Open nyxnor opened 2 years ago
On a qube debian template, not whonix, run:
```
curl -x http://127.0.0.1:8082 https://google.com
```

```
650 STREAM 16314 NEWRESOLVE 0 google.com:0 SOURCE_ADDR=127.0.0.1:33902
650 STREAM 16315 NEWRESOLVE 0 google.com:0 SOURCE_ADDR=127.0.0.1:33902
650 STREAM 16314 SENTRESOLVE 15198 google.com:0 CLIENT_PROTOCOL=DNS
650 STREAM 16315 SENTRESOLVE 15198 google.com:0 CLIENT_PROTOCOL=DNS
650 STREAM 16314 REMAP 15198 172.217.16.206:0 SOURCE=EXIT
650 STREAM 16315 REMAP 15198 [2a00:1450:4001:808::200e]:0 SOURCE=EXIT
650 STREAM 16314 CLOSED 15198 172.217.16.206:0 REASON=DONE
650 STREAM 16315 CLOSED 15198 [2a00:1450:4001:808::200e]:0 REASON=DONE
650 STREAM 16316 NEW 0 172.217.16.206:443 SOURCE_ADDR=10.137.0.8:44012
650 STREAM 16316 SENTCONNECT 15200 172.217.16.206:443 CLIENT_PROTOCOL=TRANS
650 STREAM 16316 REMAP 15200 172.217.16.206:443 SOURCE=EXIT
650 STREAM 16316 CLOSED 15200 172.217.16.206:443 REASON=DONE
```
SOURCE_ADDR appears on NEW and NEWRESOLVE stream types.
DNS resolve:
The whonix gateway qube receives the call via the update proxy, that templates use `127.0.0.1:8082`, and then the gateway forwards from another port on localhost. The source addr is `127.0.0.1:rand_port`. How can I know which qube made the request if the port does not stay the same?
Connection: The source addr is now the gateway qube local ip.
If the connection was made by a whonix workstation, the source_addr will always be the workstation qube local ip.
Thinking if this should be added to -observer or not, because it can get the client ip address if the gateway is not hosted locally. It can expose the public client address, if for example the gateway is at a remote location and the workstation at home.
Haven't tested to see how the connection is made with remote gateways.
https://github.com/QubesOS/qubes-core-agent-linux/find/master
Search: update-proxy
This should be fixed upstream in Qubes. For now, it is impossible to distinguish clients connecting to the localhost proxy.
The problem is on qubes, when using the update proxy, it is not helpful to filter a single source because:
while filtering whonix ws ip is much more helpful because the gateway detects correctly the source addr because there is passing through the tinyproxy.
TODO: add source_addr to tor-ctrl-observer and warnings
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/tor-ctrl-tor-control-port-command-line-tool/8074/48
https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n2501
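An added example, not part of the original thread or of tor-ctrl: a small parser that groups `650 STREAM` events by `SOURCE_ADDR` and shows why streams opened through the gateway's own proxy cannot be tied to a requesting qube. The function names, the `GATEWAY_IPS` set, and stream 16400 with its workstation address are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: four events from the log in this issue, plus one made-up
# event (stream 16400) standing in for a workstation at a made-up address.
SAMPLE = """\
650 STREAM 16314 NEWRESOLVE 0 google.com:0 SOURCE_ADDR=127.0.0.1:33902
650 STREAM 16314 SENTRESOLVE 15198 google.com:0 CLIENT_PROTOCOL=DNS
650 STREAM 16316 NEW 0 172.217.16.206:443 SOURCE_ADDR=10.137.0.8:44012
650 STREAM 16316 SENTCONNECT 15200 172.217.16.206:443 CLIENT_PROTOCOL=TRANS
650 STREAM 16400 NEW 0 example.org:443 SOURCE_ADDR=10.137.0.50:51234
"""
GATEWAY_IPS = {"10.137.0.8"}  # assumption: the gateway's own address, per the post

EVENT = re.compile(r"^650 STREAM (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse_stream_event(line):
    """Return a dict for one '650 STREAM' line, or None for anything else."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    stream_id, status, circ_id, target, rest = m.groups()
    kv = dict(p.split("=", 1) for p in (rest or "").split() if "=" in p)
    return {"id": stream_id, "status": status, "target": target, "kv": kv}

def classify_source(source_addr, gateway_ips):
    """Return (host, origin); origin is 'gateway-local' or 'client'."""
    host = source_addr.rpartition(":")[0].strip("[]")  # IPv6 may be bracketed
    local = ipaddress.ip_address(host).is_loopback or host in gateway_ips
    return host, "gateway-local" if local else "client"

def streams_by_origin(text, gateway_ips):
    """Group NEW/NEWRESOLVE streams (the ones carrying SOURCE_ADDR) by origin.

    'gateway-local' streams were opened by a process on the gateway itself,
    such as the update proxy, so the requesting qube is not visible here."""
    out = defaultdict(list)
    for line in text.splitlines():
        ev = parse_stream_event(line)
        if ev and ev["status"] in ("NEW", "NEWRESOLVE") and "SOURCE_ADDR" in ev["kv"]:
            host, origin = classify_source(ev["kv"]["SOURCE_ADDR"], gateway_ips)
            out[origin].append((ev["id"], host, ev["target"]))
    return dict(out)

if __name__ == "__main__":
    for origin, streams in streams_by_origin(SAMPLE, GATEWAY_IPS).items():
        print(origin, streams)
```
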
Two things: