Re: documentation/behavior unclear of (tor-hidden-service)

[ng0]

On 17-03-06 13:47:12, Leo Famulari wrote:
> On Mon, Mar 06, 2017 at 06:00:30PM +, ng0 wrote:
> > from my experience they are not needed for a relay. Okay, they would be
> > useful to increase security and to see how how Chinese government
> > officials and their automated services want to get into your server, but
> > it's not really necessary for the relay.
> 
> Slight nitpick: In my experience with iptables, it's not just Chinese
> officials that want to break in to my servers, but rather a dazzling
> multitude of people from all over the world ;)
> 
My experience with OpenNIC and tor on the server side was that it's
mostly government IPs running lazy standard methods trying to get in
where they won't get in anyway.
Just don't use port 22, rate-limit connections (with OpenNIC this worked
a bit) and the IPs which traced back directly to those red zones in
chinese cities marked as "military/government zones" went away :).

But yeah, with tor they were in company of russia, USA, and other
nations trying to do the same ;D

Re: documentation/behavior unclear of (tor-hidden-service)

[Leo Famulari]

On Mon, Mar 06, 2017 at 06:00:30PM +, ng0 wrote:
> from my experience they are not needed for a relay. Okay, they would be
> useful to increase security and to see how how Chinese government
> officials and their automated services want to get into your server, but
> it's not really necessary for the relay.

Slight nitpick: In my experience with iptables, it's not just Chinese
officials that want to break in to my servers, but rather a dazzling
multitude of people from all over the world ;)

Re: documentation/behavior unclear of (tor-hidden-service)

[ng0]

On 17-03-06 08:19:00, dian_ce...@zoho.com wrote:
> On Mon, 6 Mar 2017 12:08:20 +
> ng0  wrote:> 
> > Maybe someone else can try and implement this, I only know what'S
> > needed for running the relay but can't do it at the moment ;)
> 
> Just for reference sake:
> https://www.torproject.org/docs/tor-doc-relay.html.en
> 
> What is the policy on creating/modifying firewalls? Would any relay
> service be allowed to automatically reconfigure the firewall to allow
> a relay to run? Does the sysadmin have to configure it theirself
> (English really needs gender-neutral pronouns.)? Does anything else in

themselves, there are gender neutral pronouns in english.

> GuixSD modify the firewall at this point?

No, there are no services for iptables or nftables at this point. And
from my experience they are not needed for a relay. Okay, they would be
useful to increase security and to see how how Chinese government
officials and their automated services want to get into your server, but
it's not really necessary for the relay.
The relays are just some definitions in the torrc, and that's it.

I would only ask people who currently or previously ran a tor relay,
maybe even with Guix/GuixSD, to work on this. You can't break anything,
but to test it would be good. Which is something I can't do currently.

> These all feel like rather important questions to me that need
> answering before anyone does this.
> 
> 

Re: documentation/behavior unclear of (tor-hidden-service)

[dian_cecht]

On Mon, 6 Mar 2017 12:08:20 +
ng0  wrote:> 
> Maybe someone else can try and implement this, I only know what'S
> needed for running the relay but can't do it at the moment ;)

Just for reference sake:
https://www.torproject.org/docs/tor-doc-relay.html.en

What is the policy on creating/modifying firewalls? Would any relay
service be allowed to automatically reconfigure the firewall to allow
a relay to run? Does the sysadmin have to configure it theirself
(English really needs gender-neutral pronouns.)? Does anything else in
GuixSD modify the firewall at this point?

These all feel like rather important questions to me that need
answering before anyone does this.

Re: documentation/behavior unclear of (tor-hidden-service)

[Ludovic Courtès]

ng0  skribis:

> On 17-03-06 11:13:32, Ludovic Courtès wrote:
>> Hi!
>> 
>> ng0  skribis:
>> 
>> > moving on, this could be improved:
>> > In case one aims for keeping the config public this is a bad idea but
>> > what about creating the hostname + private_key in $name as plain-file?
>> > Would this be overwritten by (tor-hidden-service) or would this just be
>> > bad practice but "whatever works for you"?
>> 
>> Tor is stateful here: it creates the
>> /var/lib/tor/hidden-services/SERVICE directory once, and then never
>> touches it again.
>> 
>> Do you think our documentation should be improved?  Could you suggest a
>> patch that improves things, while at the same time not paraphrasing too
>> much of Tor’s own documentation?

[...]

> What do you think about the private-key + hostname option? Too much
> of bad practice to implement it for the service?

What do you mean?

Now that I checked, I see the documentation explains exactly what I
wrote above, with a link to upstream’s documentation for details.  What
should we add?

> I was thinking of adding a (tor-relay-node) once I have the option to
> run a GuixSD system not in my home and/or other circumstances are
> solved which now prevent certain things.

Would be nice.

Thanks,
Ludo’.

Re: documentation/behavior unclear of (tor-hidden-service)

[ng0]

On 17-03-06 11:13:32, Ludovic Courtès wrote:
> Hi!
> 
> ng0  skribis:
> 
> > moving on, this could be improved:
> > In case one aims for keeping the config public this is a bad idea but
> > what about creating the hostname + private_key in $name as plain-file?
> > Would this be overwritten by (tor-hidden-service) or would this just be
> > bad practice but "whatever works for you"?
> 
> Tor is stateful here: it creates the
> /var/lib/tor/hidden-services/SERVICE directory once, and then never
> touches it again.
> 
> Do you think our documentation should be improved?  Could you suggest a
> patch that improves things, while at the same time not paraphrasing too
> much of Tor’s own documentation?
> 
> Thanks,
> Ludo’.
> 

Thanks.

I'll think of something along the lines next time I have time to spend
for documentation.

What do you think about the private-key + hostname option? Too much
of bad practice to implement it for the service?

I was thinking of adding a (tor-relay-node) once I have the option to
run a GuixSD system not in my home and/or other circumstances are
solved which now prevent certain things.

Maybe someone else can try and implement this, I only know what'S needed
for running the relay but can't do it at the moment ;)

Re: documentation/behavior unclear of (tor-hidden-service)

[Ludovic Courtès]

Hi!

ng0  skribis:

> moving on, this could be improved:
> In case one aims for keeping the config public this is a bad idea but
> what about creating the hostname + private_key in $name as plain-file?
> Would this be overwritten by (tor-hidden-service) or would this just be
> bad practice but "whatever works for you"?

Tor is stateful here: it creates the
/var/lib/tor/hidden-services/SERVICE directory once, and then never
touches it again.

Do you think our documentation should be improved?  Could you suggest a
patch that improves things, while at the same time not paraphrasing too
much of Tor’s own documentation?

Thanks,
Ludo’.

Re: documentation/behavior unclear of (tor-hidden-service)

[ng0]

On 17-03-04 15:59:16, ng0 wrote:
> I have a question regarding the (tor-hidden-service) service.
> 
> When I have an previously generated hostname, let's call it
> "fooschnickens1234.onion" for the purpose of this message, my approach
> on a system like Gentoo was to manually place the hostname and
> private-key into the /var/lib/tor/hidden-services/$name-i-gave-in-torrc
> folder and change the permissions afterwards.
> 
> Now this service is unclear about wether it would overwrite the files I
> have when the new system generation is done building (reconfigure).
> 
> It would be good to know wether the files can be copied into place in
> advance or if one has to wait to replace it afterwards.
> 
Okay, be your own testpilot:
A quick 'guix system build config.scm' and before reconfiguring
inserting my values into the then new generated
/var/lib/tor/hidden-services/foo/ and the files in there, then running
reconfigure, rebooting and I can connect to my hostname(s).

moving on, this could be improved:
In case one aims for keeping the config public this is a bad idea but
what about creating the hostname + private_key in $name as plain-file?
Would this be overwritten by (tor-hidden-service) or would this just be
bad practice but "whatever works for you"?