# Running Tor service in the jail environment



## Mr_Dragon (Dec 11, 2018)

I want to torify my FreeBSD old machine purposed to mainly darknet activities.

Should I worry about these errors during creating jail?

```
Warning: Some services already seem to be listening on all IP, (including 127.0.1.1)
  This may cause some confusion, here they are:
root     ntpd       58008 20 udp6   *:123                 *:*
root     ntpd       58008 21 udp4   *:123                 *:*
root     lpd        48726 6  tcp6   *:515                 *:*
root     lpd        48726 7  tcp4   *:515                 *:*
Warning: Some services already seem to be listening on IP 192.168.1.105
  This may cause some confusion, here they are:
root     ntpd       58008 23 udp4   192.168.1.105:123     *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.1.105)
  This may cause some confusion, here they are:
root     ntpd       58008 20 udp6   *:123                 *:*
root     ntpd       58008 21 udp4   *:123                 *:*
root     lpd        48726 6  tcp6   *:515                 *:*
root     lpd        48726 7  tcp4   *:515                 *:*
```

Should jail have access to loopback interface and public Ethernet interface assuming that all traffic from this machine will be routed through Tor? Is it necessary to set up a virtual network interface to communicate between jails?


----------



## Bobi B. (Dec 11, 2018)

Some services, including ntpd(8), monitor network configuration changes and dynamically bind to all (existing and new) addresses and unbind from addresses gone. Other services bind to `0.0.0.0`, or any address. Obviously this will cause problems if you try to run more than one such service -- on the host, and in jails -- in the same time. Their bindings will clash. You don't have to worry, as long as you know what you're doing.

If you need to run more than one such service you'll have to modify its configuration, so it is bound to (listens to) on a specific address only: host node's address, or jail's address.

But I don't know how tor service works, specifically how its traffic routing works.


----------



## ShelLuser (Dec 11, 2018)

Running a tor service in a jail is probably not a good idea because a jail has very limited access to the network stack of the host. It cannot change the routing table for example and if I recall correctly the same applies to virtual network devices (which cannot be created by the jail itself).

Such network routing services are best used on the host.


----------



## Remington (Dec 11, 2018)

You should use Vimage or Bhyve if you don't want Tor on the host.


----------



## SirDice (Dec 11, 2018)

Tor is a proxy, it doesn't do any traditional TCP/IP routing. Which also means you can't use it to "hide" arbitrary TCP or UDP connections (you have to proxy your services through the Tor proxy).

Would it work in a jail? Probably. It's not going to be any different from running Squid in a jail for example.


----------



## Mr_Dragon (Dec 11, 2018)

Bobi B. said:

> Some services, including ntpd(8), monitor network configuration changes and dynamically bind to all (existing and new) addresses and unbind from addresses gone. Other services bind to 0.0.0.0, or any address. Obviously this will cause problems if you try to run more than one such service -- on the host, and in jails -- in the same time. Their bindings will clash. You don't have to worry, as long as you know what you're doing.



How do I prevent ntpd or lpd services running in the jails? How do I create subnet purposed to handle traffic inside the jails?



			
				ShelLuser said:
			
		

> Running a tor service in a jail is probably not a good idea because a jail has very limited access to the network stack of the host. It cannot change the routing table for example and if I recall correctly the same applies to virtual network devices (which cannot be created by the jail itself).


I'm considering running Tor in a jail because I want to ensure the system won't be compromised if the Tor service is compromised.


----------



## SirDice (Dec 11, 2018)

Mr_Dragon said:


> How do I prevent ntpd or lpd services running in the jails?


Neither are started by default. So don't enable them. But besides that, most network daemons can be configured to listen on 1 or more specific IP addresses; tie that daemon to its specific jail IP address(es). You can usually find how to do that in the man pages. Sometimes you have to edit a configuration file, sometimes an additional flag in rc.conf is needed.



> How do I create subnet purposed to handle traffic inside the jails?


In exactly the same way as you would create a subnet on a "real" network. You pick a network range with an appropriate subnet mask and make sure it's unique within your network. Routing does the rest.


----------



## freezebee (Dec 11, 2018)

Running tor clients and relays in jails is easy to maintain and safe in function. FreeBSD offers an excellent environment with jails.

Mr_Dragon said:


> Should jail have access to loopback interface and public Ethernet interface




```
# nano /etc/rc.conf # on host
cloned_interfaces="${cloned_interfaces} lo1"
ifconfig_lo1="inet  10.10.10.1/32"
jail_enable="YES"
jail_list="jailfoo"
```



> assuming that all traffic from this machine will be routed through Tor?


What do you want to reach? Check your motivation. 'All' traffic, including host ntp, freebsd-update etc., is maybe not the best idea.
Have you read the Tor people's recommendations?



> Is it necessary to set up a virtual network interface to communicate between jails?


See above.


ShelLuser said:


> Such network routing services are best used on the host.


You can run lots of tor clients or relays each in its own jail.


Remington said:


> You should use Vimage or Bhyve if you don't want Tor on the host.


No need. Just bare jails are fine.

```
# nano /etc/jail.conf # host
jailfoo {
        host.hostname = "hostfoo";
        interface = lo1;
        ip4.addr = 10.10.10.1;
        path ="/usr/jail/jailfoo";
        mount.devfs;
        devfs_ruleset = "3";
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

SirDice said:


> Would it work in a jail? Probably.


Works like a charm. pf rdr for relays. pf nat for relays and clients.


Mr_Dragon said:


> How do I prevent ntpd or lpd services running in the jails? How do I create subnet purposed to handle traffic inside the jails?


A jail is a subsystem in your case for the tor daemon. No need to run other daemons there.

```
# jexec jailfoo cat /etc/rc.conf # in jail
network_interfaces=""
rpcbind_enable="NO"
cron_flags="$cron_flags -J 15"
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
sshd_enable="NO"
ntpd_enable="NO"
tor_enable="YES"
```



> I'm considering running Tor in a jail because I want to ensure the system won't be compromised if the Tor service is compromised.


+1

I hope that helps. And please think twice before feeling safe in what can be reached in the proxy world. Have fun

PS: Forgive me, quotes are not my strength.
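The "pf rdr for relays, pf nat for relays and clients" part of the post above is not spelled out in the thread. The following host-side /etc/pf.conf is an added example written for this page; it is not freezebee's configuration. It reuses the jail address 10.10.10.1 on lo1 from the rc.conf and jail.conf shown in the post and assumes an external interface named em0 and a relay ORPort of 9001 (both assumptions; set them to your own interface and to the ORPort in the jail's torrc). Clients need only the nat rule; the rdr and the matching pass in rule are only for a relay.

```conf
# /etc/pf.conf on the host (added example, not from the thread)
# Macros: em0 and port 9001 are assumptions, 10.10.10.1 is the jail address from the thread
ext_if     = "em0"
tor_jail   = "10.10.10.1"
tor_orport = "9001"

# Options: leave the host's own loopback alone
set skip on lo0

# Translation rules must come before filter rules.
# Client or relay: the jail's 10.10.10.1 is not routable beyond the host,
# so rewrite its outgoing packets to the host's address on the external interface.
nat on $ext_if inet from $tor_jail to any -> ($ext_if)

# Relay only: hand inbound ORPort connections to the jail.
# The filter rules below see the translated destination (10.10.10.1), not the host address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $tor_orport -> $tor_jail port $tor_orport

# Filtering: default deny, log what is dropped
block log all

# Host and (NATed) jail traffic out; state keeps the replies flowing back
pass out quick on $ext_if inet from ($ext_if) to any keep state

# Relay only: accept the redirected ORPort connections into the jail
pass in quick on $ext_if inet proto tcp from any to $tor_jail port $tor_orport flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect the loaded translation and filter rules with `pfctl -sn` and `pfctl -sr`. Nothing here changes the routing table, which fits ShelLuser's point: the jail never needs to, because NAT and redirection happen in the host's pf.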


----------



## jbo (Aug 28, 2020)

freezebee said:


> Works like a charme. pf rdr for relays. pf nat for relays and clients.


Would you mind sharing a corresponding pf configuration snippet as a starting point for people coming along this in the future?


----------

