From 6488afa2dc113d01a5dd48122b27d6862874dc4f Mon Sep 17 00:00:00 2001 From: Gijs Peskens Date: Tue, 13 Feb 2018 17:12:20 +0100 Subject: [PATCH] os-tor Extra settings for source IP and IPv6 (#536) * Quick fixes to allow IPv6 and Outboundbinding -allow specification of secondary ORPort (intended for IPv6) -allow specification of 2 source addresses via source IP fields, especially usefull for exits. -default directory port to 9030 and set to mandatory (needed for relay) All of the IPv6 fields use the same input verification as the HOST field, should perhaps be changed? * ... * forgot torrc.... * Include manual config in torrc file include optional /usr/local/etc/torrc.exitpolicy after after exit policies set via interface before default reject to allow easy config of custom exit policy. * Cleanup for merge * Scheduler KIST is Linux 2.6.39+ only, should not be enabled on BSD https://www.torproject.org/docs/tor-manual.html.en * Cleaning up torrc whitespaces, fixed regex * fixing up things * Do actual IPv4 validation (reject any invalid IPv4) * Provide dropdown menu on general settings tab to allow choice in scheduler order and schedulers with following options: -KISTLite,Vanilla (default) -Vanilla,KISTLite -KISTLite -Vanilla * fixed missing options * whitespace * removed comma from default option for scheduler * Delete opnsense.tgz --- .../OPNsense/Tor/forms/general.xml | 7 +++++ .../controllers/OPNsense/Tor/forms/relay.xml | 20 ++++++++++++++ .../mvc/app/models/OPNsense/Tor/General.xml | 11 ++++++++ .../mvc/app/models/OPNsense/Tor/Relay.xml | 14 +++++++++- .../service/templates/OPNsense/Tor/torrc | 26 +++++++++++++++++-- 5 files changed, 75 insertions(+), 3 deletions(-) diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/general.xml b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/general.xml index 13a8d8e4e..9804cdafb 100644 --- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/general.xml 
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/general.xml @@ -52,6 +52,13 @@ This is the detail level of the log. A higher level means more data is logged. + + general.scheduler + + dropdown + + true + general.fascist_firewall diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml index b115bb583..028e02c61 100644 --- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml +++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml @@ -11,6 +11,12 @@ text true + + relay.hostv6 + + text + true + relay.port @@ -22,6 +28,20 @@ text The external FQDN of this host. + + relay.outboundbind + + text + true + Originate all traffic from this IP + + + relay.outboundbindv6 + + text + true + Originate all IPv6 traffic from this IP + relay.nick diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml index a7c4788bc..b5ea23941 100644 --- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml +++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml @@ -64,6 +64,17 @@ Debugging + + Y + N + KISTLiteVanilla + + KISTLite,Vanilla + Vanilla,KISTLite + KISTLite + Vanilla + + 0 Y diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml index 74d98c54c..517f6c5be 100644 --- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml +++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml 
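Review bot: Both new form hunks add fields without help text where the operator cannot guess the semantics: the `general.scheduler` dropdown and `relay.hostv6` carry none, while the neighbouring `relay.address` field shows the file's convention ("The external FQDN of this host."). For the scheduler a line such as `Order in which Tor tries the listed schedulers; KISTLite,Vanilla is the default (KIST itself is Linux-only and not offered)` records what the commit message explains; for `relay.hostv6` something like `IPv6 address to listen on; the ORPort value above is reused for it` matches what the torrc template does with it. The `relay.outboundbind` help "Originate all traffic from this IP" is also misleading beside its IPv6 sibling, because the Relay.xml mask for that field admits only a dotted IPv4 address and the template emits the two values as separate directives; `Originate all IPv4 traffic from this IP` says what it does.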
@@ -8,8 +8,20 @@ N - /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[a-f0-9:]{2,})$/i + /^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/ + + N + /^[a-f0-9:]{2,}$/i + + + N + /^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/ + + + N + /^[a-f0-9:]{2,}$/i + 9001 0 diff --git a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc index 2bf64d473..95ffe7321 100644 --- a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc +++ b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc @@ -63,6 +63,18 @@ Log {{ OPNsense.tor.general.sysloglevel }} syslog {% endif %} +{% if OPNsense.tor.general.scheduler == 'KISTLiteVanilla' %} +Scheduler KISTLite,Vanilla +{% endif %} +{% if OPNsense.tor.general.scheduler == 'Vanilla' %} +Scheduler Vanilla +{% endif %} +{% if OPNsense.tor.general.scheduler == 'KISTLite' %} +Scheduler KISTLite +{% endif %} +{% if OPNsense.tor.general.scheduler == 'VanillaKISTLite' %} +Scheduler Vanilla,KISTLite +{% endif %} DataDirectory /var/db/tor @@ -125,8 +137,10 @@ HiddenServicePort {{ acl.port}} {{ acl.target_host }}:{{ acl.target_port }} {% endif %} {% if helpers.exists('OPNsense.tor.relay.enabled') and OPNsense.tor.relay.enabled == '1' %} - ORPort {% if helpers.exists('OPNsense.tor.relay.host') and OPNsense.tor.relay.host != '' %}{{ OPNsense.tor.relay.host }}:{% endif%}{{ OPNsense.tor.relay.port|default('9001') }} +{% if helpers.exists('OPNsense.tor.relay.hostv6') and OPNsense.tor.relay.hostv6 != '' %} +ORPort [{{ OPNsense.tor.relay.hostv6 }}]:{{ OPNsense.tor.relay.port|default('9001') }} +{% endif%} {% if helpers.exists('OPNsense.tor.relay.address') and OPNsense.tor.relay.address != '' %} Address {{ OPNsense.tor.relay.address }} 
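Review bot: The IPv6 masks added for the two new fields, `/^[a-f0-9:]{2,}$/i`, accept strings that are not addresses at all (`::::`, `abcd`, a lone `ff`), so a typo passes validation and only surfaces when tor rejects the generated `ORPort [...]` or `OutboundBindAddress` line; the commit message itself flags this. OPNsense's base field type `OPNsense\Base\FieldTypes\NetworkField` validates both families and would also replace the IPv4 octet regex that this hunk now pastes four times; if a regex is kept, keep it anchored and limited to hex digits and colons as it is, since these values are interpolated unquoted into torrc. The description also says the directory port now defaults to 9030 and is mandatory, but the diffstat for this file (13 insertions, 1 deletion) is fully accounted for by the mask change and the new fields shown here, so that part appears to have been dropped and the description no longer matches.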
@@ -141,6 +155,13 @@ Address {{ OPNsense.tor.relay.address }}
 #OutboundBindAddressExit 10.0.0.4
 #OutboundBindAddressOR 10.0.0.5
+{% if helpers.exists('OPNsense.tor.relay.outboundbind') and OPNsense.tor.relay.outboundbind != '' %}
+OutboundBindAddress {{ OPNsense.tor.relay.outboundbind }}
+{% endif %}
+{% if helpers.exists('OPNsense.tor.relay.outboundbindv6') and OPNsense.tor.relay.outboundbindv6 != '' %}
+OutboundBindAddress {{ OPNsense.tor.relay.outboundbindv6 }}
+{% endif %}
+
 {% if helpers.exists('OPNsense.tor.relay.nick') and OPNsense.tor.relay.nick != '' %}
 Nickname {{ OPNsense.tor.relay.nick }}
 {% endif %}
@@ -172,8 +193,9 @@ RelayBandwidthBurst {{ OPNsense.tor.relay.bandwithburst }} KBytes
 #ContactInfo 0xFFFFFFFF Random Person
 {% if helpers.exists('OPNsense.tor.relay.directory_port') and OPNsense.tor.relay.directory_port != '' %}
-DirPort {{ OPNsense.tor.relay.directory_port }}
+DirPort {% if helpers.exists('OPNsense.tor.relay.host') and OPNsense.tor.relay.host != '' %}{{ OPNsense.tor.relay.host }}:{% endif%}{{ OPNsense.tor.relay.directory_port }}
 {% endif %}
+
 ## Uncomment to return an arbitrary blob of html on your DirPort. Now you
 ## can explain what Tor is if anybody wonders why your IP address is
 ## contacting them. See contrib/tor-exit-notice.html in Tor's source
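Review bot: The two new `OutboundBindAddress` lines sit directly after the relay `Address` directive, which the previous hunk shows inside the `relay.enabled == '1'` block; unless that block is closed somewhere in the lines not shown, the source address is applied only while the relay is enabled, whereas the form text promises to originate all traffic from it. Either emit these lines outside the relay condition or state the limitation in the form help, since a silently ignored bind address is exactly the kind of setting an exit operator relies on. A short template comment would also help the next reader, because the repeated directive looks like a copy-paste error: `# OutboundBindAddress may be given twice, once per address family`. The DirPort hunk further down advertises only the IPv4 host, so a relay configured with `hostv6` gets no IPv6 directory port; probably acceptable, but worth a comment next to the `DirPort` line.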