport 1024-65535 counter accept
        udp sport 1024-65535 counter accept
        counter comment "count output dropped packets"
        meta l4proto tcp counter log prefix "tcp.out.dropped: "
        meta l4proto udp counter log prefix "udp.out.dropped: "
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain INPUT {
        type nat hook input priority 100; policy accept;
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}

Ref: https://wiki.nftables.org/wiki-nftables … 10_minutes

~ Jesús E.
Hyperbola, Security Team