Re: documentation/behavior unclear of (tor-hidden-service)
On 17-03-06 13:47:12, Leo Famulari wrote: > On Mon, Mar 06, 2017 at 06:00:30PM +, ng0 wrote: > > from my experience they are not needed for a relay. Okay, they would be > > useful to increase security and to see how how Chinese government > > officials and their automated services want to get into your server, but > > it's not really necessary for the relay. > > Slight nitpick: In my experience with iptables, it's not just Chinese > officials that want to break in to my servers, but rather a dazzling > multitude of people from all over the world ;) > My experience with OpenNIC and tor on the server side was that it's mostly government IPs running lazy standard methods trying to get in where they won't get in anyway. Just don't use port 22, rate-limit connections (with OpenNIC this worked a bit) and the IPs which traced back directly to those red zones in chinese cities marked as "military/government zones" went away :). But yeah, with tor they were in company of russia, USA, and other nations trying to do the same ;D
Re: documentation/behavior unclear of (tor-hidden-service)
On Mon, Mar 06, 2017 at 06:00:30PM +, ng0 wrote: > from my experience they are not needed for a relay. Okay, they would be > useful to increase security and to see how how Chinese government > officials and their automated services want to get into your server, but > it's not really necessary for the relay. Slight nitpick: In my experience with iptables, it's not just Chinese officials that want to break in to my servers, but rather a dazzling multitude of people from all over the world ;)
Re: documentation/behavior unclear of (tor-hidden-service)
On 17-03-06 08:19:00, dian_ce...@zoho.com wrote: > On Mon, 6 Mar 2017 12:08:20 + > ng0wrote:> > > Maybe someone else can try and implement this, I only know what'S > > needed for running the relay but can't do it at the moment ;) > > Just for reference sake: > https://www.torproject.org/docs/tor-doc-relay.html.en > > What is the policy on creating/modifying firewalls? Would any relay > service be allowed to automatically reconfigure the firewall to allow > a relay to run? Does the sysadmin have to configure it theirself > (English really needs gender-neutral pronouns.)? Does anything else in themselves, there are gender neutral pronouns in english. > GuixSD modify the firewall at this point? No, there are no services for iptables or nftables at this point. And from my experience they are not needed for a relay. Okay, they would be useful to increase security and to see how how Chinese government officials and their automated services want to get into your server, but it's not really necessary for the relay. The relays are just some definitions in the torrc, and that's it. I would only ask people who currently or previously ran a tor relay, maybe even with Guix/GuixSD, to work on this. You can't break anything, but to test it would be good. Which is something I can't do currently. > These all feel like rather important questions to me that need > answering before anyone does this. > >
Re: documentation/behavior unclear of (tor-hidden-service)
On Mon, 6 Mar 2017 12:08:20 + ng0wrote:> > Maybe someone else can try and implement this, I only know what'S > needed for running the relay but can't do it at the moment ;) Just for reference sake: https://www.torproject.org/docs/tor-doc-relay.html.en What is the policy on creating/modifying firewalls? Would any relay service be allowed to automatically reconfigure the firewall to allow a relay to run? Does the sysadmin have to configure it theirself (English really needs gender-neutral pronouns.)? Does anything else in GuixSD modify the firewall at this point? These all feel like rather important questions to me that need answering before anyone does this.
Re: documentation/behavior unclear of (tor-hidden-service)
ng0skribis: > On 17-03-06 11:13:32, Ludovic Courtès wrote: >> Hi! >> >> ng0 skribis: >> >> > moving on, this could be improved: >> > In case one aims for keeping the config public this is a bad idea but >> > what about creating the hostname + private_key in $name as plain-file? >> > Would this be overwritten by (tor-hidden-service) or would this just be >> > bad practice but "whatever works for you"? >> >> Tor is stateful here: it creates the >> /var/lib/tor/hidden-services/SERVICE directory once, and then never >> touches it again. >> >> Do you think our documentation should be improved? Could you suggest a >> patch that improves things, while at the same time not paraphrasing too >> much of Tor’s own documentation? [...] > What do you think about the private-key + hostname option? Too much > of bad practice to implement it for the service? What do you mean? Now that I checked, I see the documentation explains exactly what I wrote above, with a link to upstream’s documentation for details. What should we add? > I was thinking of adding a (tor-relay-node) once I have the option to > run a GuixSD system not in my home and/or other circumstances are > solved which now prevent certain things. Would be nice. Thanks, Ludo’.
Re: documentation/behavior unclear of (tor-hidden-service)
On 17-03-06 11:13:32, Ludovic Courtès wrote: > Hi! > > ng0skribis: > > > moving on, this could be improved: > > In case one aims for keeping the config public this is a bad idea but > > what about creating the hostname + private_key in $name as plain-file? > > Would this be overwritten by (tor-hidden-service) or would this just be > > bad practice but "whatever works for you"? > > Tor is stateful here: it creates the > /var/lib/tor/hidden-services/SERVICE directory once, and then never > touches it again. > > Do you think our documentation should be improved? Could you suggest a > patch that improves things, while at the same time not paraphrasing too > much of Tor’s own documentation? > > Thanks, > Ludo’. > Thanks. I'll think of something along the lines next time I have time to spend for documentation. What do you think about the private-key + hostname option? Too much of bad practice to implement it for the service? I was thinking of adding a (tor-relay-node) once I have the option to run a GuixSD system not in my home and/or other circumstances are solved which now prevent certain things. Maybe someone else can try and implement this, I only know what'S needed for running the relay but can't do it at the moment ;)
Re: documentation/behavior unclear of (tor-hidden-service)
Hi! ng0skribis: > moving on, this could be improved: > In case one aims for keeping the config public this is a bad idea but > what about creating the hostname + private_key in $name as plain-file? > Would this be overwritten by (tor-hidden-service) or would this just be > bad practice but "whatever works for you"? Tor is stateful here: it creates the /var/lib/tor/hidden-services/SERVICE directory once, and then never touches it again. Do you think our documentation should be improved? Could you suggest a patch that improves things, while at the same time not paraphrasing too much of Tor’s own documentation? Thanks, Ludo’.
Re: documentation/behavior unclear of (tor-hidden-service)
On 17-03-04 15:59:16, ng0 wrote: > I have a question regarding the (tor-hidden-service) service. > > When I have an previously generated hostname, let's call it > "fooschnickens1234.onion" for the purpose of this message, my approach > on a system like Gentoo was to manually place the hostname and > private-key into the /var/lib/tor/hidden-services/$name-i-gave-in-torrc > folder and change the permissions afterwards. > > Now this service is unclear about wether it would overwrite the files I > have when the new system generation is done building (reconfigure). > > It would be good to know wether the files can be copied into place in > advance or if one has to wait to replace it afterwards. > Okay, be your own testpilot: A quick 'guix system build config.scm' and before reconfiguring inserting my values into the then new generated /var/lib/tor/hidden-services/foo/ and the files in there, then running reconfigure, rebooting and I can connect to my hostname(s). moving on, this could be improved: In case one aims for keeping the config public this is a bad idea but what about creating the hostname + private_key in $name as plain-file? Would this be overwritten by (tor-hidden-service) or would this just be bad practice but "whatever works for you"?