[Freedombox-discuss] possible bug? tor installation does not open ports 9001, 9030?

Sunil Mohan Adapa sunil at medhas.org
Wed Feb 6 21:56:48 GMT 2019


On 06/02/19 8:32 am, David Mintz wrote:
> 
> I posted the below message some days ago and got no response. Since 
> then I tried again, and managed to figure out a way -- if not THE
> way -- to fix. I had previously installed the Tor package using
> Plinth and the web interface, but my Tor ports were not reachable
> from the outside. Tried a lot of things (in my naive way), no luck,
> gave up, started over with a totally fresh OS installation, hoping to
> wipe the slate clean.
> 
> Next, I simply installed with `apt install tor`.  Again, port not 
> reachable errors.  Finally I figured out firewall-cmd enough to open 
> the ports manually (so to speak), with `firewall-cmd  --permanent 
> --add-port=9001/tcp --zone=internal`,  and again for port 9030. Now 
> my life is happy.
> 
> But that raises the question of whether the UI for Tor installation 
> and setup has an issue in Plinth. I am not sure, that's why I ask, 
> but I would have thought Plinth would have automatically done the 
> firewall config for me. So I looked for a bug report at 
> https://salsa.debian.org/freedombox-team/plinth/issues and could not
>  find anything relevant when filtering for "tor".
> 
> Any thoughts as to how to figure out whether there's an issue to 
> report?

Hi,

I just checked that the relay option works as expected on my FreedomBox. I
turned on the relay option (not the bridge relay option) in the UI
and noticed that:

- FreedomBox has set 'ORPort auto' in the configuration file
/etc/tor/instances/plinth/torrc

- It has read the automatically allocated ORPort from Tor status
information and shown that port information in the relay status table in
the UI.

- Then it created a firewalld service file
/etc/firewalld/services/tor-orport.xml. And added the port to external
and internal zones of the firewalld as seen in 'firewall-cmd
--list-all-zones'.

- Tor ORPort was reachable from outside according to the Tor logs as
seen with `journalctl -u tor@plinth`:

Feb 06 20:48:52 freedombox Tor-plinth[19477]: Now checking whether ORPort <masked>:<masked> is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Feb 06 20:49:02 freedombox Tor-plinth[19477]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Feb 06 20:49:04 freedombox Tor-plinth[19477]: Performing bandwidth self-test...done.

We are not configuring or opening the DirPort. As I understand, this is
optional for a relay setup. Please open an issue if you think it is
important to have.

Perhaps the problem you are facing is due to running into problems with
firewalld (we have an open bug that is triggered due to OpenVPN).
Please check and report any errors you see in `journalctl -u firewalld`
especially after a restart `systemctl restart firewalld`.

On 29/01/19 7:02 am, David Mintz wrote:
[...]
> I just want to ask as a general question whether I should expect the
>  following alternative strategy to work:
> 
> (1) disable Tor on the desktop and remove port forwarding rules.
> 
> (2) enable port forwarding to the FreedomBox, consistent with the 
> ORPort and DirPort numbers set in the tor config
> 
> (3) install tor from the command line according to 
> https://www.torproject.org/docs/debian.html.en
> 
> (4) copy my torrc file over from the desktop and restart the service

Tor, or at least Debian's Tor packaging, allows creating multiple
instances of Tor server on the same machine. FreedomBox creates its own
instance called 'plinth' and runs that.

So, you could create a different instance using the
`tor-instance-create myinstance` command, edit the configuration in
/etc/tor/instances/myinstance/torrc and enable it with `systemctl enable
tor@myinstance` and `systemctl start tor@myinstance`. Make sure,
however, that Tor is either disabled in FreedomBox UI or you are not
fighting for any of the default ports.

Even if you modify FreedomBox's instance configuration in
/etc/tor/instances/plinth/torrc for your needs, the UI should show
proper state and continue to work as expected. Make sure, however, that
FreedomBox's changes and your changes are consistent and secure.

-- 
Sunil
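
The zone check discussed in this thread, as an added example that is not part of the original messages or of FreedomBox's code: it reports which of the external and internal zones expose a Tor port neither directly (as with the manual `--add-port` command) nor through a firewalld service such as tor-orport. The sample `firewall-cmd --list-all-zones` output, the service XML, port 9001 and all function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `firewall-cmd --list-all-zones` output (trimmed).
ZONES_TEXT = """\
external (active)
  services: ssh tor-orport
  ports:

internal (active)
  services: ssh
  ports: 9001/tcp 9030/tcp
"""

# Constructed service file; port 9001 is assumed ('ORPort auto' lets Tor pick).
SERVICE_XML = {"tor-orport": '<service><short>Tor ORPort</short>'
                             '<port protocol="tcp" port="9001"/></service>'}

def parse_zones(text):
    """Map zone name -> {'services': set, 'ports': set}."""
    zones, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a zone
            current = zones.setdefault(line.split()[0],
                                       {"services": set(), "ports": set()})
        elif current is not None:
            key, _, value = line.strip().partition(":")
            if key in current:                  # only 'services' and 'ports'
                current[key].update(value.split())
    return zones

def service_ports(xml_text):
    """Ports declared by one firewalld service definition, as 'port/proto'."""
    root = ET.fromstring(xml_text)
    return {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}

def zones_missing(port, zones_text=ZONES_TEXT, services=SERVICE_XML,
                  wanted=("external", "internal")):
    """Zones in `wanted` exposing `port` neither directly nor via a service."""
    zones, missing = parse_zones(zones_text), []
    for name in wanted:
        zone = zones.get(name, {"services": set(), "ports": set()})
        opened = set(zone["ports"])
        for svc in services.keys() & zone["services"]:
            opened |= service_ports(services[svc])
        if port not in opened:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print({p: zones_missing(p) for p in ("9001/tcp", "9030/tcp")})
```

On a live system the two inputs would come from `firewall-cmd --list-all-zones` and the files under /etc/firewalld/services/.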
