├── .gitignore ├── README.md ├── custom-openbsd-iso.sh └── templates ├── openbsd-firewall-with-nat ├── openbsd-gateway-monero-blockchain-daemon-torsocks ├── openbsd-gateway-tor-socks-and-transparent ├── openbsd-gateway-tor-socks-only ├── openbsd-gateway-tor-transparent-only ├── openbsd-single-network-card-tor-socks-and-transparent ├── openbsd-single-network-card-tor-socks-only └── openbsd-single-network-card-tor-transparent-only /.gitignore: -------------------------------------------------------------------------------- 1 | *.*.swp 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Security hardened OpenBSD templates 2 | 3 | ## Beta 4 | 5 | This project is currently in beta phase. Expect bugs, problems, etc. Lots of things still need a lot of love. We invite everyone to test, audit and improve the project. 6 | 7 | ## Background 8 | 9 | Security hardened [OpenBSD](https://www.openbsd.org) templates with complete firewall and [Tor](https://www.torproject.org) configurations. They are specifically designed for environments which require a high degree of security, privacy and anonymity. This makes them a good fit for crypto currency environments. 10 | 11 | ## Template overview 12 | 13 | The following OpenBSD templates are currently available: 14 | - Basic firewall with nat 15 | - Tor gateway with socks support 16 | - Tor gateway with transparent torification 17 | - Tor gateway with socks and transparent torification 18 | - Tor with socks support for single network card systems 19 | - Tor with transparent torification for single network card systems 20 | - Tor with socks and transparent torification for single network card systems 21 | 22 | All templates will: 23 | - Configure the PF firewall with pretty strict rules. Example: block all traffic destined to RFC1918 addresses. 24 | - Set OpenBSD to the highest securelevel. 
This can prevent changes to the firewall configuration even when the root account is compromised. 25 | - Setup most filesystems in read-only mode 26 | - Setup the remaining filesystems with the memory filesystem (MFS) for files and folders that need write access. This information is stored in RAM and will be cleared on reboot. 27 | - Set immutable flags on most files on the system 28 | - Set random mac addresses 29 | - Disable SSH and NTP by default 30 | 31 | The Tor templates provide: 32 | - A simple way to setup Tor .onion services, including 'stealth' and 'next generation v3' onion services 33 | - A simple way to setup authorization data for remote stealth onion services 34 | 35 | Our plan is to extend the list of security hardened templates with [Monero](https://getmonero.org), [Bitcoin](https://www.bitcoin.org) and [Kovri/I2P](https://getkovri.org). We are exploring other applications as well and are open for suggestions. 36 | 37 | ## Instructions for automated custom OpenBSD iso generation 38 | 39 | The instructions are tailored for a Debian/Tails like system. For security reasons we highly recommend to use [Tails](https://tails.boum.org) to generate the custom OpenBSD isos. 40 | 41 | Select one of the templates and rename it to install.site. 42 | 43 | Copy install.site to the same directory as the '*custom-openbsd-iso.sh*' script. 44 | 45 | *Optional*: Make some changes to install.site, example: edit the firewall or configure some Tor .onion services. 46 | 47 | Run the custom-openbsd-iso.sh script: 48 | 49 | ./custom-openbsd-iso.sh 50 | 51 | The script should produce a custom OpenBSD iso. 52 | 53 | Burn the iso to a CD/DVD. 54 | 55 | ## Custom OpenBSD installation instructions 56 | 57 | This is a mini version of our installation instructions. See our [website](https://garlicgambit.wordpress.com) for the full instructions. 58 | 59 | Boot the custom OpenBSD iso and follow the standard [OpenBSD](https://www.openbsd.org) installation procedure. 
Use the network configuration from install.site to configure the network. A '*Gateway*' will use ip address 172.16.1.1 with netmask 255.255.255.0 for the internal interface by default. 60 | 61 | Once you get to the following line you need to type '`E`' to edit the auto layout and delete the swap partition: 62 | '*Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout.*' 63 | 64 | Below the line starting with '*Label editor*' you need to type the following sequence to delete the swap partition: 65 | 66 | d b 67 | w 68 | q 69 | 70 | When you get to '*Set name(s)*' you need to select '*siteXX.tgz*' and de-select all sets starting with '*x*, '*games*' and '*comp*' 71 | 72 | Select the siteXX.tgz set: 73 | 74 | +s* 75 | 76 | De-select the x, game and comp sets: 77 | 78 | -x* 79 | -g* 80 | -c* 81 | 82 | The checksum and verification test for siteXX.tgz will fail. This is expected behavior. Type '`yes`' to continue the installation. 83 | 84 | When you see "*CONGRATULATIONS*" you can reboot the system. 85 | 86 | Upon first boot the custom installation will run a script once that will automatically reboot the system. After this is done you will see the login prompt and your system is ready for use. 
87 | 88 | ## TODO 89 | 90 | - [ ] Add Monero P2P daemon, RPC service and wallet support 91 | - [ ] Add Kovri/I2P support 92 | - [ ] Improve installation process 93 | - [ ] Improve templates and scripts 94 | - [ ] Improve documentation 95 | - [ ] Explore methods to securely set system time 96 | - [ ] Explore methods to create an OpenBSD iso from the 'stable' branch 97 | - [ ] Add Tor controlport (filter) support 98 | - [ ] Add automatic download of non-free firmware drivers 99 | - [ ] Improve Tails support 100 | - [ ] Add Whonix support 101 | - [ ] Add Qubes support 102 | - [ ] Add (offline) QR code signing support 103 | - [ ] Add hardware recommendations 104 | - [ ] Add hardware wallet support 105 | - [ ] Add USB boot support 106 | - [ ] Add ARM architecture support 107 | - [ ] Add live cd option 108 | - [ ] Add templates for other operating systems 109 | - [ ] Explore layer 2 filtering 110 | - [ ] Explore virtualization technologies (VMM) to compartmentalize services 111 | - [ ] Explore and promote (reproducible) Monero and Kovri packages for OpenBSD and other operating systems 112 | - [ ] Explore and promote the integration of OpenBSD's pledge in Monero, Kovri, Tor and other applications 113 | 114 | ## License 115 | 116 | MIT 117 | 118 | ## Website and contact 119 | 120 | Website: [garlicgambit.wordpress.com](https://garlicgambit.wordpress.com) 121 | 122 | ## Donations 123 | 124 | Support this project by donating to: 125 | 126 | **Bitcoin:** 127 | 1Ndk6vc9PST9aCHiyd8R2PAXZ68HxeKSgn 128 | 129 | **Monero:** 130 | 463DQj1ebHSWrsyuFTfHSTDaACx3WZtmMFMwb6QEX7asGyUBaRe2fHbhMchpZnaQ6XKXcHZLq8Vt1BRSLpbqdr283QinCRK 131 | -------------------------------------------------------------------------------- /custom-openbsd-iso.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Quick and dirty script to create custom OpenBSD isos 4 | # 5 | # License: MIT 6 | # https://garlicgambit.wordpress.com 7 | 8 | set -u 9 | set -e 
10 | #set -x 11 | 12 | # Variables 13 | system_architecture="amd64" # Use amd64 or i386 14 | openbsd_release="snapshots" # Use snapshots or a version number, example: 6.2 15 | template_file="install.site" 16 | current_date=$(date +%F) 17 | custom_iso_dir="/tmp/openbsd/${openbsd_release}/${system_architecture}/" 18 | custom_iso_dir_extracted="${custom_iso_dir}custom-iso-${current_date}/" # This folder will be deleted 19 | custom_iso_filename="custom-openbsd-${openbsd_release}-${system_architecture}-${current_date}.iso" 20 | openbsd_homepage="https://www.openbsd.org/" 21 | openbsd_mirror_file="ftp.html" 22 | 23 | # Optional: Tor onion service variables 24 | onion_service_import="false" # Set to true to import existing onion service backups 25 | onion_service_create="false" # Set to true to generate onion service files on this system 26 | onion_service_dir="hidden_service" # Base name of the onion services 27 | onion_service_type="stealth" # Use: normal, stealth or nextgen 28 | onion_service_stealth_clients="client1,client2,client3" # Number of clients 29 | internal_server="172.16.1.2" # An optional server 30 | 31 | # A list of onion services that will be generated on this system and 32 | # copied to the OpenBSD system. This is useful if you want to have an 33 | # external copy of the onion service files. 34 | # Tor will only use the externally generated onion service files if 35 | # you also enable the onion service in the Tor configuration in 36 | # install.site. The name and configuration need to match. 37 | # There is little harm in generating a couple of extra onion services 38 | # as long as you don't enable them in the Tor configuration. 
39 | # Tip: Use the same naming scheme as install.site 40 | onion_service_name="${onion_service_dir} \ 41 | ${onion_service_dir}_www \ 42 | ${onion_service_dir}_ssh_${internal_server} \ 43 | ${onion_service_dir}_www_${internal_server} \ 44 | ${onion_service_dir}_btc_p2p_${internal_server} \ 45 | ${onion_service_dir}_btc_rpc_${internal_server} \ 46 | ${onion_service_dir}_xmr_p2p_${internal_server} \ 47 | ${onion_service_dir}_xmr_rpc_${internal_server}" 48 | 49 | 50 | # Don't run as root 51 | if [ $(id -u) = '0' ]; then 52 | echo "ERROR: Don't run this script as root." 53 | echo "Please fix this and run the script again." 54 | exit 1 55 | fi 56 | 57 | # Don't run the script from the Tor Browser directory 58 | pwd_dir="$(pwd)" 59 | if [ "${pwd_dir}" = '/home/amnesia/Tor Browser' ]; then 60 | echo "ERROR: Don't run this script from the ${pwd_dir} directory." 61 | echo "Please fix this and run the script again." 62 | exit 1 63 | fi 64 | 65 | # Set a correct onion service type 66 | if [ ! "${onion_service_type}" = "normal" ] && 67 | [ ! "${onion_service_type}" = "stealth" ] && 68 | [ ! "${onion_service_type}" = "nextgen" ]; then 69 | echo "ERROR: ${onion_service_type} is not a valid onion service type." 70 | echo "Please fix this and run the script again." 71 | exit 1 72 | fi 73 | 74 | # Check for the template configuration file and make it executable 75 | if [ -s "${template_file}" ]; then 76 | chmod 0700 "${template_file}" 77 | else 78 | echo "ERROR: Template file ${template_file} is missing or empty." 79 | echo "Please create and configure this file before you run the script." 80 | exit 1 81 | fi 82 | 83 | # Cleanup old extracted iso files 84 | if [ -d "${custom_iso_dir_extracted}" ]; then 85 | rm -rf "${custom_iso_dir_extracted}" 86 | fi 87 | 88 | # Create the custom iso directory 89 | if [ ! -d "${custom_iso_dir_extracted}" ]; then 90 | mkdir -p "${custom_iso_dir_extracted}" 91 | fi 92 | 93 | # Set permissions on the custom iso directory 94 | if [ ! 
-d "${custom_iso_dir}" ]; then 95 | echo "ERROR: No ${custom_iso_dir} available." 96 | echo "Please diagnose the problem and run the script again." 97 | exit 1 98 | else 99 | chmod 0700 "${custom_iso_dir}" 100 | fi 101 | 102 | # Copy template file to the custom iso directory 103 | if ! cp "${template_file}" "${custom_iso_dir}"; then 104 | echo "ERROR: Failed to copy ${template_file} to the ${custom_iso_dir} directory." 105 | echo "Please diagnose the problem and run the script again." 106 | exit 1 107 | fi 108 | 109 | # Check if existing onion service backups need to be imported 110 | if "${onion_service_import}"; then 111 | if [ -d "${onion_service_dir}" ]; then 112 | cp -r "${onion_service_dir}"* "${custom_iso_dir}" 113 | else 114 | echo "ERROR: Onion service backup import is enabled," 115 | echo "but no onion service backup is found with the name: ${onion_service_dir}" 116 | echo "Please fix this and run the script again." 117 | exit 1 118 | fi 119 | fi 120 | 121 | # Copy firmware directory 122 | if [ -d firmware ]; then 123 | cp -r firmware "${custom_iso_dir}" 124 | fi 125 | 126 | # Go to the custom iso directory 127 | if ! cd "${custom_iso_dir}"; then 128 | echo "ERROR: Failed to go to the ${custom_iso_dir} directory." 129 | echo "Please diagnose the problem and run the script again." 130 | exit 1 131 | fi 132 | 133 | # Download the OpenBSD mirror list 134 | if ! wget -O "${openbsd_mirror_file}" "${openbsd_homepage}""${openbsd_mirror_file}"; then 135 | echo "ERROR: Failed to download OpenBSD mirror list." 136 | echo "Please check your network settings and run the script again." 137 | exit 1 138 | fi 139 | 140 | # Select a random https mirror 141 | random_mirror() { 142 | grep -o -P ' "${custom_iso_filename}".sha256sum.txt 395 | 396 | # Inform the user that the script is finished 397 | echo 398 | echo "Congratulations! Your custom OpenBSD iso image is ready." 
399 | echo 400 | echo "The iso and other files are available at:" 401 | echo "${custom_iso_dir}" 402 | echo 403 | echo "OpenBSD iso filename:" 404 | echo "${custom_iso_filename}" 405 | echo 406 | echo "You can burn it to a CD/DVD with Brasero." 407 | -------------------------------------------------------------------------------- /templates/openbsd-firewall-with-nat: -------------------------------------------------------------------------------- 1 | #!/bin/ksh 2 | 3 | set -u 4 | set -e 5 | 6 | # Variables 7 | internal_ip="172.16.1.1" # The internal IP of the system 8 | internal_network="172.16.1.0" 9 | internal_netmask="24" # 24 = 255.255.255.0 10 | dns_server="192.168.1.1" # Optional DNS server 11 | tor_server="192.168.1.1" # Optional Tor server 12 | tor_controlport="9052" 13 | tor_socksport_default="9050" 14 | tor_socksport_mua="9061" 15 | tor_socksport_tails="9062" 16 | tor_socksport_browser="9150" 17 | tor_socksport_onion="9250" 18 | tor_socksport_onion_auth="9350" 19 | ## TODO: Kovri/I2P 20 | #i2p_socksport_default="" 21 | #i2p_socksport_monero="" 22 | #i2p_socksport_browser="" 23 | #i2p_server="192.168.1.1" # Optional I2P server 24 | 25 | echo "" 26 | echo "### CUSTOM INSTALL SCRIPT ###" 27 | echo "" 28 | 29 | # Push custom cryptographic seed 1 into the kernel 30 | if [[ -f /custom-random.seed1 ]]; then 31 | dd if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none 32 | rm -P /custom-random.seed1 33 | fi 34 | 35 | # Configure securelevel 2 on boot 36 | echo "# Configure securelevel 2 on system boot" >> /etc/rc.local 37 | echo "sysctl kern.securelevel=2" >> /etc/rc.local 38 | 39 | # Disable library reordering on boot 40 | echo "library_aslr=NO" >> /etc/rc.conf.local 41 | 42 | # Disable sshd on boot 43 | echo "sshd_flags=NO" >> /etc/rc.conf.local 44 | 45 | # Disable ntpd on boot 46 | echo "ntpd_flags=NO" >> /etc/rc.conf.local 47 | 48 | # Enable ipv4 routing 49 | echo "# Enable ipv4 routing" >> /etc/sysctl.conf 50 | echo "net.inet.ip.forwarding=1" 
>> /etc/sysctl.conf 51 | 52 | ## Disable ddb.panic to prevent securelevel changes 53 | echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf 54 | echo "ddb.panic=0" >> /etc/sysctl.conf 55 | 56 | 57 | ################################# 58 | ### PF FIREWALL CONFIGURATION ### 59 | ################################# 60 | 61 | ## Backup pf firewall configuration 62 | cp /etc/pf.conf /etc/pf.conf-orig 63 | 64 | ## Configure pf firewall 65 | cat <<__EOF> /etc/pf.conf 66 | 67 | ############ 68 | ## TABLES ## 69 | ############ 70 | 71 | # RFC1918 72 | table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } 73 | 74 | # Other non-routable ip addresses 75 | table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 } 76 | 77 | ############# 78 | ## OPTIONS ## 79 | ############# 80 | 81 | ## Drop blocked packets 82 | set block-policy drop 83 | 84 | ## Allow traffic loopback interface 85 | set skip on lo 86 | 87 | ################### 88 | ## GENERAL RULES ## 89 | ################### 90 | 91 | ## Default deny policy 92 | block 93 | 94 | ## Block ipv6 traffic 95 | block quick inet6 96 | 97 | ################### 98 | ## ANTI SPOOFING ## 99 | ################### 100 | 101 | ## Antispoofing for external interface 102 | antispoof quick for egress 103 | 104 | ## Block packets with wrong source interface 105 | block in quick from urpf-failed 106 | 107 | ## Block packets with no route 108 | block in quick from no-route 109 | 110 | ########################### 111 | ## TRAFFIC NORMALIZATION ## 112 | ########################### 113 | 114 | ## Scrub all incoming packets 115 | match in all scrub (no-df max-mss 1440) 116 | 117 | ## Scrub outbound packets 118 | match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440) 119 | 120 | ############### 121 | ## NAT RULES ## 122 | ############### 123 | 124 | ## Nat 
all traffic from ${internal_network} 125 | match out on egress from ${internal_network}/${internal_netmask} nat-to (egress) 126 | 127 | ################### 128 | ## INBOUND RULES ## 129 | ################### 130 | 131 | ## Allow inbound SSH traffic from ${internal_network} to ${internal_ip} 132 | #pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port 22 user root 133 | 134 | ## Block all inbound traffic from ${internal_network} destined to this system 135 | block in quick on ! egress inet from ${internal_network}/${internal_netmask} to self 136 | 137 | ## Allow all inbound traffic from ${internal_network} 138 | pass in quick on ! egress inet from ${internal_network}/${internal_netmask} to any 139 | 140 | #################### 141 | ## OUTBOUND RULES ## 142 | #################### 143 | 144 | ## Allow outbound traffic from this system to DHCP 145 | #pass out quick on egress proto udp from (egress) port 68 to egress:network port 67 146 | 147 | ## Block all outbound traffic to RFC1918 local area network addresses 148 | block out quick on egress inet from any to 149 | 150 | ## Block all outbound traffic to other non-routable addresses 151 | block out quick on egress inet from any to 152 | 153 | ## Allow outbound traffic from this system to NTP 154 | ## Put the first line before 'Block all outbound traffic to RFC1918 local 155 | ## area network addresses' if you use a local DNS resolver 156 | #pass out quick on egress inet proto udp from (egress) to ${dns_server} port 53 user _ntp 157 | #pass out quick on egress inet proto udp from (egress) to any port 123 user _ntp 158 | #pass out quick on egress inet proto tcp from (egress) to any port 443 user _ntp 159 | 160 | ## Allow outbound traffic from this system to fetch non-free firmware 161 | ## Put the first line before 'Block all outbound traffic to RFC1918 local 162 | ## area network addresses' if you use a local DNS resolver 163 | #pass out quick on egress inet proto 
udp from (egress) to ${dns_server} port 53 user _pkgfetch 164 | #pass out quick on egress inet proto tcp from (egress) to any port 80 user _pkgfetch 165 | 166 | ## Block all outbound TCP and UDP traffic initiated from this system 167 | block out quick inet proto { tcp, udp } from any to any user >= 0 168 | 169 | ## Allow all outbound traffic from this system 170 | pass out quick on egress inet from (egress) to any 171 | 172 | ## EXAMPLE RULES 173 | ## 174 | ## Example rules for a stricter firewall ruleset. You need to 175 | ## disable the 'Allow all outbound traffic from this system' rule 176 | ## with a '#' 177 | 178 | ## Allow outbound SSH traffic 179 | #pass out quick on egress inet proto tcp from (egress) to any port 22 180 | 181 | ## Allow outbound DNS traffic from ${internal_network} to ${dns_server} 182 | ## Put this line before 'Block all outbound traffic to RFC1918 local 183 | ## area network addresses' if you use a local DNS resolver 184 | #pass out quick on egress inet proto udp from (egress) to ${dns_server} port 53 185 | 186 | ## Allow outbound MAIL traffic 187 | #pass out quick on egress inet proto tcp from (egress) to any port { 25, 110, 143, 587, 993, 995 } 188 | 189 | ## Allow outbound HTTP(S) traffic 190 | #pass out quick on egress inet proto tcp from (egress) to any port { 80, 443 } 191 | 192 | ## Allow outbound IPSEC VPN traffic 193 | #pass out quick on egress inet proto udp from (egress) to any port 500 194 | #pass out quick on egress inet proto { tcp, udp } from (egress) to any port 4500 195 | 196 | ## Allow outbound Tor controlport traffic 197 | ## Put this line before 'Block all outbound traffic to RFC1918 local 198 | ## area network addresses' if you use a local Tor router 199 | #pass out quick on egress inet proto tcp from (egress) to ${tor_server} port ${tor_controlport} 200 | 201 | ## Allow outbound Tor socks traffic 202 | ## Put this line before 'Block all outbound traffic to RFC1918 local 203 | ## area network addresses' if you use a 
local Tor router 204 | #pass out quick on egress inet proto tcp from (egress) to ${tor_server} port { ${tor_socksport_default}, ${tor_socksport_mua}, ${tor_socksport_tails}, ${tor_socksport_browser}, ${tor_socksport_onion}, ${tor_socksport_onion_auth} } 205 | 206 | ## Allow outbound Bitcoin traffic 207 | #pass out quick on egress inet proto tcp from (egress) to any port { 8332, 8333, 18332, 18333 } 208 | 209 | ## Allow outbound Monero traffic 210 | #pass out quick on egress inet proto tcp from (egress) to any port { 18080, 18081, 28080, 28081 } 211 | 212 | 213 | __EOF 214 | # End of pf firewall configuration 215 | 216 | 217 | ####################### 218 | ### Immutable flags ### 219 | ####################### 220 | 221 | cat <<__EOF>> /etc/set-immutable-flags.sh 222 | #!/bin/sh 223 | 224 | # Set immutable flags on files and folders 225 | 226 | # See /etc/unset-immutable-flags.sh to (temporarily) disable 227 | # immutable flags. 228 | 229 | chflags schg / 2>/dev/null 230 | 231 | chflags -R schg /altroot 2>/dev/null 232 | chflags -R schg /bin 2>/dev/null 233 | chflags -R schg /etc 2>/dev/null 234 | chflags -R schg /home 2>/dev/null 235 | chflags -R schg /mfs 2>/dev/null 236 | chflags -R schg /mnt 2>/dev/null 237 | chflags -R schg /root 2>/dev/null 238 | chflags -R schg /sbin 2>/dev/null 239 | chflags -R schg /usr 2>/dev/null 240 | 241 | chflags schg /.cshrc 2>/dev/null 242 | chflags schg /.profile 2>/dev/null 243 | chflags schg /boot 2>/dev/null 244 | chflags schg /bsd 2>/dev/null 245 | chflags schg /bsd.mp 2>/dev/null 246 | chflags schg /bsd.rd 2>/dev/null 247 | chflags schg /bsd.sp 2>/dev/null 248 | chflags schg /obsd 2>/dev/null 249 | 250 | __EOF 251 | 252 | cat <<__EOF>> /etc/unset-immutable-flags.sh 253 | #!/bin/sh 254 | 255 | # Remove immutable flags from files and folders 256 | 257 | # How to temporarily remove immutable flags, make changes to the 258 | # system and set immutable flags back again: 259 | # 260 | # kill -15 1 261 | # mount -uw / 262 | # 
/etc/unset-immutable-flags.sh 263 | # export TERM=vt220 264 | # 265 | # /etc/set-immutable-flags.sh 266 | # exit 267 | 268 | chflags noschg / 2>/dev/null 269 | 270 | chflags -R noschg /altroot 2>/dev/null 271 | chflags -R noschg /bin 2>/dev/null 272 | chflags -R noschg /etc 2>/dev/null 273 | chflags -R noschg /home 2>/dev/null 274 | chflags -R noschg /mfs 2>/dev/null 275 | chflags -R noschg /mnt 2>/dev/null 276 | chflags -R noschg /root 2>/dev/null 277 | chflags -R noschg /sbin 2>/dev/null 278 | chflags -R noschg /usr 2>/dev/null 279 | 280 | chflags noschg /.cshrc 2>/dev/null 281 | chflags noschg /.profile 2>/dev/null 282 | chflags noschg /boot 2>/dev/null 283 | chflags noschg /bsd 2>/dev/null 284 | chflags noschg /bsd.mp 2>/dev/null 285 | chflags noschg /bsd.rd 2>/dev/null 286 | chflags noschg /bsd.sp 2>/dev/null 287 | chflags noschg /obsd 2>/dev/null 288 | 289 | __EOF 290 | 291 | chmod 500 /etc/set-immutable-flags.sh 292 | chmod 500 /etc/unset-immutable-flags.sh 293 | 294 | 295 | ################################### 296 | ### CONFIGURE /etc/rc.firsttime ### 297 | ################################### 298 | 299 | # rc.firsttime will run once on the first normal boot 300 | 301 | cat <<'__EOF'>> /etc/rc.firsttime 302 | 303 | # Push custom cryptographic seed 2 into the kernel 304 | if [[ -f /custom-random.seed2 ]]; then 305 | dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none 306 | rm -P /custom-random.seed2 307 | fi 308 | 309 | # Configure random mac address for network interfaces 310 | for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do 311 | echo "lladdr random" >> $i 312 | done 313 | 314 | # Import firmware files 315 | if [[ -d /firmware ]]; then 316 | mv /firmware/* /etc/firmware/ 317 | chown root:bin /etc/firmware/* 318 | chmod 0644 /etc/firmware/* 319 | rm -r /firmware 320 | fi 321 | 322 | # Install missing firmware 323 | /usr/sbin/fw_update -v -p /etc/firmware/ 324 | 325 | ############################## 326 | ## SAVE CRYPTOGRAPHIC SEEDS 
## 327 | ############################## 328 | 329 | # Push old seed into the kernel, create a future seed and create a 330 | # seed file for the boot-loader. 331 | dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none 332 | chmod 600 /var/db/host.random 333 | dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none 334 | dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none 335 | chmod 600 /etc/random.seed 336 | 337 | 338 | ############################## 339 | ## FILESYSTEM MODIFICATIONS ## 340 | ############################## 341 | 342 | # Backup fstab 343 | cp -p /etc/fstab /etc/fstab-orig 344 | 345 | # Create /mfs directory 346 | mkdir /mfs/ 347 | 348 | # Copy /var to /mfs 349 | cp -rp /var /mfs/ || true 350 | rm -r /mfs/var/run/* || true 351 | rm -r /mfs/var/cache/* || true 352 | rm -r /mfs/var/cron/tabs/*.sock || true 353 | 354 | # Create /dev in /mfs 355 | mkdir /mfs/dev 356 | cp -p /dev/MAKEDEV /mfs/dev/ 357 | cd /mfs/dev/ && ./MAKEDEV all 358 | 359 | # Add /tmp entry to /etc/stab 360 | echo "" >> /etc/fstab 361 | echo "# /tmp in RAM with 64MB" >> /etc/fstab 362 | echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab 363 | 364 | # Add /var entry to /etc/stab 365 | echo "" >> /etc/fstab 366 | echo "# /var in RAM with 64MB" >> /etc/fstab 367 | echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0" >> /etc/fstab 368 | 369 | # Add /mfs/dev entry to /etc/fstab 370 | echo "" >> /etc/fstab 371 | echo "# /dev in RAM" >> /etc/fstab 372 | echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab 373 | 374 | # Set all ffs filesystems to read-only 375 | sed -i 's/ffs rw/ffs ro/' /etc/fstab 376 | 377 | # Remove /etc/rc.firsttime.run 378 | if [[ -f /etc/rc.firsttime.run ]]; then 379 | rm /etc/rc.firsttime.run 380 | fi 381 | 382 | # Set files and folders to immutable 383 | /etc/set-immutable-flags.sh 384 | 385 | # Automatic reboot 386 | reboot 387 | 388 | __EOF 389 | 390 | # 
Remove archives 391 | for i in /*.tgz; do 392 | if [[ -f $i ]]; then 393 | rm -P $i 394 | fi 395 | done 396 | 397 | # Remove install.site 398 | if [[ -f /install.site ]]; then 399 | rm -P /install.site 400 | fi 401 | 402 | # Exit script 403 | exit 0 404 | -------------------------------------------------------------------------------- /templates/openbsd-gateway-monero-blockchain-daemon-torsocks: -------------------------------------------------------------------------------- 1 | #!/bin/ksh 2 | 3 | set -u 4 | set -e 5 | 6 | # Variables 7 | internal_ip="172.16.2.1" # The IP for the Monero service 8 | internal_server="172.16.2.2" # An optional server in the internal network 9 | internal_network="172.16.2.0" 10 | internal_netmask="24" # 24 = 255.255.255.0 11 | tor_controlport="9052" 12 | tor_dnsport="5353" 13 | tor_transport="9040" 14 | tor_socksport_default="9050" 15 | tor_socksport_mua="9061" 16 | tor_socksport_tails="9062" 17 | tor_socksport_browser="9150" 18 | tor_socksport_onion="9250" 19 | tor_socksport_onion_auth="9350" 20 | tor_username="_tor" 21 | tor_onion_service_dirs="/hidden_service" 22 | tor_proxy_ip="172.16.1.1" 23 | monero_version="v0.12.2.0" 24 | monero_username="_monerod" 25 | monero_p2p_ip="127.0.0.1" 26 | monero_rpc_ip="${internal_ip}" 27 | monero_zmq_ip="${internal_ip}" 28 | monero_p2p_port="18080" 29 | monero_rpc_port="18081" 30 | monero_zmq_port="18082" 31 | monero_data_dir=".bitmonero" 32 | monero_config_file="bitmonero.conf" 33 | monero_builduser="_monerobuild" 34 | monero_mining_address="463DQj1ebHSWrsyuFTfHSTDaACx3WZtmMFMwb6QEX7asGyUBaRe2fHbhMchpZnaQ6XKXcHZLq8Vt1BRSLpbqdr283QinCRK" # Garlic Gambit address 35 | ## TODO: Kovri/I2P 36 | #i2p_socksport_default="" 37 | #i2p_socksport_monero="" 38 | #i2p_socksport_browser="" 39 | #i2p_username="" 40 | #i2p_service_dirs="" 41 | 42 | echo "" 43 | echo "### CUSTOM INSTALL SCRIPT ###" 44 | echo "" 45 | 46 | # Push custom cryptographic seed 1 into the kernel 47 | if [[ -f /custom-random.seed1 ]]; then 
48 | dd if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none 49 | rm -P /custom-random.seed1 50 | fi 51 | 52 | # Configure securelevel 2 on boot 53 | echo "# Configure securelevel 2 on system boot" >> /etc/rc.local 54 | echo "sysctl kern.securelevel=2" >> /etc/rc.local 55 | 56 | # Push the old cryptographic seed into the kernel on boot 57 | echo "" >> /etc/rc.local 58 | echo "# Push the old seed into the kernel on system boot" >> /etc/rc.local 59 | echo "if [[ -f /home/_kernelseed/host.random ]]; then" >> /etc/rc.local 60 | echo " dd if=/home/_kernelseed/host.random of=/dev/random bs=65536 count=1 status=none" >> /etc/rc.local 61 | echo " chmod 0600 /home/_kernelseed/host.random" >> /etc/rc.local 62 | echo "fi" >> /etc/rc.local 63 | 64 | # Create a future cryptographic seed on shutdown 65 | echo "# Create a future seed" >> /etc/rc.shutdown 66 | echo "if [[ -d /home/_kernelseed/ ]]; then" >> /etc/rc.shutdown 67 | echo ' dd if=/dev/random of=/home/_kernelseed/host.random bs=65536 count=1 status=none || 68 | echo "### WARNING: FAILED TO STORE CRYPTO SEED FOR THE KERNEL!!! 
###"' >> /etc/rc.shutdown 69 | echo " chmod 0600 /home/_kernelseed/host.random" >> /etc/rc.shutdown 70 | echo "fi" >> /etc/rc.shutdown 71 | 72 | # Disable library reordering on boot 73 | echo "library_aslr=NO" >> /etc/rc.conf.local 74 | 75 | # Disable sshd on boot 76 | echo "sshd_flags=NO" >> /etc/rc.conf.local 77 | 78 | # Disable ntpd on boot 79 | echo "ntpd_flags=NO" >> /etc/rc.conf.local 80 | 81 | # Disable ddb.panic to prevent securelevel changes 82 | echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf 83 | echo "ddb.panic=0" >> /etc/sysctl.conf 84 | 85 | 86 | ############# 87 | ### USERS ### 88 | ############# 89 | 90 | # Add Monero build user 91 | adduser -quiet -noconfig -shell nologin -class daemon -batch "${monero_builduser}" 92 | 93 | # Add Monero daemon user 94 | adduser -quiet -noconfig -shell nologin -class daemon -batch "${monero_username}" 95 | 96 | 97 | ################################# 98 | ### PF FIREWALL CONFIGURATION ### 99 | ################################# 100 | 101 | # Backup pf firewall configuration 102 | cp /etc/pf.conf /etc/pf.conf-orig 103 | 104 | # Configure pf firewall 105 | cat <<__EOF> /etc/pf.conf 106 | 107 | ############ 108 | ## TABLES ## 109 | ############ 110 | 111 | # RFC1918 112 | table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } 113 | 114 | # Other non-routable ip addresses 115 | table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 } 116 | 117 | ############# 118 | ## OPTIONS ## 119 | ############# 120 | 121 | ## Drop blocked packets 122 | set block-policy drop 123 | 124 | ## Allow traffic loopback interface 125 | set skip on lo 126 | 127 | ################### 128 | ## GENERAL RULES ## 129 | ################### 130 | 131 | ## Default deny policy 132 | block 133 | 134 | ## Block ipv6 traffic 135 | block quick inet6 136 | 137 | 
###################
## ANTI SPOOFING ##
###################

## Antispoofing for external interface
antispoof quick for egress

## Block packets with wrong source interface
block in quick from urpf-failed

## Block packets with no route
block in quick from no-route

###########################
## TRAFFIC NORMALIZATION ##
###########################

## Scrub all incoming packets
match in all scrub (no-df max-mss 1440)

## Scrub outbound packets
match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)

###################
## INBOUND RULES ##
###################

## Allow inbound SSH traffic from ${internal_network} to ${internal_ip}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port 22 user root

## DISABLED: Tor controlport is disabled for security reasons
##
## Allow inbound traffic to Tor ControlPort ${tor_controlport}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_controlport} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_default}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_default} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_mua}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_mua} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_tails}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_tails} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_browser}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_browser} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion_auth}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion_auth} user root

## Allow inbound traffic to Monero P2P Port ${monero_p2p_port}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${monero_p2p_ip} port ${monero_p2p_port} user ${monero_username}

## Allow inbound traffic to Monero RPC Port ${monero_rpc_port}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${monero_rpc_ip} port ${monero_rpc_port} user ${monero_username}

## Allow inbound traffic to Monero ZMQ Port ${monero_zmq_port}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${monero_zmq_ip} port ${monero_zmq_port} user ${monero_username}

## EXAMPLE RULES FOR TOR .ONION SERVICES

## Allow inbound traffic from ${tor_proxy_ip} to Monero P2P Port ${monero_p2p_port}
#pass in quick on egress inet proto tcp from ${tor_proxy_ip} to self port ${monero_p2p_port} user ${monero_username}

## Allow inbound traffic from ${tor_proxy_ip} to Monero RPC Port ${monero_rpc_port}
#pass in quick on egress inet proto tcp from ${tor_proxy_ip} to self port ${monero_rpc_port} user ${monero_username}

## Allow inbound traffic from ${tor_proxy_ip} to Monero ZMQ Port ${monero_zmq_port}
#pass in quick on egress inet proto tcp from ${tor_proxy_ip} to self port ${monero_zmq_port} user ${monero_username}

##############
## REDIRECT ##
##############

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Redirect DNS traffic from ${internal_network} to the Tor DNSPort
#pass in quick on ! egress inet proto udp from ${internal_network}/${internal_netmask} to ${internal_ip} port 53 rdr-to ${internal_ip} port ${tor_dnsport}

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Redirect all TCP traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any rdr-to ${internal_ip} port ${tor_transport}

## EXAMPLE RULES
##
## Example rules for a stricter firewall ruleset. You need to
## disable the 'Redirect all TCP traffic from ${internal_network} to
## the Tor TransPort' rule with a '#'

## Redirect SSH traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port 22 rdr-to ${internal_ip} port ${tor_transport}

## Redirect MAIL traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 25, 110, 143, 587, 993, 995 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect HTTP(S) traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 80, 443 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect XMPP and IRC traffic from ${internal_network} to Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 5222, 5223, 6667, 6697 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Bitcoin traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 8332, 8333, 18332, 18333 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Monero traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 18080, 18081, 28080, 28081 } rdr-to ${internal_ip} port ${tor_transport}

####################
## OUTBOUND RULES ##
####################

## Allow outbound traffic from this system to DHCP
#pass out quick on egress proto udp from (egress) port 68 to egress:network port 67

## Allow outbound traffic from Monero daemon to the Tor
## SocksPort ${tor_socksport_default} on ${tor_proxy_ip}
## (this pass rule is evaluated before the RFC1918 block below on purpose)
pass out quick on egress inet proto tcp from (egress) to ${tor_proxy_ip} port ${tor_socksport_default} user ${monero_username}

## Allow outbound traffic from Monero daemon
#pass out quick on egress inet proto tcp from (egress) to any user ${monero_username}

## Block all outbound traffic to RFC1918 local area network addresses
## (table name <rfc1918> is assumed)
block out quick on egress inet from any to <rfc1918>

## Block all outbound traffic to other non-routable addresses
## (table name <nonroutable> is assumed)
block out quick on egress inet from any to <nonroutable>

## Allow outbound traffic from Tor service
#pass out quick on egress inet proto tcp from (egress) to any user ${tor_username}

##########################
## ONION SERVICES RULES ##
##########################

## Allow outbound traffic from Tor service to the SSH port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 22 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTP port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 80 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTPS port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 443 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin RPC port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 8332 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin P2P port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 8333 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero P2P port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18080 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero RPC port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18081 user ${tor_username}

__EOF
# End of pf firewall configuration


##########################
#### TOR CONFIGURATION ###
##########################
#
## Install packages during install
#pkg_add tor
#
## Import manually created Tor onion services
#for i in "${tor_onion_service_dirs}"*; do
#    if [[ -d $i ]]; then
#        mv $i /var/tor/
#        chown -R "${tor_username}":"${tor_username}" /var/tor/$i
#        chmod 0700 /var/tor/$i
#        chmod 0600 /var/tor/$i/*
#        echo "$i is deployed in /var/tor/"
#    fi
#done
#
## Backup Tor configuration
#cp /etc/tor/torrc /etc/tor/torrc-orig
#
## Configure Tor
#cat <<__EOF>> /etc/tor/torrc
#
### Do not remove or edit DisableNetwork. This is part of the
### installation process.
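The ruleset above follows three conventions on every `pass` rule: it is `quick`, it is tied to an interface (`on egress` or `on ! egress`) and it is pinned to a socket owner with `user`. A rule that drops one of those silently widens the policy, and `pfctl -nf /etc/pf.conf` only checks syntax, not convention. The script below is an added example, not part of the templates: it reads a pf.conf on stdin and reports each `pass` rule that breaks one of the three conventions. The sample ruleset is constructed for the demonstration, with the template's `${...}` variables replaced by literal addresses.

```shell
#!/bin/sh
# Added example (not part of the OpenBSD templates): lint a pf.conf in the
# style of the ruleset above. Each "pass" rule is expected to carry
# "quick", an interface ("on ...") and a socket owner ("user ...").
# The sample rules below are constructed for the demonstration.

# lint_pf_rules: read pf.conf on stdin, print one finding per offending
# rule, then print the number of findings as the last line.
lint_pf_rules() {
    awk '
        /^[ \t]*#/ { next }                  # comments
        /^[ \t]*$/ { next }                  # blank lines
        $1 == "pass" {
            why = ""
            if ($0 !~ /[ \t]quick([ \t]|$)/) why = why " no-quick"
            if ($0 !~ /[ \t]on[ \t]/)        why = why " no-interface"
            if ($0 !~ /[ \t]user[ \t]/)      why = why " no-user"
            if (why != "") {
                findings++
                print "line " NR ":" why ": " $0
            }
        }
        END { print findings + 0 }
    '
}

# pf_findings: the findings only (everything except the trailing count)
pf_findings() {
    lint_pf_rules | sed '$d'
}

# pf_finding_count: the trailing count alone
pf_finding_count() {
    lint_pf_rules | tail -n 1
}

# Constructed sample: two rules in the template style, two that break it.
SAMPLE_PF='# default deny
block
block quick inet6
pass in quick on ! egress inet proto tcp from 172.16.1.0/24 to 172.16.1.1 port 18081 user _monero
pass out quick on egress inet proto tcp from (egress) to 172.16.1.10 port 9050 user _monero
pass out on egress inet proto tcp from (egress) to any
pass in quick inet proto tcp from any to any port 22 user root
block out quick on egress inet from any to <rfc1918>'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_PF" | pf_findings
    echo "findings: $(printf '%s\n' "$SAMPLE_PF" | pf_finding_count)"
fi
```

Run it as `lint.sh demo` to see the two findings in the sample (a rule without `quick` and `user`, and a rule without an interface), or pipe a real file through `pf_findings` before loading it with `pfctl -f`. The lint is deliberately conservative: it never rewrites a rule, it only points at the ones to look at.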
#DisableNetwork 1
#
#################################################
#### Customizations based on torrc from Tails ###
#################################################
#
### Disable all SocksPort connections
##SocksPort 0
#
### Default SocksPort
#SocksPort ${internal_ip}:${tor_socksport_default} IsolateDestAddr IsolateDestPort
### SocksPort for the MUA
#SocksPort ${internal_ip}:${tor_socksport_mua} IsolateDestAddr
### SocksPort for Tails-specific applications
#SocksPort ${internal_ip}:${tor_socksport_tails} IsolateDestAddr IsolateDestPort
### SocksPort for the default web browser
#SocksPort ${internal_ip}:${tor_socksport_browser} IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
#
### Onion traffic only SocksPorts
###
### SocksPort for .onion only applications
#SocksPort ${internal_ip}:${tor_socksport_onion} OnionTrafficOnly IsolateDestAddr IsolateDestPort
### SocksPort for .onion only applications with socks authentication
#SocksPort ${internal_ip}:${tor_socksport_onion_auth} OnionTrafficOnly IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
#
### FIXME: ControlPort is disabled for security reasons
###
### The port on which Tor will listen for local connections from Tor
### controller applications, as documented in control-spec.txt.
##ControlPort 9052
##ControlListenAddress ${internal_ip}
#
### DISABLED: Use torsocks on the remote system to route traffic
### through this Tor proxy.
###
### Torified DNS
##DNSPort ${internal_ip}:${tor_dnsport}
#AutomapHostsOnResolve 1
#AutomapHostsSuffixes .exit,.onion
#
### DISABLED: Use torsocks on the remote system to route traffic
### through this Tor proxy.
###
### Transparent proxy
##TransPort ${internal_ip}:${tor_transport} IsolateDestAddr # Plus IsolateDestAddr
### Disabled: deprecated option
##TransListenAddress ${internal_ip}
#
### Misc
#AvoidDiskWrites 1
#
### Disabled: deprecated option
### We don't care if applications do their own DNS lookups since our Tor
### enforcement will handle it safely.
##WarnUnsafeSocks 0
#
### Disable default warnings on StartTLS for email. Let's not train our
### users to click through security warnings.
#WarnPlaintextPorts 23,109
#
#############################
#### Local onion services ###
#############################
#
### Example onion service configurations
###
### Uncomment HiddenServiceDir and HiddenServicePort to enable
### a Tor onion service. Make sure you use the right port and
### IP address combination. Check the hostname file to obtain the
### .onion hostname. Example .onion hostname: 2tbi9klopsalxaqq.onion
###
### You can only configure one onion service per HiddenServiceDir.
### If you want to run multiple onion services you need to create
### multiple HiddenServiceDirs. It is possible to forward multiple
### ports to the same .onion service.
###
### Example with two .onion services:
###
### HiddenServiceDir /var/tor/hidden_service/
### HiddenServicePort 22 127.0.0.1:22 # Single port
###
### HiddenServiceDir /var/tor/hidden_service_www/
### HiddenServicePort 80 127.0.0.1:80 # Multiple ports
### HiddenServicePort 443 127.0.0.1:443 # Multiple ports
### HiddenServicePort XYZ 127.0.0.1:XYZ # Multiple ports
###
### Optional: Uncomment HiddenServiceAuthorizeClient to enable client
### authorization for an onion service.
### The authorization key and .onion address can be found in the
### hostname file. Clients need to add the authorization key to their
### local Tor torrc configuration with the 'HidServAuth' option.
###
### Example HidServAuth configuration for a Tor client:
### HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb
###
### Optional: Uncomment HiddenServiceVersion 3 to configure next
### generation onion services which have better crypto and longer
### .onion hostnames. Requires Tor version 0.3.2.x or later.
### HiddenServiceVersion 3 is currently not compatible with
### HiddenServiceAuthorizeClient.
#
### Onion service for the SSH server on this system
##HiddenServiceDir /var/tor/hidden_service/
##HiddenServicePort 22 127.0.0.1:22
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
### Onion service for the webserver on this system
##HiddenServiceDir /var/tor/hidden_service_www/
##HiddenServicePort 80 127.0.0.1:80
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
### Onion service for the SSH server on ${internal_server}
##HiddenServiceDir /var/tor/hidden_service_ssh_${internal_server}/
##HiddenServicePort 22 ${internal_server}:22
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
### Onion service for the webserver on ${internal_server}
##HiddenServiceDir /var/tor/hidden_service_www_${internal_server}/
##HiddenServicePort 80 ${internal_server}:80
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
### Onion service for the Bitcoin RPC wallet service on ${internal_server}
##HiddenServiceDir /var/tor/hidden_service_btc_rpc_${internal_server}/
##HiddenServicePort 8332 ${internal_server}:8332
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
### Onion service for the Bitcoin P2P blockchain sync on ${internal_server}
##HiddenServiceDir /var/tor/hidden_service_btc_p2p_${internal_server}/
##HiddenServicePort 8333 ${internal_server}:8333
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
### Onion service for the Monero P2P blockchain sync on ${internal_server}
##HiddenServiceDir /var/tor/hidden_service_xmr_p2p_${internal_server}/
##HiddenServicePort 18080 ${internal_server}:18080
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
### Onion service for the Monero RPC wallet service on ${internal_server}
##HiddenServiceDir /var/tor/hidden_service_xmr_rpc_${internal_server}/
##HiddenServicePort 18081 ${internal_server}:18081
### Optional client authorization for three clients
##HiddenServiceAuthorizeClient stealth client1,client2,client3
### Optional version 3 next generation .onion service
##HiddenServiceVersion 3
#
##############################
#### Remote onion services ###
##############################
#
### In this section you can configure the authorization data for
### stealth onion services that are hosted on a remote location.
### Local Tor socks clients will be able to use these onion services.
### The authorization key and .onion address can be found in the
### hostname file on the remote .onion service.
###
### Example:
### HidServAuth hostname.onion authorization-key
### HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb
#
### Remote onion service 1
### Comment: Offsite backup system
##HidServAuth hostname.onion authorization-key
#
### Remote onion service 2
### Comment: Remote Monero system
##HidServAuth hostname.onion authorization-key
#
### Remote onion service 3
### Comment: Remote security monitoring system
##HidServAuth hostname.onion authorization-key
#
#__EOF
## End of torrc configuration


#######################
### Immutable flags ###
#######################

cat <<__EOF>> /etc/set-immutable-flags.sh
#!/bin/sh

# Set immutable flags on files and folders

# See /etc/unset-immutable-flags.sh to (temporarily) disable
# immutable flags.
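For a stealth onion service, Tor writes one line per authorized client into the service's `hostname` file, in the form `<address>.onion <cookie> # client: <name>`, and each client needs the matching `HidServAuth` line in its own torrc, which is what the remote onion services section above expects you to fill in by hand. The script below is an added example, not part of the templates: it pulls the entry for one named client out of such a hostname file and prints the torrc line to hand to that client, ignoring anything that does not look like a valid entry. The hostname file content is constructed for the demonstration. This applies to version 2 onion services only, since version 3 services do not use `HidServAuth`.

```shell
#!/bin/sh
# Added example (not part of the OpenBSD templates): turn the hostname file
# of a stealth (v2) onion service into HidServAuth lines for its clients.
#
# Tor writes the hostname file of a stealth service with one line per
# authorized client:
#   <16 char base32 address>.onion <22 char cookie> # client: <name>
# The client adds "HidServAuth <address> <cookie>" to its own torrc.

# hidservauth_for_client NAME: stdin is the hostname file; prints the
# HidServAuth line for NAME, or nothing if NAME is not authorized.
hidservauth_for_client() {
    awk -v client="$1" '
        NF == 5 && length($1) == 22 && $1 ~ /^[a-z2-7]+\.onion$/ &&
        length($2) == 22 && $3 == "#" && $4 == "client:" && $5 == client {
            print "HidServAuth " $1 " " $2
        }
    '
}

# hidservauth_clients: list the client names found in the hostname file
hidservauth_clients() {
    awk 'NF == 5 && $3 == "#" && $4 == "client:" { print $5 }'
}

# Constructed hostname file: the addresses and cookies are made up and
# only have the right shape. The last line is deliberately malformed.
SAMPLE_HOSTNAME='vy3kqmz6hfu2rbtw.onion cB1h4uWhSRgYRIln8EAhgb # client: client1
k4tlqmtsapb3nx2p.onion Yh9p3KxwQ2LmF7tNcRv0aA # client: client2
wq7ehz5u3cmd2bvt.onion 8Jq2Lw5sNx0cPaZd4vBgHe # client: client3
this line is not a valid entry and is ignored'

if [ "${1:-}" = "demo" ]; then
    for c in $(printf '%s\n' "$SAMPLE_HOSTNAME" | hidservauth_clients); do
        echo "# torrc line for $c:"
        printf '%s\n' "$SAMPLE_HOSTNAME" | hidservauth_for_client "$c"
    done
fi
```

On the service host the real input is `/var/tor/<HiddenServiceDir>/hostname`, readable only by the Tor user, so run this as root over the file (or copy the file out first) and pass each client only its own line: in stealth mode every client gets a different `.onion` address and cookie, so a client given another client's line can reach a service it was never authorized for.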

chflags schg / 2>/dev/null

chflags -R schg /altroot 2>/dev/null
chflags -R schg /bin 2>/dev/null
chflags -R schg /etc 2>/dev/null
#chflags -R schg /home 2>/dev/null
chflags -R schg /mfs 2>/dev/null
chflags -R schg /mnt 2>/dev/null
chflags -R schg /root 2>/dev/null
chflags -R schg /sbin 2>/dev/null
chflags -R schg /usr 2>/dev/null

chflags schg /.cshrc 2>/dev/null
chflags schg /.profile 2>/dev/null
chflags schg /boot 2>/dev/null
chflags schg /bsd 2>/dev/null
chflags schg /bsd.mp 2>/dev/null
chflags schg /bsd.rd 2>/dev/null
chflags schg /bsd.sp 2>/dev/null
chflags schg /obsd 2>/dev/null

# Monero
chflags schg /home 2>/dev/null
chflags -R schg /home/"${monero_builduser}" 2>/dev/null
#chflags schg /home/"${monero_username}" 2>/dev/null
chflags schg /home/"${monero_username}"/monerod.sh 2>/dev/null
#chflags schg /home/"${monero_username}"/"${monero_data_dir}" 2>/dev/null
#chflags schg /home/"${monero_username}"/"${monero_data_dir}"/"${monero_config_file}" 2>/dev/null
#chflags schg /home/"${monero_username}"/"${monero_data_dir}"/lmdb 2>/dev/null

__EOF

cat <<__EOF>> /etc/unset-immutable-flags.sh
#!/bin/sh

# Remove immutable flags from files and folders

# How to temporarily remove immutable flags, make changes to the
# system and set immutable flags back again:
#
# kill -15 1
# mount -uw /
# /etc/unset-immutable-flags.sh
# export TERM=vt220
#
# /etc/set-immutable-flags.sh
# exit

chflags noschg / 2>/dev/null

chflags -R noschg /altroot 2>/dev/null
chflags -R noschg /bin 2>/dev/null
chflags -R noschg /etc 2>/dev/null
chflags -R noschg /home 2>/dev/null
chflags -R noschg /mfs 2>/dev/null
chflags -R noschg /mnt 2>/dev/null
chflags -R noschg /root 2>/dev/null
chflags -R noschg /sbin 2>/dev/null
chflags -R noschg /usr 2>/dev/null

chflags noschg /.cshrc 2>/dev/null
chflags noschg /.profile 2>/dev/null
chflags noschg /boot 2>/dev/null
chflags noschg /bsd 2>/dev/null
chflags noschg /bsd.mp 2>/dev/null
chflags noschg /bsd.rd 2>/dev/null
chflags noschg /bsd.sp 2>/dev/null
chflags noschg /obsd 2>/dev/null

__EOF

chmod 500 /etc/set-immutable-flags.sh
chmod 500 /etc/unset-immutable-flags.sh

######################
## CONFIGURE MONERO ##
######################

# Compile and configure monero
cat <<__EOF>> /monero_config.sh
#!/bin/sh

set -u
set -e

# Add /usr/local/bin to PATH for cmake and git
export PATH=\$PATH:/usr/local/bin

# Install packages
pkg_add /cmake /miniupnpc /zeromq /libiconv /git /torsocks

# Set stricter permissions on home directory
chmod 0700 /home/"${monero_builduser}"

# Configure doas
echo "permit nopass root as ${monero_builduser}" >> /etc/doas.conf

# Create boost directory
boost_version="1_64_0"
doas -u "${monero_builduser}" mkdir /home/"${monero_builduser}"/boost

# Move boost archive
mv /boost_"\${boost_version}".tar.bz2 /home/"${monero_builduser}"/boost/

# Extract boost archive
doas -u "${monero_builduser}" tar xfj /home/"${monero_builduser}"/boost/boost_"\${boost_version}".tar.bz2 -C /home/"${monero_builduser}"/boost/

# Move boost patches
mv /boost_test_impl_execution_monitor_ipp.patch /home/"${monero_builduser}"/boost/boost_test_impl_execution_monitor_ipp.patch
mv /boost_config_platform_bsd_hpp.patch /home/"${monero_builduser}"/boost/boost_config_platform_bsd_hpp.patch

# Change directory to boost directory
cd /home/"${monero_builduser}"/boost/boost_"\${boost_version}"

# Patch boost
doas -u "${monero_builduser}" patch -p0 < ../boost_test_impl_execution_monitor_ipp.patch
doas -u "${monero_builduser}" patch -p0 < ../boost_config_platform_bsd_hpp.patch

# Configure user-config.jam
echo 'using clang : : c++ : "-fvisibility=hidden -fPIC" "" "ar" "strip" "ranlib" "" : ;' > user-config.jam

# Run bootstrap.sh
doas -u "${monero_builduser}" ./bootstrap.sh --without-icu --with-libraries=chrono,filesystem,program_options,system,thread,test,date_time,regex,serialization,locale --with-toolset=clang

# Run b2
doas -u "${monero_builduser}" ./b2 toolset=clang cxxflags="-stdlib=libc++" linkflags="-stdlib=libc++" -sICONV_PATH=/usr/local

# Install boost
# Note: the install step runs the b2 binary that was built in the
# build user's writable tree as root; the unprivileged build user is
# the trust boundary for everything up to this point only.
./b2 -d0 runtime-link=shared threadapi=pthread threading=multi link=static variant=release --layout=tagged --build-type=complete --user-config=user-config.jam -sNO_BZIP2=1 -sICONV_PATH=/usr/local --prefix=/usr/local install

# Create cppzmq directory
cppzmq_version="4.2.3"
doas -u "${monero_builduser}" mkdir /home/"${monero_builduser}"/cppzmq

# Move cppzmq archive
mv /cppzmq-"\${cppzmq_version}".tar.gz /home/"${monero_builduser}"/cppzmq/

# Extract cppzmq archive
doas -u "${monero_builduser}" tar xfz /home/"${monero_builduser}"/cppzmq/cppzmq-"\${cppzmq_version}".tar.gz -C /home/"${monero_builduser}"/cppzmq/

# Change directory to cppzmq directory
cd /home/"${monero_builduser}"/cppzmq/cppzmq-"\${cppzmq_version}"

# Create build directory
doas -u "${monero_builduser}" mkdir build

# Change directory to build directory
cd build

# Run cmake
doas -u "${monero_builduser}" cmake ..

# Install cppzmq
make install

# Move monero source code directory
mv /monero /home/"${monero_builduser}"/

# Set permissions on monero directory
chmod 0700 /home/"${monero_builduser}"/monero/
chown -R "${monero_builduser}":"${monero_builduser}" /home/"${monero_builduser}"/monero/

# Change directory to monero directory
cd /home/"${monero_builduser}"/monero/

# Checkout the latest stable monero release
doas -u "${monero_builduser}" git checkout "${monero_version}"

# Compile monero as the build user. env and make must be one doas
# command: with "env ... && make" the build would run as root and
# without DEVELOPER_LOCAL_TOOLS and BOOST_ROOT.
doas -u "${monero_builduser}" env DEVELOPER_LOCAL_TOOLS=1 BOOST_ROOT=/usr/local make release-static

# Set stricter permissions on home directory
chmod 0700 /home/"${monero_username}"

# Copy monero binaries to /usr/local/bin/
cp /home/"${monero_builduser}"/monero/build/release/bin/* /usr/local/bin/

# Set permissions monero binaries
chmod 0555 /usr/local/bin/monero*
chown root:bin /usr/local/bin/monero*

# Create monero data directory
mkdir /home/"${monero_username}"/"${monero_data_dir}"

# Deploy monero configuration
mv /"${monero_config_file}" /home/"${monero_username}"/"${monero_data_dir}"

# Set permissions on monero data directory
chmod 0700 /home/"${monero_username}"/"${monero_data_dir}"
chown -R "${monero_username}":"${monero_username}" /home/"${monero_username}"/"${monero_data_dir}"
chmod 0600 /home/"${monero_username}"/"${monero_data_dir}"/"${monero_config_file}"

# Start monerod daemon on boot
mv /monerod.sh /home/"${monero_username}"/
echo "" >> /etc/rc.local
echo "# Start monerod daemon on system boot" >> /etc/rc.local
echo "/home/${monero_username}/monerod.sh" >> /etc/rc.local

__EOF

chmod 0500 /monero_config.sh

#################################
### Monero configuration file ###
#################################

# Configure monero configuration file
cat <<__EOF> /"${monero_config_file}"
restricted-rpc=1
hide-my-port=1
no-igd=1
confirm-external-bind=1
rpc-bind-ip=${monero_rpc_ip}
p2p-bind-ip=${monero_p2p_ip}
zmq-rpc-bind-ip=${monero_zmq_ip}
rpc-bind-port=${monero_rpc_port}
p2p-bind-port=${monero_p2p_port}
zmq-rpc-bind-port=${monero_zmq_port}
data-dir=/home/${monero_username}/${monero_data_dir}
#log-file=/home/${monero_username}/${monero_data_dir}/bitmonero.log
#log-file=/dev/null # Disable logging
#log-level=0
#max-log-file-size=104850000 # 100MB
#max-concurrency=0
#enforce-dns-checkpointing=1
#prep-blocks-threads=4
#fast-block-sync=1
#show-time-stats=0
#block-sync-size=0
#check-updates=notify
#max-txpool-size=648000000
#start-mining=${monero_mining_address}
#mining-threads=
#bg-mining-enable=
#bg-mining-ignore-battery=
#bg-mining-min-idle-interval=
#bg-mining-idle-threshold=
#bg-mining-miner-target=
#db-type=lmdb
#db-sync-mode=fast:async:1000
#db-salvage=
#p2p-external-port=
#allow-local-ip=
#add-peer=
#add-priority-node=
#add-exclusive-node=
#seed-node=
#out-peers=
#in-peers=
#tos-flag=
#limit-rate-up=
#limit-rate-down=
#limit-rate=
#save-graph=
#rpc-restricted-bind-port=
#bootstrap-daemon-address= # Add .onion address Monero daemon of a friend
#bootstrap-daemon-login=
#rpc-login=
#rpc-access-control-origins=

__EOF

#############################
### Monero startup script ###
#############################

# Configure monerod startup script
cat <<__EOF> /monerod.sh
#!/bin/sh

set -u
set -e

daemon="/usr/local/bin/monerod"
daemon_flags="--detach --config-file /home/${monero_username}/${monero_data_dir}/${monero_config_file}"
torsocks_daemon="/usr/local/bin/torsocks"
torsocks_daemon_flags="--address ${tor_proxy_ip} --port ${tor_socksport_default}"

# Run as root
if [ ! \$(id -u) = '0' ]; then
    echo "Run this script as root."
    exit 1
fi

# Check if monerod is running
if pgrep -q -xf "\${daemon} \${daemon_flags}"; then
    echo "\${daemon} is already running."
    exit 0
else
    echo "Starting \${daemon}"
fi

# Remove p2pstate.bin
if [[ -f /home/"${monero_username}"/"${monero_data_dir}"/p2pstate.bin ]]; then
    rm -P /home/"${monero_username}"/"${monero_data_dir}"/p2pstate.bin
fi

# Start monerod daemon
#su -l -c daemon -s /bin/sh "${monero_username}" -c "\${daemon} \${daemon_flags}"

# Start monerod daemon with torsocks
su -l -c daemon -s /bin/sh "${monero_username}" -c "TORSOCKS_ALLOW_INBOUND=1 DNS_PUBLIC=tcp \${torsocks_daemon} \${torsocks_daemon_flags} \${daemon} \${daemon_flags}"

__EOF

chmod 0555 /monerod.sh

#######################
### Install editors ###
#######################

# Install editors
cat <<__EOF> /editors.sh
#!/bin/ksh

# Install nano
if [ -f /nano-[[:digit:]].[[:digit:]].+([[:alnum:]]).tgz ]; then
    pkg_add /nano
fi

# Install vim
if [ -f /vim-[[:digit:]].[[:digit:]].+([[:alnum:]])-no_x11.tgz ]; then
    pkg_add /vim
fi

__EOF

chmod 0500 /editors.sh

##########################
### Install misc tools ###
##########################

# Install misc tools
cat <<__EOF> /misc_tools.sh
#!/bin/ksh

# Install screen
if [ -f /screen-[[:digit:]].[[:digit:]].+([[:alnum:]]).tgz ]; then
    pkg_add /screen
fi

__EOF

chmod 0500 /misc_tools.sh

###################################
### CONFIGURE /etc/rc.firsttime ###
###################################

# rc.firsttime will run once on the first normal boot

cat <<'__EOF'>> /etc/rc.firsttime

# Push custom cryptographic seed 2 into the kernel
if [[ -f /custom-random.seed2 ]]; then
    dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed2
fi

# Start Tor without network access and let it generate onion services
#grep -q 'DisableNetwork 1' /etc/tor/torrc && /etc/rc.d/tor start

# Give Tor some time to generate the .onion services
#sleep 10

# Stop Tor
#/etc/rc.d/tor stop

# Cleanup Tor files
#for i in lock state; do
#    if [[ -f /var/tor/$i ]]; then
#        rm -P /var/tor/$i
#    fi
#done

# Allow Tor to the network
#sed -i 's/DisableNetwork 1/DisableNetwork 0/' /etc/tor/torrc

# Enable Tor at boot
#echo "pkg_scripts=tor" >> /etc/rc.conf.local

# Configure random mac address for network interfaces
for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do
    echo "lladdr random" >> $i
done

# Import firmware files
if [[ -d /firmware ]]; then
    mv /firmware/* /etc/firmware/
    chown root:bin /etc/firmware/*
    chmod 0644 /etc/firmware/*
    rm -r /firmware
fi

# Install missing firmware
/usr/sbin/fw_update -v -p /etc/firmware/

#############
## EDITORS ##
#############

# Install editors
if [[ -x /editors.sh ]]; then
    /editors.sh &&
    rm -P /editors.sh
fi

################
## MISC TOOLS ##
################

# Install misc tools
if [[ -x /misc_tools.sh ]]; then
    /misc_tools.sh &&
    rm -P /misc_tools.sh
fi

960 | ###################### 961 | ## CONFIGURE MONERO ## 962 | ###################### 963 | 964 | # Compile and configure monero 965 | if [[ -x /monero_config.sh ]]; then 966 | /monero_config.sh && 967 | rm -P /monero_config.sh 968 | fi 969 | 970 | ############# 971 | ## CLEANUP ## 972 | ############# 973 | 974 | # Remove archives 975 | for i in /*.tgz; do 976 | if [[ -f $i ]]; then 977 | rm -P $i 978 | fi 979 | done 980 | 981 | ############################## 982 | ## SAVE CRYPTOGRAPHIC SEEDS ## 983 | ############################## 984 | 985 | # Push old seed into the kernel, create a future seed and create a 986 | # seed file for the boot-loader. 987 | dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none 988 | chmod 600 /var/db/host.random 989 | dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none 990 | dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none 991 | chmod 600 /etc/random.seed 992 | 993 | # Create a location to store the cryptographic seed for the kernel 994 | mkdir /home/_kernelseed/ 995 | chmod 0700 /home/_kernelseed/ 996 | 997 | 998 | ############################## 999 | ## FILESYSTEM MODIFICATIONS ## 1000 | ############################## 1001 | 1002 | # Backup fstab 1003 | cp -p /etc/fstab /etc/fstab-orig 1004 | 1005 | # Create /mfs directory 1006 | mkdir /mfs/ 1007 | 1008 | # Copy /var to /mfs 1009 | cp -rp /var /mfs/ || true 1010 | rm -r /mfs/var/run/* || true 1011 | rm -r /mfs/var/cache/* || true 1012 | rm -r /mfs/var/cron/tabs/*.sock || true 1013 | 1014 | # Create /dev in /mfs 1015 | mkdir /mfs/dev 1016 | cp -p /dev/MAKEDEV /mfs/dev/ 1017 | cd /mfs/dev/ && ./MAKEDEV all 1018 | 1019 | # Add /tmp entry to /etc/stab 1020 | echo "" >> /etc/fstab 1021 | echo "# /tmp in RAM with 64MB" >> /etc/fstab 1022 | echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab 1023 | 1024 | # Add /var entry to /etc/stab 1025 | echo "" >> /etc/fstab 1026 | echo "# /var in RAM with 64MB" >> /etc/fstab 1027 | 
echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0" >> /etc/fstab 1028 | 1029 | # Add /mfs/dev entry to /etc/fstab 1030 | echo "" >> /etc/fstab 1031 | echo "# /dev in RAM" >> /etc/fstab 1032 | echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab 1033 | 1034 | # Set all ffs filesystems to read-only 1035 | sed -i 's/ffs rw/ffs ro/' /etc/fstab 1036 | 1037 | # Set /home to read-write and noatime for monero storage 1038 | sed -i 's# /home ffs ro# /home ffs rw,noatime,#' /etc/fstab 1039 | 1040 | # Remove /etc/rc.firsttime.run 1041 | if [[ -f /etc/rc.firsttime.run ]]; then 1042 | rm /etc/rc.firsttime.run 1043 | fi 1044 | 1045 | # Set files and folders to immutable 1046 | /etc/set-immutable-flags.sh 1047 | 1048 | # Automatic reboot 1049 | reboot 1050 | 1051 | __EOF 1052 | 1053 | 1054 | # Remove install.site 1055 | if [[ -f /install.site ]]; then 1056 | rm -P /install.site 1057 | fi 1058 | 1059 | # Exit script 1060 | exit 0 1061 | -------------------------------------------------------------------------------- /templates/openbsd-gateway-tor-socks-and-transparent: -------------------------------------------------------------------------------- 1 | #!/bin/ksh 2 | 3 | set -u 4 | set -e 5 | 6 | # Variables 7 | internal_ip="172.16.1.1" # The IP for the Tor service 8 | internal_server="172.16.1.2" # An optional server in the internal network 9 | internal_network="172.16.1.0" 10 | internal_netmask="24" # 24 = 255.255.255.0 11 | tor_controlport="9052" 12 | tor_dnsport="5353" 13 | tor_transport="9040" 14 | tor_socksport_default="9050" 15 | tor_socksport_mua="9061" 16 | tor_socksport_tails="9062" 17 | tor_socksport_browser="9150" 18 | tor_socksport_onion="9250" 19 | tor_socksport_onion_auth="9350" 20 | tor_username="_tor" 21 | tor_onion_service_dirs="/hidden_service" 22 | ## TODO: Kovri/I2P 23 | #i2p_socksport_default="" 24 | #i2p_socksport_monero="" 25 | #i2p_socksport_browser="" 26 | #i2p_username="" 27 | #i2p_service_dirs="" 28 | 
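# Added example, not part of this template or of the project: a
# post-install audit in POSIX sh for the two files this template writes
# further down, /etc/tor/torrc and /etc/fstab. It checks the constraints
# the template's own comments state: a HiddenServiceVersion 3 service
# cannot be combined with HiddenServiceAuthorizeClient, DisableNetwork 1
# must have been flipped to 0 by rc.firsttime, ControlPort stays
# disabled, ffs filesystems end up read-only and mfs filesystems carry
# nosuid. The function names (check_torrc, check_fstab, run_demo) are
# this example's own; it assumes only sh, awk and mktemp, and the torrc
# and fstab it runs on are constructed samples, not files from a real
# system. Against a live system, run it from the single-user procedure
# documented in /etc/unset-immutable-flags.sh or on copies of the files.

```sh
#!/bin/sh
# Post-install audit for the torrc and fstab that the template writes.
# Each check parses its file with awk, prints one line per finding and
# returns the number of findings as its exit status (0 = clean).
# Function names and the sample files are this example's own inventions.

# check_torrc FILE: flags a HiddenServiceDir block that combines
# HiddenServiceVersion 3 with HiddenServiceAuthorizeClient (documented
# in the template as incompatible), a leftover "DisableNetwork 1" and an
# enabled ControlPort.
check_torrc() {
    awk '
        function finish_block() {
            if (dir != "" && ver == 3 && auth) {
                print dir ": HiddenServiceVersion 3 cannot use HiddenServiceAuthorizeClient"
                n++
            }
            dir = ""
        }
        BEGIN { n = 0 }
        # drop comments and leading whitespace, skip blank lines
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); if ($0 == "") next }
        $1 == "HiddenServiceDir" { finish_block(); dir = $2; ver = 2; auth = 0 }
        $1 == "HiddenServiceVersion" { ver = $2 + 0 }
        $1 == "HiddenServiceAuthorizeClient" { auth = 1 }
        $1 == "DisableNetwork" && $2 == "1" { print "DisableNetwork 1 is still set"; n++ }
        $1 == "ControlPort" && $2 != "0" { print "ControlPort " $2 " is enabled"; n++ }
        END { finish_block(); exit n }
    ' "$1"
}

# check_fstab FILE: flags ffs filesystems that are not mounted read-only
# and memory filesystems (mfs) without nosuid.
check_fstab() {
    awk '
        BEGIN { n = 0 }
        /^[ \t]*#/ || NF < 4 { next }   # comments and malformed lines
        {
            ro = 0; nosuid = 0
            split($4, opt, ",")
            for (i in opt) { if (opt[i] == "ro") ro = 1; if (opt[i] == "nosuid") nosuid = 1 }
        }
        $3 == "ffs" && !ro     { print $2 ": ffs filesystem is writable"; n++ }
        $3 == "mfs" && !nosuid { print $2 ": memory filesystem lacks nosuid"; n++ }
        END { exit n }
    ' "$1"
}

# Constructed samples (not from a real system), each with deliberate
# mistakes so that the checks have something to report.
sample_torrc() {
    cat <<'EOF'
DisableNetwork 1
ControlPort 9052
SocksPort 172.16.1.1:9050 IsolateDestAddr IsolateDestPort
HiddenServiceDir /var/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient stealth client1,client2
HiddenServiceVersion 3
HiddenServiceDir /var/tor/hidden_service_www/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceVersion 3
EOF
}
sample_fstab() {
    cat <<'EOF'
# constructed fstab after the rc.firsttime edits
0123abcd.a / ffs rw 1 1
0123abcd.d /usr ffs ro,nodev 1 2
swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0
swap /var mfs rw,-s64m,nodev,noatime,-P=/mfs/var/ 0 0
swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0
EOF
}

# Demo: run both checks on the samples and report the finding counts
# (3 for the torrc, 2 for the fstab).
run_demo() {
    t=$(mktemp) && f=$(mktemp) || return 1
    sample_torrc > "$t"
    sample_fstab > "$f"
    check_torrc "$t" || echo "torrc: $? finding(s)"
    check_fstab "$f" || echo "fstab: $? finding(s)"
    rm -f "$t" "$f"
}
run_demo
```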

echo ""
echo "### CUSTOM INSTALL SCRIPT ###"
echo ""

# Push custom cryptographic seed 1 into the kernel
if [[ -f /custom-random.seed1 ]]; then
    dd if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed1
fi

# Configure securelevel 2 on boot
echo "# Configure securelevel 2 on system boot" >> /etc/rc.local
echo "sysctl kern.securelevel=2" >> /etc/rc.local

# Disable library reordering on boot
echo "library_aslr=NO" >> /etc/rc.conf.local

# Disable sshd on boot
echo "sshd_flags=NO" >> /etc/rc.conf.local

# Disable ntpd on boot
echo "ntpd_flags=NO" >> /etc/rc.conf.local

# Disable ddb.panic to prevent securelevel changes
echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf
echo "ddb.panic=0" >> /etc/sysctl.conf


#################################
### PF FIREWALL CONFIGURATION ###
#################################

# Backup pf firewall configuration
cp /etc/pf.conf /etc/pf.conf-orig

# Configure pf firewall
cat <<__EOF> /etc/pf.conf

############
## TABLES ##
############

# RFC1918
table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Other non-routable ip addresses
table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

#############
## OPTIONS ##
#############

## Drop blocked packets
set block-policy drop

## Allow traffic on the loopback interface
set skip on lo

###################
## GENERAL RULES ##
###################

## Default deny policy
block

## Block ipv6 traffic
block quick inet6

###################
## ANTI SPOOFING ##
###################

## Antispoofing for external interface
antispoof quick for egress

## Block packets with wrong source interface
block in quick from urpf-failed

## Block packets with no route
block in quick from no-route

###########################
## TRAFFIC NORMALIZATION ##
###########################

## Scrub all incoming packets
match in all scrub (no-df max-mss 1440)

## Scrub outbound packets
match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)

###################
## INBOUND RULES ##
###################

## Allow inbound SSH traffic from ${internal_network} to ${internal_ip}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port 22 user root

## DISABLED: Tor controlport is disabled for security reasons
##
## Allow inbound traffic to Tor ControlPort ${tor_controlport}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_controlport} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_default}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_default} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_mua}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_mua} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_tails}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_tails} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_browser}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_browser} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion_auth}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion_auth} user root

####################
## REDIRECT RULES ##
####################

## Redirect DNS traffic from ${internal_network} to the Tor DNSPort
pass in quick on ! egress inet proto udp from ${internal_network}/${internal_netmask} to ${internal_ip} port 53 rdr-to ${internal_ip} port ${tor_dnsport}

## Redirect all TCP traffic from ${internal_network} to the Tor TransPort
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any rdr-to ${internal_ip} port ${tor_transport}

## EXAMPLE RULES
##
## Example rules for a stricter firewall ruleset. You need to
## disable the 'Redirect all TCP traffic from ${internal_network} to
## the Tor TransPort' rule with a '#'

## Redirect SSH traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port 22 rdr-to ${internal_ip} port ${tor_transport}

## Redirect MAIL traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 25, 110, 143, 587, 993, 995 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect HTTP(S) traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 80, 443 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect XMPP and IRC traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 5222, 5223, 6667, 6697 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Bitcoin traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 8332, 8333, 18332, 18333 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Monero traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 18080, 18081, 28080, 28081 } rdr-to ${internal_ip} port ${tor_transport}

####################
## OUTBOUND RULES ##
####################

## Allow outbound traffic from this system to DHCP
#pass out quick on egress proto udp from (egress) port 68 to egress:network port 67

## Block all outbound traffic to RFC1918 local area network addresses
block out quick on egress inet from any to

## Block all outbound traffic to other non-routable addresses
block out quick on egress inet from any to

## Allow outbound traffic from Tor service
pass out quick on egress inet proto tcp from (egress) to any user ${tor_username}

##########################
## ONION SERVICES RULES ##
##########################

## Allow outbound traffic from Tor service to the SSH port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 22 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTP port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 80 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTPS port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 443 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin RPC port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 8332 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin P2P port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 8333 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero P2P port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18080 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero RPC port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18081 user ${tor_username}

__EOF
# End of pf firewall configuration


#########################
### TOR CONFIGURATION ###
#########################

# Install packages during install
pkg_add tor

# Import manually created Tor onion services
for i in "${tor_onion_service_dirs}"*; do
    if [[ -d $i ]]; then
        mv $i /var/tor/
        chown -R "${tor_username}":"${tor_username}" /var/tor/$i
        chmod 0700 /var/tor/$i
        chmod 0600 /var/tor/$i/*
        echo "$i is deployed in /var/tor/"
    fi
done

# Backup Tor configuration
cp /etc/tor/torrc /etc/tor/torrc-orig

# Configure Tor
cat <<__EOF>> /etc/tor/torrc

## Do not remove or edit DisableNetwork. This is part of the
## installation process.
DisableNetwork 1

################################################
### Customizations based on torrc from Tails ###
################################################

## Disable all SocksPort connections
#SocksPort 0

## Default SocksPort
SocksPort ${internal_ip}:${tor_socksport_default} IsolateDestAddr IsolateDestPort
## SocksPort for the MUA
SocksPort ${internal_ip}:${tor_socksport_mua} IsolateDestAddr
## SocksPort for Tails-specific applications
SocksPort ${internal_ip}:${tor_socksport_tails} IsolateDestAddr IsolateDestPort
## SocksPort for the default web browser
SocksPort ${internal_ip}:${tor_socksport_browser} IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## Onion traffic only SocksPorts
##
## SocksPort for .onion only applications
SocksPort ${internal_ip}:${tor_socksport_onion} OnionTrafficOnly IsolateDestAddr IsolateDestPort
## SocksPort for .onion only applications with socks authentication
SocksPort ${internal_ip}:${tor_socksport_onion_auth} OnionTrafficOnly IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## FIXME: ControlPort is disabled for security reasons
##
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9052
#ControlListenAddress ${internal_ip}

## Torified DNS
DNSPort ${internal_ip}:${tor_dnsport}
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

## Transparent proxy
TransPort ${internal_ip}:${tor_transport} IsolateDestAddr
## Disabled: deprecated option
#TransListenAddress ${internal_ip}

## Misc
AvoidDiskWrites 1

## Disabled: deprecated option
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
#WarnUnsafeSocks 0

## Disable default warnings on StartTLS for email. Let's not train our
## users to click through security warnings.
WarnPlaintextPorts 23,109

############################
### Local onion services ###
############################

## Example onion service configurations
##
## Uncomment HiddenServiceDir and HiddenServicePort to enable
## a Tor onion service. Make sure you use the right port and
## IP address combination. Check the hostname file to obtain the
## .onion hostname. Example .onion hostname: 2tbi9klopsalxaqq.onion
##
## You can only configure one onion service per HiddenServiceDir.
## If you want to run multiple onion services you need to create
## multiple HiddenServiceDirs. It is possible to forward multiple
## ports to the same .onion service.
##
## Example with two .onion services:
##
## HiddenServiceDir /var/tor/hidden_service/
## HiddenServicePort 22 127.0.0.1:22       # Single port
##
## HiddenServiceDir /var/tor/hidden_service_www/
## HiddenServicePort 80 127.0.0.1:80       # Multiple ports
## HiddenServicePort 443 127.0.0.1:443     # Multiple ports
## HiddenServicePort XYZ 127.0.0.1:XYZ     # Multiple ports
##
## Optional: Uncomment HiddenServiceAuthorizeClient to enable client
## authorization for an onion service.
## The authorization key and .onion address can be found in the
## hostname file. Clients need to add the authorization key to their
## local Tor torrc configuration with the 'HidServAuth' option.
##
## Example HidServAuth configuration for a Tor client:
## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb
##
## Optional: Uncomment HiddenServiceVersion 3 to configure next
## generation onion services which have better crypto and longer
## .onion hostnames. Requires Tor version 0.3.2.x or later.
## HiddenServiceVersion 3 is currently not compatible with
## HiddenServiceAuthorizeClient.

## Onion service for the SSH server on this system
#HiddenServiceDir /var/tor/hidden_service/
#HiddenServicePort 22 127.0.0.1:22
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the webserver on this system
#HiddenServiceDir /var/tor/hidden_service_www/
#HiddenServicePort 80 127.0.0.1:80
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the SSH server on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_ssh_${internal_server}/
#HiddenServicePort 22 ${internal_server}:22
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the webserver on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_www_${internal_server}/
#HiddenServicePort 80 ${internal_server}:80
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Bitcoin RPC wallet service on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_btc_rpc_${internal_server}/
#HiddenServicePort 8332 ${internal_server}:8332
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Bitcoin P2P blockchain sync on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_btc_p2p_${internal_server}/
#HiddenServicePort 8333 ${internal_server}:8333
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Monero P2P blockchain sync on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_xmr_p2p_${internal_server}/
#HiddenServicePort 18080 ${internal_server}:18080
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Monero RPC wallet service on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_xmr_rpc_${internal_server}/
#HiddenServicePort 18081 ${internal_server}:18081
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

#############################
### Remote onion services ###
#############################

## In this section you can configure the authorization data for
## stealth onion services that are hosted on a remote location.
## Local Tor socks clients will be able to use these onion services.
## The authorization key and .onion address can be found in the
## hostname file on the remote .onion service.
##
## Example:
## HidServAuth hostname.onion authorization-key
## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb

## Remote onion service 1
## Comment: Offsite backup system
#HidServAuth hostname.onion authorization-key

## Remote onion service 2
## Comment: Remote Monero system
#HidServAuth hostname.onion authorization-key

## Remote onion service 3
## Comment: Remote security monitoring system
#HidServAuth hostname.onion authorization-key

__EOF
# End of torrc configuration


#######################
### Immutable flags ###
#######################

cat <<__EOF>> /etc/set-immutable-flags.sh
#!/bin/sh

# Set immutable flags on files and folders

# See /etc/unset-immutable-flags.sh to (temporarily) disable
# immutable flags.

chflags schg / 2>/dev/null

chflags -R schg /altroot 2>/dev/null
chflags -R schg /bin 2>/dev/null
chflags -R schg /etc 2>/dev/null
chflags -R schg /home 2>/dev/null
chflags -R schg /mfs 2>/dev/null
chflags -R schg /mnt 2>/dev/null
chflags -R schg /root 2>/dev/null
chflags -R schg /sbin 2>/dev/null
chflags -R schg /usr 2>/dev/null

chflags schg /.cshrc 2>/dev/null
chflags schg /.profile 2>/dev/null
chflags schg /boot 2>/dev/null
chflags schg /bsd 2>/dev/null
chflags schg /bsd.mp 2>/dev/null
chflags schg /bsd.rd 2>/dev/null
chflags schg /bsd.sp 2>/dev/null
chflags schg /obsd 2>/dev/null

__EOF

cat <<__EOF>> /etc/unset-immutable-flags.sh
#!/bin/sh

# Remove immutable flags from files and folders

# How to temporarily remove immutable flags, make changes to the
# system and set immutable flags back again:
#
# kill -15 1
# mount -uw /
# /etc/unset-immutable-flags.sh
# export TERM=vt220
#
# /etc/set-immutable-flags.sh
# exit

chflags noschg / 2>/dev/null

chflags -R noschg /altroot 2>/dev/null
chflags -R noschg /bin 2>/dev/null
chflags -R noschg /etc 2>/dev/null
chflags -R noschg /home 2>/dev/null
chflags -R noschg /mfs 2>/dev/null
chflags -R noschg /mnt 2>/dev/null
chflags -R noschg /root 2>/dev/null
chflags -R noschg /sbin 2>/dev/null
chflags -R noschg /usr 2>/dev/null

chflags noschg /.cshrc 2>/dev/null
chflags noschg /.profile 2>/dev/null
chflags noschg /boot 2>/dev/null
chflags noschg /bsd 2>/dev/null
chflags noschg /bsd.mp 2>/dev/null
chflags noschg /bsd.rd 2>/dev/null
chflags noschg /bsd.sp 2>/dev/null
chflags noschg /obsd 2>/dev/null

__EOF

chmod 500 /etc/set-immutable-flags.sh
chmod 500 /etc/unset-immutable-flags.sh


###################################
### CONFIGURE /etc/rc.firsttime ###
###################################

# rc.firsttime will run once on the first normal boot

cat <<'__EOF'>> /etc/rc.firsttime

# Push custom cryptographic seed 2 into the kernel
if [[ -f /custom-random.seed2 ]]; then
    dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed2
fi

# Start Tor without network access and let it generate onion services
grep -q 'DisableNetwork 1' /etc/tor/torrc && /etc/rc.d/tor start

# Give Tor some time to generate the .onion services
sleep 10

# Stop Tor
/etc/rc.d/tor stop

# Cleanup Tor files
for i in lock state; do
    if [[ -f /var/tor/$i ]]; then
        rm -P /var/tor/$i
    fi
done

# Allow Tor onto the network
sed -i 's/DisableNetwork 1/DisableNetwork 0/' /etc/tor/torrc

# Enable Tor at boot
echo "pkg_scripts=tor" >> /etc/rc.conf.local

# Configure a random MAC address for the network interfaces
for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do
    echo "lladdr random" >> $i
done

# Import firmware files
if [[ -d /firmware ]]; then
    mv /firmware/* /etc/firmware/
    chown root:bin /etc/firmware/*
    chmod 0644 /etc/firmware/*
    rm -r /firmware
fi

# Install missing firmware
/usr/sbin/fw_update -v -p /etc/firmware/

##############################
## SAVE CRYPTOGRAPHIC SEEDS ##
##############################

# Push the old seed into the kernel, create a future seed and create a
# seed file for the boot loader.
dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
chmod 600 /var/db/host.random
dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
chmod 600 /etc/random.seed


##############################
## FILESYSTEM MODIFICATIONS ##
##############################

# Backup fstab
cp -p /etc/fstab /etc/fstab-orig

# Create /mfs directory
mkdir /mfs/

# Copy /var to /mfs
cp -rp /var /mfs/ || true
rm -r /mfs/var/run/* || true
rm -r /mfs/var/cache/* || true
rm -r /mfs/var/cron/tabs/*.sock || true

# Create /dev in /mfs
mkdir /mfs/dev
cp -p /dev/MAKEDEV /mfs/dev/
cd /mfs/dev/ && ./MAKEDEV all

# Add /tmp entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /tmp in RAM with 64MB" >> /etc/fstab
echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab

# Add /var entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /var in RAM with 64MB" >> /etc/fstab
echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0" >> /etc/fstab

# Add /dev entry (populated from /mfs/dev) to /etc/fstab
echo "" >> /etc/fstab
echo "# /dev in RAM" >> /etc/fstab
echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab

# Set all ffs filesystems to read-only
sed -i 's/ffs rw/ffs ro/' /etc/fstab

# Remove /etc/rc.firsttime.run
if [[ -f /etc/rc.firsttime.run ]]; then
    rm /etc/rc.firsttime.run
fi

# Set files and folders to immutable
/etc/set-immutable-flags.sh

# Automatic reboot
reboot

__EOF

# Remove archives
for i in /*.tgz; do
    if [[ -f $i ]]; then
        rm -P $i
    fi
done

# Remove install.site
if [[ -f /install.site ]]; then
    rm -P /install.site
fi

# Exit script
exit 0
--------------------------------------------------------------------------------
/templates/openbsd-gateway-tor-socks-only:
--------------------------------------------------------------------------------
#!/bin/ksh

set -u
set -e

# Variables
internal_ip="172.16.1.1"            # The IP for the Tor service
internal_server="172.16.1.2"        # An optional server in the internal network
internal_network="172.16.1.0"
internal_netmask="24"               # 24 = 255.255.255.0
tor_controlport="9052"
tor_dnsport="5353"
tor_transport="9040"
tor_socksport_default="9050"
tor_socksport_mua="9061"
tor_socksport_tails="9062"
tor_socksport_browser="9150"
tor_socksport_onion="9250"
tor_socksport_onion_auth="9350"
tor_username="_tor"
tor_onion_service_dirs="/hidden_service"
## TODO: Kovri/I2P
#i2p_socksport_default=""
#i2p_socksport_monero=""
#i2p_socksport_browser=""
#i2p_username=""
#i2p_service_dirs=""

echo ""
echo "### CUSTOM INSTALL SCRIPT ###"
echo ""

# Push custom cryptographic seed 1 into the kernel
if [[ -f /custom-random.seed1 ]]; then
    dd if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed1
fi

# Configure securelevel 2 on boot
echo "# Configure securelevel 2 on system boot" >> /etc/rc.local
echo "sysctl kern.securelevel=2" >> /etc/rc.local

# Disable library reordering on boot
echo "library_aslr=NO" >> /etc/rc.conf.local

# Disable sshd on boot
echo "sshd_flags=NO" >> /etc/rc.conf.local

# Disable ntpd on boot
echo "ntpd_flags=NO" >> /etc/rc.conf.local

# Disable ddb.panic to prevent securelevel changes
echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf
echo "ddb.panic=0" >> /etc/sysctl.conf


#################################
### PF FIREWALL CONFIGURATION ###
#################################

# Backup pf firewall configuration
cp /etc/pf.conf /etc/pf.conf-orig

# Configure pf firewall
cat <<__EOF> /etc/pf.conf

############
## TABLES ##
############

# RFC1918
table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Other non-routable ip addresses
table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

#############
## OPTIONS ##
#############

## Drop blocked packets
set block-policy drop

## Allow traffic on the loopback interface
set skip on lo

###################
## GENERAL RULES ##
###################

## Default deny policy
block

## Block ipv6 traffic
block quick inet6

###################
## ANTI SPOOFING ##
###################

## Antispoofing for external interface
antispoof quick for egress

## Block packets with wrong source interface
block in quick from urpf-failed

## Block packets with no route
block in quick from no-route

###########################
## TRAFFIC NORMALIZATION ##
###########################

## Scrub all incoming packets
match in all scrub (no-df max-mss 1440)

## Scrub outbound packets
match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)

###################
## INBOUND RULES ##
###################

## Allow inbound SSH traffic from ${internal_network} to ${internal_ip}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port 22 user root

## DISABLED: Tor controlport is disabled for security reasons
##
## Allow inbound traffic to Tor ControlPort ${tor_controlport}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_controlport} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_default}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_default} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_mua}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_mua} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_tails}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_tails} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_browser}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_browser} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion_auth}
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion_auth} user root

##############
## REDIRECT ##
##############

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Redirect DNS traffic from ${internal_network} to the Tor DNSPort
#pass in quick on ! egress inet proto udp from ${internal_network}/${internal_netmask} to ${internal_ip} port 53 rdr-to ${internal_ip} port ${tor_dnsport}

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Redirect all TCP traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any rdr-to ${internal_ip} port ${tor_transport}

## EXAMPLE RULES
##
## Example rules for a stricter firewall ruleset. You need to
## disable the 'Redirect all TCP traffic from ${internal_network} to
## the Tor TransPort' rule with a '#'

## Redirect SSH traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port 22 rdr-to ${internal_ip} port ${tor_transport}

## Redirect MAIL traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 25, 110, 143, 587, 993, 995 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect HTTP(S) traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 80, 443 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect XMPP and IRC traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 5222, 5223, 6667, 6697 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Bitcoin traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 8332, 8333, 18332, 18333 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Monero traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 18080, 18081, 28080, 28081 } rdr-to ${internal_ip} port ${tor_transport}

####################
## OUTBOUND RULES ##
####################

## Allow outbound traffic from this system to DHCP
#pass out quick on egress proto udp from (egress) port 68 to egress:network port 67

## Block all outbound traffic to RFC1918 local area network addresses
block out quick on egress inet from any to

## Block all outbound traffic to other non-routable addresses
block out quick on egress inet from any to

## Allow outbound traffic from Tor service
pass out quick on egress inet proto tcp from (egress) to any user ${tor_username}

##########################
## ONION SERVICES RULES ##
##########################

## Allow outbound traffic from Tor service to the SSH port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 22 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTP port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 80 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTPS port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 443 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin RPC port on
## onion service ${internal_server}
#pass out quick on !
egress inet proto tcp from ${internal_ip} to ${internal_server} port 8332 user ${tor_username} 225 | 226 | ## Allow outbound traffic from Tor service to the Bitcoin P2P port on 227 | ## onion service ${internal_server} 228 | #pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 8333 user ${tor_username} 229 | 230 | ## Allow outbound traffic from Tor service to the Monero P2P port on 231 | ## onion service ${internal_server} 232 | #pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18080 user ${tor_username} 233 | 234 | ## Allow outbound traffic from Tor service to the Monero RPC port on 235 | ## onion service ${internal_server} 236 | #pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18081 user ${tor_username} 237 | 238 | __EOF 239 | # End of pf firewall configuration 240 | 241 | 242 | ######################### 243 | ### TOR CONFIGURATION ### 244 | ######################### 245 | 246 | # Install packages during install 247 | pkg_add tor 248 | 249 | # Import manually created Tor onion services 250 | for i in "${tor_onion_service_dirs}"*; do 251 | if [[ -d $i ]]; then 252 | mv $i /var/tor/ 253 | chown -R "${tor_username}":"${tor_username}" /var/tor/$i 254 | chmod 0700 /var/tor/$i 255 | chmod 0600 /var/tor/$i/* 256 | echo "$i is deployed in /var/tor/" 257 | fi 258 | done 259 | 260 | # Backup Tor configuration 261 | cp /etc/tor/torrc /etc/tor/torrc-orig 262 | 263 | # Configure Tor 264 | cat <<__EOF>> /etc/tor/torrc 265 | 266 | ## Do not remove or edit DisableNetwork. This is part of the 267 | ## installation process. 
DisableNetwork 1

################################################
### Customizations based on torrc from Tails ###
################################################

## Disable all SocksPort connections
#SocksPort 0

## Default SocksPort
SocksPort ${internal_ip}:${tor_socksport_default} IsolateDestAddr IsolateDestPort
## SocksPort for the MUA
SocksPort ${internal_ip}:${tor_socksport_mua} IsolateDestAddr
## SocksPort for Tails-specific applications
SocksPort ${internal_ip}:${tor_socksport_tails} IsolateDestAddr IsolateDestPort
## SocksPort for the default web browser
SocksPort ${internal_ip}:${tor_socksport_browser} IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## Onion traffic only SocksPorts
##
## SocksPort for .onion only applications
SocksPort ${internal_ip}:${tor_socksport_onion} OnionTrafficOnly IsolateDestAddr IsolateDestPort
## SocksPort for .onion only applications with socks authentication
SocksPort ${internal_ip}:${tor_socksport_onion_auth} OnionTrafficOnly IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## FIXME: ControlPort is disabled for security reasons
##
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9052
#ControlListenAddress ${internal_ip}

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Torified DNS
#DNSPort ${internal_ip}:${tor_dnsport}
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Transparent proxy
#TransPort ${internal_ip}:${tor_transport} IsolateDestAddr # Plus IsolateDestAddr
## Disabled: deprecated option
#TransListenAddress ${internal_ip}

## Misc
AvoidDiskWrites 1

## Disabled: deprecated option
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
#WarnUnsafeSocks 0

## Disable default warnings on StartTLS for email. Let's not train our
## users to click through security warnings.
WarnPlaintextPorts 23,109

############################
### Local onion services ###
############################

## Example onion service configurations
##
## Uncomment HiddenServiceDir and HiddenServicePort to enable
## a Tor onion service. Make sure you use the right port and
## IP address combination. Check the hostname file to obtain the
## .onion hostname. Example .onion hostname: 2tbi9klopsalxaqq.onion
##
## You can only configure one onion service per HiddenServiceDir.
## If you want to run multiple onion services you need to create
## multiple HiddenServiceDirs. It is possible to forward multiple
## ports to the same .onion service.
##
## Example with two .onion services:
##
## HiddenServiceDir /var/tor/hidden_service/
## HiddenServicePort 22 127.0.0.1:22 # Single port
##
## HiddenServiceDir /var/tor/hidden_service_www/
## HiddenServicePort 80 127.0.0.1:80 # Multiple ports
## HiddenServicePort 443 127.0.0.1:443 # Multiple ports
## HiddenServicePort XYZ 127.0.0.1:XYZ # Multiple ports
##
## Optional: Uncomment HiddenServiceAuthorizeClient to enable client
## authorization for an onion service.
## The authorization key and .onion address can be found in the
## hostname file. Clients need to add the authorization key to their
## local Tor torrc configuration with the 'HidServAuth' option.
##
## Example HidServAuth configuration for a Tor client:
## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb
##
## Optional: Uncomment HiddenServiceVersion 3 to configure next
## generation onion services which have better crypto and longer
## .onion hostnames. Requires Tor version 0.3.2.x or later.
## HiddenServiceVersion 3 is currently not compatible with
## HiddenServiceAuthorizeClient.

## Onion service for the SSH server on this system
#HiddenServiceDir /var/tor/hidden_service/
#HiddenServicePort 22 127.0.0.1:22
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the webserver on this system
#HiddenServiceDir /var/tor/hidden_service_www/
#HiddenServicePort 80 127.0.0.1:80
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the SSH server on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_ssh_${internal_server}/
#HiddenServicePort 22 ${internal_server}:22
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the webserver on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_www_${internal_server}/
#HiddenServicePort 80 ${internal_server}:80
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Bitcoin RPC wallet service on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_btc_rpc_${internal_server}/
#HiddenServicePort 8332 ${internal_server}:8332
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Bitcoin P2P blockchain sync on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_btc_p2p_${internal_server}/
#HiddenServicePort 8333 ${internal_server}:8333
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Monero P2P blockchain sync on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_xmr_p2p_${internal_server}/
#HiddenServicePort 18080 ${internal_server}:18080
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Monero RPC wallet service on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_xmr_rpc_${internal_server}/
#HiddenServicePort 18081 ${internal_server}:18081
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

#############################
### Remote onion services ###
#############################

## In this section you can configure the authorization data for
## stealth onion services that are hosted on a remote location.
## Local Tor socks clients will be able to use these onion services.
## The authorization key and .onion address can be found in the
## hostname file on the remote .onion service.
##
## Example:
## HidServAuth hostname.onion authorization-key
## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb

## Remote onion service 1
## Comment: Offsite backup system
#HidServAuth hostname.onion authorization-key

## Remote onion service 2
## Comment: Remote Monero system
#HidServAuth hostname.onion authorization-key

## Remote onion service 3
## Comment: Remote security monitoring system
#HidServAuth hostname.onion authorization-key

__EOF
# End of torrc configuration


#######################
### Immutable flags ###
#######################

cat <<__EOF>> /etc/set-immutable-flags.sh
#!/bin/sh

# Set immutable flags on files and folders

# See /etc/unset-immutable-flags.sh to (temporarily) disable
# immutable flags.

chflags schg / 2>/dev/null

chflags -R schg /altroot 2>/dev/null
chflags -R schg /bin 2>/dev/null
chflags -R schg /etc 2>/dev/null
chflags -R schg /home 2>/dev/null
chflags -R schg /mfs 2>/dev/null
chflags -R schg /mnt 2>/dev/null
chflags -R schg /root 2>/dev/null
chflags -R schg /sbin 2>/dev/null
chflags -R schg /usr 2>/dev/null

chflags schg /.cshrc 2>/dev/null
chflags schg /.profile 2>/dev/null
chflags schg /boot 2>/dev/null
chflags schg /bsd 2>/dev/null
chflags schg /bsd.mp 2>/dev/null
chflags schg /bsd.rd 2>/dev/null
chflags schg /bsd.sp 2>/dev/null
chflags schg /obsd 2>/dev/null

__EOF

cat <<__EOF>> /etc/unset-immutable-flags.sh
#!/bin/sh

# Remove immutable flags from files and folders

# How to temporarily remove immutable flags, make changes to the
# system and set immutable flags back again:
#
# kill -15 1
# mount -uw /
# /etc/unset-immutable-flags.sh
# export TERM=vt220
#
# /etc/set-immutable-flags.sh
# exit

chflags noschg / 2>/dev/null

chflags -R noschg /altroot 2>/dev/null
chflags -R noschg /bin 2>/dev/null
chflags -R noschg /etc 2>/dev/null
chflags -R noschg /home 2>/dev/null
chflags -R noschg /mfs 2>/dev/null
chflags -R noschg /mnt 2>/dev/null
chflags -R noschg /root 2>/dev/null
chflags -R noschg /sbin 2>/dev/null
chflags -R noschg /usr 2>/dev/null

chflags noschg /.cshrc 2>/dev/null
chflags noschg /.profile 2>/dev/null
chflags noschg /boot 2>/dev/null
chflags noschg /bsd 2>/dev/null
chflags noschg /bsd.mp 2>/dev/null
chflags noschg /bsd.rd 2>/dev/null
chflags noschg /bsd.sp 2>/dev/null
chflags noschg /obsd 2>/dev/null

__EOF

chmod 500 /etc/set-immutable-flags.sh
chmod 500 /etc/unset-immutable-flags.sh


###################################
### CONFIGURE /etc/rc.firsttime ###
###################################

# rc.firsttime will run once on the first normal boot

cat <<'__EOF'>> /etc/rc.firsttime

# Push custom cryptographic seed 2 into the kernel
if [[ -f /custom-random.seed2 ]]; then
  dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none
  rm -P /custom-random.seed2
fi

# Start Tor without network access and let it generate onion services
grep -q 'DisableNetwork 1' /etc/tor/torrc && /etc/rc.d/tor start

# Give Tor some time to generate the .onion services
sleep 10

# Stop Tor
/etc/rc.d/tor stop

# Cleanup Tor files
for i in lock state; do
  if [[ -f /var/tor/$i ]]; then
    rm -P /var/tor/$i
  fi
done

# Allow Tor to access the network
sed -i 's/DisableNetwork 1/DisableNetwork 0/' /etc/tor/torrc

# Enable Tor at boot
echo "pkg_scripts=tor" >> /etc/rc.conf.local

# Configure a random mac address for the network interfaces
for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do
  echo "lladdr random" >> $i
done

# Import firmware files
if [[ -d /firmware ]]; then
  mv /firmware/* /etc/firmware/
  chown root:bin /etc/firmware/*
  chmod 0644 /etc/firmware/*
  rm -r /firmware
fi

# Install missing firmware
/usr/sbin/fw_update -v -p /etc/firmware/

##############################
## SAVE CRYPTOGRAPHIC SEEDS ##
##############################

# Push old seed into the kernel, create a future seed and create a
# seed file for the boot-loader.
dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
chmod 600 /var/db/host.random
dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
chmod 600 /etc/random.seed


##############################
## FILESYSTEM MODIFICATIONS ##
##############################

# Backup fstab
cp -p /etc/fstab /etc/fstab-orig

# Create /mfs directory
mkdir /mfs/

# Copy /var to /mfs
cp -rp /var /mfs/ || true
rm -r /mfs/var/run/* || true
rm -r /mfs/var/cache/* || true
rm -r /mfs/var/cron/tabs/*.sock || true

# Create /dev in /mfs
mkdir /mfs/dev
cp -p /dev/MAKEDEV /mfs/dev/
cd /mfs/dev/ && ./MAKEDEV all

# Add /tmp entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /tmp in RAM with 64MB" >> /etc/fstab
echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab

# Add /var entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /var in RAM with 64MB" >> /etc/fstab
echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0" >> /etc/fstab

# Add /mfs/dev entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /dev in RAM" >> /etc/fstab
echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab

# Set all ffs filesystems to read-only
sed -i 's/ffs rw/ffs ro/' /etc/fstab

# Remove /etc/rc.firsttime.run
if [[ -f /etc/rc.firsttime.run ]]; then
  rm /etc/rc.firsttime.run
fi

# Set files and folders to immutable
/etc/set-immutable-flags.sh

# Automatic reboot
reboot

__EOF

# Remove archives
for i in /*.tgz; do
  if [[ -f $i ]]; then
    rm -P $i
  fi
done

# Remove install.site
if [[ -f /install.site ]]; then
  rm -P /install.site
fi

# Exit script
exit 0
--------------------------------------------------------------------------------
/templates/openbsd-gateway-tor-transparent-only:
--------------------------------------------------------------------------------
#!/bin/ksh

set -u
set -e

# Variables
internal_ip="172.16.1.1" # The IP for the Tor service
internal_server="172.16.1.2" # An optional server in the internal network
internal_network="172.16.1.0"
internal_netmask="24" # 24 = 255.255.255.0
tor_controlport="9052"
tor_dnsport="5353"
tor_transport="9040"
tor_socksport_default="9050"
tor_socksport_mua="9061"
tor_socksport_tails="9062"
tor_socksport_browser="9150"
tor_socksport_onion="9250"
tor_socksport_onion_auth="9350"
tor_username="_tor"
tor_onion_service_dirs="/hidden_service"
## TODO: Kovri/I2P
#i2p_socksport_default=""
#i2p_socksport_monero=""
#i2p_socksport_browser=""
#i2p_username=""
#i2p_service_dirs=""

echo ""
echo "### CUSTOM INSTALL SCRIPT ###"
echo ""

# Push custom cryptographic seed 1 into the kernel
if [[ -f /custom-random.seed1 ]]; then
  dd if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none
  rm -P /custom-random.seed1
fi

# Configure securelevel 2 on boot
echo "# Configure securelevel 2 on system boot" >> /etc/rc.local
echo "sysctl kern.securelevel=2" >> /etc/rc.local

# Disable library reordering on boot
echo "library_aslr=NO" >> /etc/rc.conf.local

# Disable sshd on boot
echo "sshd_flags=NO" >> /etc/rc.conf.local

# Disable ntpd on boot
echo "ntpd_flags=NO" >> /etc/rc.conf.local

# Disable ddb.panic to prevent securelevel changes
echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf
echo "ddb.panic=0" >> /etc/sysctl.conf


#################################
### PF FIREWALL CONFIGURATION ###
#################################

# Backup pf firewall configuration
cp /etc/pf.conf /etc/pf.conf-orig

# Configure pf firewall
cat <<__EOF> /etc/pf.conf

############
## TABLES ##
############

# RFC1918
table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Other non-routable ip addresses
table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

#############
## OPTIONS ##
#############

## Drop blocked packets
set block-policy drop

## Allow traffic on the loopback interface
set skip on lo

###################
## GENERAL RULES ##
###################

## Default deny policy
block

## Block ipv6 traffic
block quick inet6

###################
## ANTI SPOOFING ##
###################

## Antispoofing for the external interface
antispoof quick for egress

## Block packets with wrong source interface
block in quick from urpf-failed

## Block packets with no route
block in quick from no-route

###########################
## TRAFFIC NORMALIZATION ##
###########################

## Scrub all incoming packets
match in all scrub (no-df max-mss 1440)

## Scrub outbound packets
match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)

###################
## INBOUND RULES ##
###################

## Allow inbound SSH traffic from ${internal_network} to ${internal_ip}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port 22 user root

## DISABLED: Tor controlport is disabled for security reasons
##
## Allow inbound traffic to Tor ControlPort ${tor_controlport}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_controlport} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_default}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_default} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_mua}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_mua} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_tails}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_tails} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_browser}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_browser} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion_auth}
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to ${internal_ip} port ${tor_socksport_onion_auth} user root

####################
## REDIRECT RULES ##
####################

## Redirect DNS traffic from ${internal_network} to the Tor DNSPort
pass in quick on ! egress inet proto udp from ${internal_network}/${internal_netmask} to ${internal_ip} port 53 rdr-to ${internal_ip} port ${tor_dnsport}

## Redirect all TCP traffic from ${internal_network} to the Tor TransPort
pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any rdr-to ${internal_ip} port ${tor_transport}

## EXAMPLE RULES
##
## Example rules for a stricter firewall ruleset. You need to
## disable the 'Redirect all TCP traffic from ${internal_network} to
## the Tor TransPort' rule with a '#'

## Redirect SSH traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port 22 rdr-to ${internal_ip} port ${tor_transport}

## Redirect MAIL traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 25, 110, 143, 587, 993, 995 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect HTTP(S) traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 80, 443 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect XMPP and IRC traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 5222, 5223, 6667, 6697 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Bitcoin traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 8332, 8333, 18332, 18333 } rdr-to ${internal_ip} port ${tor_transport}

## Redirect Monero traffic from ${internal_network} to the Tor TransPort
#pass in quick on ! egress inet proto tcp from ${internal_network}/${internal_netmask} to any port { 18080, 18081, 28080, 28081 } rdr-to ${internal_ip} port ${tor_transport}

####################
## OUTBOUND RULES ##
####################

## Allow outbound traffic from this system to DHCP
#pass out quick on egress proto udp from (egress) port 68 to egress:network port 67

## Block all outbound traffic to RFC1918 local area network addresses
block out quick on egress inet from any to

## Block all outbound traffic to other non-routable addresses
block out quick on egress inet from any to

## Allow outbound traffic from Tor service
pass out quick on egress inet proto tcp from (egress) to any user ${tor_username}

##########################
## ONION SERVICES RULES ##
##########################

## Allow outbound traffic from Tor service to the SSH port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 22 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTP port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 80 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTPS port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 443 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin RPC port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 8332 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin P2P port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 8333 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero P2P port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18080 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero RPC port on
## onion service ${internal_server}
#pass out quick on ! egress inet proto tcp from ${internal_ip} to ${internal_server} port 18081 user ${tor_username}

__EOF
# End of pf firewall configuration


#########################
### TOR CONFIGURATION ###
#########################

# Install packages during install
pkg_add tor

# Import manually created Tor onion services
for i in "${tor_onion_service_dirs}"*; do
  if [[ -d $i ]]; then
    mv $i /var/tor/
    chown -R "${tor_username}":"${tor_username}" /var/tor/$i
    chmod 0700 /var/tor/$i
    chmod 0600 /var/tor/$i/*
    echo "$i is deployed in /var/tor/"
  fi
done

# Backup Tor configuration
cp /etc/tor/torrc /etc/tor/torrc-orig

# Configure Tor
cat <<__EOF>> /etc/tor/torrc

## Do not remove or edit DisableNetwork. This is part of the
## installation process.
DisableNetwork 1

################################################
### Customizations based on torrc from Tails ###
################################################

## Disable all SocksPort connections
SocksPort 0

## DISABLED: This is a transparent Tor proxy
##
## Default SocksPort
#SocksPort ${internal_ip}:${tor_socksport_default} IsolateDestAddr IsolateDestPort
## SocksPort for the MUA
#SocksPort ${internal_ip}:${tor_socksport_mua} IsolateDestAddr
## SocksPort for Tails-specific applications
#SocksPort ${internal_ip}:${tor_socksport_tails} IsolateDestAddr IsolateDestPort
## SocksPort for the default web browser
#SocksPort ${internal_ip}:${tor_socksport_browser} IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## Onion traffic only SocksPorts
##
## SocksPort for .onion only applications
#SocksPort ${internal_ip}:${tor_socksport_onion} OnionTrafficOnly IsolateDestAddr IsolateDestPort
## SocksPort for .onion only applications with socks authentication
#SocksPort ${internal_ip}:${tor_socksport_onion_auth} OnionTrafficOnly IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## FIXME: ControlPort is disabled for security reasons
##
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9052
#ControlListenAddress ${internal_ip}

## Torified DNS
DNSPort ${internal_ip}:${tor_dnsport}
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

## Transparent proxy
TransPort ${internal_ip}:${tor_transport} IsolateDestAddr # Plus IsolateDestAddr
## Disabled: deprecated option
#TransListenAddress ${internal_ip}

## Misc
AvoidDiskWrites 1

## Disabled: deprecated option
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
#WarnUnsafeSocks 0

## Disable default warnings on StartTLS for email. Let's not train our
## users to click through security warnings.
WarnPlaintextPorts 23,109

############################
### Local onion services ###
############################

## Example onion service configurations
##
## Uncomment HiddenServiceDir and HiddenServicePort to enable
## a Tor onion service. Make sure you use the right port and
## IP address combination. Check the hostname file to obtain the
## .onion hostname. Example .onion hostname: 2tbi9klopsalxaqq.onion
##
## You can only configure one onion service per HiddenServiceDir.
## If you want to run multiple onion services you need to create
## multiple HiddenServiceDirs. It is possible to forward multiple
## ports to the same .onion service.
345 | ## 346 | ## Example with two .onion services: 347 | ## 348 | ## HiddenServiceDir /var/tor/hidden_service/ 349 | ## HiddenServicePort 22 127.0.0.1:22 # Single port 350 | ## 351 | ## HiddenServiceDir /var/tor/hidden_service_www/ 352 | ## HiddenServicePort 80 127.0.0.1:80 # Multiple ports 353 | ## HiddenServicePort 443 127.0.0.1:443 # Multiple ports 354 | ## HiddenServicePort XYZ 127.0.0.1:XYZ # Multiple ports 355 | ## 356 | ## Optional: Uncomment HiddenServiceAuthorizeClient to enable client 357 | ## authorization for an onion service. 358 | ## The authorization key and .onion address can be found in the 359 | ## hostname file. Clients need to add the authorization key to their 360 | ## local Tor torrc configuration with the 'HidServAuth' option. 361 | ## 362 | ## Example HidServAuth configuration for a Tor client: 363 | ## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb 364 | ## 365 | ## Optional: Uncomment HiddenServiceVersion 3 to configure next 366 | ## generation onion services which have better crypto and longer 367 | ## .onion hostnames. Requires Tor version 0.3.2.x or later. 368 | ## HiddenServiceVersion 3 is currently not compatible with 369 | ## HiddenServiceAuthorizeClient. 
370 | 371 | ## Onion service for the SSH server on this system 372 | #HiddenServiceDir /var/tor/hidden_service/ 373 | #HiddenServicePort 22 127.0.0.1:22 374 | ## Optional client authorization for three clients 375 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 376 | ## Optional version 3 next generation .onion service 377 | #HiddenServiceVersion 3 378 | 379 | ## Onion service for the webserver on this system 380 | #HiddenServiceDir /var/tor/hidden_service_www/ 381 | #HiddenServicePort 80 127.0.0.1:80 382 | ## Optional client authorization for three clients 383 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 384 | ## Optional version 3 next generation .onion service 385 | #HiddenServiceVersion 3 386 | 387 | ## Onion service for the SSH server on ${internal_server} 388 | #HiddenServiceDir /var/tor/hidden_service_ssh_${internal_server}/ 389 | #HiddenServicePort 22 ${internal_server}:22 390 | ## Optional client authorization for three clients 391 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 392 | ## Optional version 3 next generation .onion service 393 | #HiddenServiceVersion 3 394 | 395 | ## Onion service for the webserver on ${internal_server} 396 | #HiddenServiceDir /var/tor/hidden_service_www_${internal_server}/ 397 | #HiddenServicePort 80 ${internal_server}:80 398 | ## Optional client authorization for three clients 399 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 400 | ## Optional version 3 next generation .onion service 401 | #HiddenServiceVersion 3 402 | 403 | ## Onion service for the Bitcoin RPC wallet service on ${internal_server} 404 | #HiddenServiceDir /var/tor/hidden_service_btc_rpc_${internal_server}/ 405 | #HiddenServicePort 8332 ${internal_server}:8332 406 | ## Optional client authorization for three clients 407 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 408 | ## Optional version 3 next generation .onion service 409 | #HiddenServiceVersion 3 410 | 411 | ## Onion 
service for the Bitcoin P2P blockchain sync on ${internal_server} 412 | #HiddenServiceDir /var/tor/hidden_service_btc_p2p_${internal_server}/ 413 | #HiddenServicePort 8333 ${internal_server}:8333 414 | ## Optional client authorization for three clients 415 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 416 | ## Optional version 3 next generation .onion service 417 | #HiddenServiceVersion 3 418 | 419 | ## Onion service for the Monero P2P blockchain sync on ${internal_server} 420 | #HiddenServiceDir /var/tor/hidden_service_xmr_p2p_${internal_server}/ 421 | #HiddenServicePort 18080 ${internal_server}:18080 422 | ## Optional client authorization for three clients 423 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 424 | ## Optional version 3 next generation .onion service 425 | #HiddenServiceVersion 3 426 | 427 | ## Onion service for the Monero RPC wallet service on ${internal_server} 428 | #HiddenServiceDir /var/tor/hidden_service_xmr_rpc_${internal_server}/ 429 | #HiddenServicePort 18081 ${internal_server}:18081 430 | ## Optional client authorization for three clients 431 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 432 | ## Optional version 3 next generation .onion service 433 | #HiddenServiceVersion 3 434 | 435 | ############################# 436 | ### Remote onion services ### 437 | ############################# 438 | 439 | ## In this section you can configure the authorization data for 440 | ## stealth onion services that are hosted on a remote location. 441 | ## Local Tor socks clients will be able to use these onion services. 442 | ## The authorization key and .onion address can be found in the 443 | ## hostname file on the remote .onion service. 
444 | ## 445 | ## Example: 446 | ## HidServAuth hostname.onion authorization-key 447 | ## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb 448 | 449 | ## Remote onion service 1 450 | ## Comment: Offsite backup system 451 | #HidServAuth hostname.onion authorization-key 452 | 453 | ## Remote onion service 2 454 | ## Comment: Remote Monero system 455 | #HidServAuth hostname.onion authorization-key 456 | 457 | ## Remote onion service 3 458 | ## Comment: Remote security monitoring system 459 | #HidServAuth hostname.onion authorization-key 460 | 461 | __EOF 462 | # End of torrc configuration 463 | 464 | ####################### 465 | ### Immutable flags ### 466 | ####################### 467 | 468 | cat <<__EOF>> /etc/set-immutable-flags.sh 469 | #!/bin/sh 470 | 471 | # Set immutable flags on files and folders 472 | 473 | # See /etc/unset-immutable-flags.sh to (temporarily) disable 474 | # immutable flags. 475 | 476 | chflags schg / 2>/dev/null 477 | 478 | chflags -R schg /altroot 2>/dev/null 479 | chflags -R schg /bin 2>/dev/null 480 | chflags -R schg /etc 2>/dev/null 481 | chflags -R schg /home 2>/dev/null 482 | chflags -R schg /mfs 2>/dev/null 483 | chflags -R schg /mnt 2>/dev/null 484 | chflags -R schg /root 2>/dev/null 485 | chflags -R schg /sbin 2>/dev/null 486 | chflags -R schg /usr 2>/dev/null 487 | 488 | chflags schg /.cshrc 2>/dev/null 489 | chflags schg /.profile 2>/dev/null 490 | chflags schg /boot 2>/dev/null 491 | chflags schg /bsd 2>/dev/null 492 | chflags schg /bsd.mp 2>/dev/null 493 | chflags schg /bsd.rd 2>/dev/null 494 | chflags schg /bsd.sp 2>/dev/null 495 | chflags schg /obsd 2>/dev/null 496 | 497 | __EOF 498 | 499 | cat <<__EOF>> /etc/unset-immutable-flags.sh 500 | #!/bin/sh 501 | 502 | # Remove immutable flags from files and folders 503 | 504 | # How to temporarily remove immutable flags, make changes to the 505 | # system and set immutable flags back again: 506 | # 507 | # kill -15 1 508 | # mount -uw / 509 | # /etc/unset-immutable-flags.sh 
510 | # export TERM=vt220 511 | # 512 | # /etc/set-immutable-flags.sh 513 | # exit 514 | 515 | chflags noschg / 2>/dev/null 516 | 517 | chflags -R noschg /altroot 2>/dev/null 518 | chflags -R noschg /bin 2>/dev/null 519 | chflags -R noschg /etc 2>/dev/null 520 | chflags -R noschg /home 2>/dev/null 521 | chflags -R noschg /mfs 2>/dev/null 522 | chflags -R noschg /mnt 2>/dev/null 523 | chflags -R noschg /root 2>/dev/null 524 | chflags -R noschg /sbin 2>/dev/null 525 | chflags -R noschg /usr 2>/dev/null 526 | 527 | chflags noschg /.cshrc 2>/dev/null 528 | chflags noschg /.profile 2>/dev/null 529 | chflags noschg /boot 2>/dev/null 530 | chflags noschg /bsd 2>/dev/null 531 | chflags noschg /bsd.mp 2>/dev/null 532 | chflags noschg /bsd.rd 2>/dev/null 533 | chflags noschg /bsd.sp 2>/dev/null 534 | chflags noschg /obsd 2>/dev/null 535 | 536 | __EOF 537 | 538 | chmod 500 /etc/set-immutable-flags.sh 539 | chmod 500 /etc/unset-immutable-flags.sh 540 | 541 | 542 | ################################### 543 | ### CONFIGURE /etc/rc.firsttime ### 544 | ################################### 545 | 546 | # rc.firsttime will run once on the first normal boot 547 | 548 | cat <<'__EOF'>> /etc/rc.firsttime 549 | 550 | # Push custom cryptographic seed 2 into the kernel 551 | if [[ -f /custom-random.seed2 ]]; then 552 | dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none 553 | rm -P /custom-random.seed2 554 | fi 555 | 556 | # Start Tor without network access and let it generate onion services 557 | grep -q 'DisableNetwork 1' /etc/tor/torrc && /etc/rc.d/tor start 558 | 559 | # Give Tor some time to generate the .onion services 560 | sleep 10 561 | 562 | # Stop Tor 563 | /etc/rc.d/tor stop 564 | 565 | # Cleanup Tor files 566 | for i in lock state; do 567 | if [[ -f /var/tor/$i ]]; then 568 | rm -P /var/tor/$i 569 | fi 570 | done 571 | 572 | # Allow Tor to the network 573 | sed -i 's/DisableNetwork 1/DisableNetwork 0/' /etc/tor/torrc 574 | 575 | # Enable Tor at boot 576 | echo 
"pkg_scripts=tor" >> /etc/rc.conf.local 577 | 578 | # Configure random mac address for network interfaces 579 | for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do 580 | echo "lladdr random" >> $i 581 | done 582 | 583 | # Import firmware files 584 | if [[ -d /firmware ]]; then 585 | mv /firmware/* /etc/firmware/ 586 | chown root:bin /etc/firmware/* 587 | chmod 0644 /etc/firmware/* 588 | rm -r /firmware 589 | fi 590 | 591 | # Install missing firmware 592 | /usr/sbin/fw_update -v -p /etc/firmware/ 593 | 594 | ############################## 595 | ## SAVE CRYPTOGRAPHIC SEEDS ## 596 | ############################## 597 | 598 | # Push old seed into the kernel, create a future seed and create a 599 | # seed file for the boot-loader. 600 | dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none 601 | chmod 600 /var/db/host.random 602 | dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none 603 | dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none 604 | chmod 600 /etc/random.seed 605 | 606 | 607 | ############################## 608 | ## FILESYSTEM MODIFICATIONS ## 609 | ############################## 610 | 611 | # Backup fstab 612 | cp -p /etc/fstab /etc/fstab-orig 613 | 614 | # Create /mfs directory 615 | mkdir /mfs/ 616 | 617 | # Copy /var to /mfs 618 | cp -rp /var /mfs/ || true 619 | rm -r /mfs/var/run/* || true 620 | rm -r /mfs/var/cache/* || true 621 | rm -r /mfs/var/cron/tabs/*.sock || true 622 | 623 | # Create /dev in /mfs 624 | mkdir /mfs/dev 625 | cp -p /dev/MAKEDEV /mfs/dev/ 626 | cd /mfs/dev/ && ./MAKEDEV all 627 | 628 | # Add /tmp entry to /etc/stab 629 | echo "" >> /etc/fstab 630 | echo "# /tmp in RAM with 64MB" >> /etc/fstab 631 | echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab 632 | 633 | # Add /var entry to /etc/stab 634 | echo "" >> /etc/fstab 635 | echo "# /var in RAM with 64MB" >> /etc/fstab 636 | echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0" >> /etc/fstab 637 | 638 | 
# Add /mfs/dev entry to /etc/fstab 639 | echo "" >> /etc/fstab 640 | echo "# /dev in RAM" >> /etc/fstab 641 | echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab 642 | 643 | # Set all ffs filesystems to read-only 644 | sed -i 's/ffs rw/ffs ro/' /etc/fstab 645 | 646 | # Remove /etc/rc.firsttime.run 647 | if [[ -f /etc/rc.firsttime.run ]]; then 648 | rm /etc/rc.firsttime.run 649 | fi 650 | 651 | # Set files and folders to immutable 652 | /etc/set-immutable-flags.sh 653 | 654 | # Automatic reboot 655 | reboot 656 | 657 | __EOF 658 | 659 | # Remove archives 660 | for i in /*.tgz; do 661 | if [[ -f $i ]]; then 662 | rm -P $i 663 | fi 664 | done 665 | 666 | # Remove install.site 667 | if [[ -f /install.site ]]; then 668 | rm -P /install.site 669 | fi 670 | 671 | # Exit script 672 | exit 0 673 | -------------------------------------------------------------------------------- /templates/openbsd-single-network-card-tor-socks-and-transparent: -------------------------------------------------------------------------------- 1 | #!/bin/ksh 2 | 3 | set -u 4 | set -e 5 | 6 | # Variables 7 | internal_ip="0.0.0.0" # The IP for the Tor service 8 | internal_server="172.16.1.2" # An optional server 9 | internal_network="0.0.0.0" 10 | internal_netmask="0" # 0 = All 11 | tor_controlport="9052" 12 | tor_dnsport="5353" 13 | tor_transport="9040" 14 | tor_socksport_default="9050" 15 | tor_socksport_mua="9061" 16 | tor_socksport_tails="9062" 17 | tor_socksport_browser="9150" 18 | tor_socksport_onion="9250" 19 | tor_socksport_onion_auth="9350" 20 | tor_username="_tor" 21 | tor_onion_service_dirs="/hidden_service" 22 | ## TODO: Kovri/I2P 23 | #i2p_socksport_default="" 24 | #i2p_socksport_monero="" 25 | #i2p_socksport_browser="" 26 | #i2p_username="" 27 | #i2p_service_dirs="" 28 | 29 | echo "" 30 | echo "### CUSTOM INSTALL SCRIPT ###" 31 | echo "" 32 | 33 | # Push custom cryptographic seed 1 into the kernel 34 | if [[ -f /custom-random.seed1 ]]; then 35 | dd 
if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none 36 | rm -P /custom-random.seed1 37 | fi 38 | 39 | # Configure securelevel 2 on boot 40 | echo "# Configure securelevel 2 on system boot" >> /etc/rc.local 41 | echo "sysctl kern.securelevel=2" >> /etc/rc.local 42 | 43 | # Disable library reordering on boot 44 | echo "library_aslr=NO" >> /etc/rc.conf.local 45 | 46 | # Disable sshd on boot 47 | echo "sshd_flags=NO" >> /etc/rc.conf.local 48 | 49 | # Disable ntpd on boot 50 | echo "ntpd_flags=NO" >> /etc/rc.conf.local 51 | 52 | # Disable ddb.panic to prevent securelevel changes 53 | echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf 54 | echo "ddb.panic=0" >> /etc/sysctl.conf 55 | 56 | 57 | ################################# 58 | ### PF FIREWALL CONFIGURATION ### 59 | ################################# 60 | 61 | # Backup pf firewall configuration 62 | cp /etc/pf.conf /etc/pf.conf-orig 63 | 64 | # Configure pf firewall 65 | cat <<__EOF> /etc/pf.conf 66 | 67 | ############ 68 | ## TABLES ## 69 | ############ 70 | 71 | # RFC1918 72 | table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } 73 | 74 | # Other non-routable ip addresses 75 | table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 } 76 | 77 | ############# 78 | ## OPTIONS ## 79 | ############# 80 | 81 | ## Drop blocked packets 82 | set block-policy drop 83 | 84 | ## Allow traffic loopback interface 85 | set skip on lo 86 | 87 | ################### 88 | ## GENERAL RULES ## 89 | ################### 90 | 91 | ## Default deny policy 92 | block 93 | 94 | ## Block ipv6 traffic 95 | block quick inet6 96 | 97 | ################### 98 | ## ANTI SPOOFING ## 99 | ################### 100 | 101 | ## Antispoofing for external interface 102 | antispoof quick for egress 103 | 104 | ## Block packets with wrong source interface 105 | block 
in quick from urpf-failed 106 | 107 | ## Block packets with no route 108 | block in quick from no-route 109 | 110 | ########################### 111 | ## TRAFFIC NORMALIZATION ## 112 | ########################### 113 | 114 | ## Scrub all incoming packets 115 | match in all scrub (no-df max-mss 1440) 116 | 117 | ## Scrub outbound packets 118 | match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440) 119 | 120 | ################### 121 | ## INBOUND RULES ## 122 | ################### 123 | 124 | ## Allow inbound SSH traffic 125 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port 22 user root 126 | 127 | ## DISABLED: Tor controlport is disabled for security reasons 128 | ## 129 | ## Allow inbound traffic to Tor ControlPort ${tor_controlport} 130 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_controlport} user root 131 | 132 | ## Allow inbound traffic to Tor SocksPort ${tor_socksport_default} 133 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_default} user root 134 | 135 | ## Allow inbound traffic to Tor SocksPort ${tor_socksport_mua} 136 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_mua} user root 137 | 138 | ## Allow inbound traffic to Tor SocksPort ${tor_socksport_tails} 139 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_tails} user root 140 | 141 | ## Allow inbound traffic to Tor SocksPort ${tor_socksport_browser} 142 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_browser} user root 143 | 144 | ## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion} 145 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_onion} user root 146 | 147 | ## Allow 
inbound traffic to Tor SocksPort ${tor_socksport_onion_auth} 148 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_onion_auth} user root 149 | 150 | #################### 151 | ## REDIRECT RULES ## 152 | #################### 153 | 154 | ## Redirect DNS traffic to the Tor DNSPort 155 | pass in quick inet proto udp from ${internal_network}/${internal_netmask} to any port 53 rdr-to 127.0.0.1 port ${tor_dnsport} 156 | 157 | ## Redirect all TCP traffic to the Tor TransPort 158 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any rdr-to 127.0.0.1 port ${tor_transport} 159 | 160 | ## EXAMPLE RULES 161 | ## 162 | ## Example rules for a stricter firewall ruleset. You need to 163 | ## disable the 'Redirect all TCP traffic to the Tor TransPort' rule 164 | ## with a '#' 165 | 166 | ## Redirect SSH traffic to the Tor TransPort 167 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port 22 rdr-to 127.0.0.1 port ${tor_transport} 168 | 169 | ## Redirect MAIL traffic to the Tor TransPort 170 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 25, 110, 143, 587, 993, 995 } rdr-to 127.0.0.1 port ${tor_transport} 171 | 172 | ## Redirect HTTP(S) traffic to the Tor TransPort 173 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 80, 443 } rdr-to 127.0.0.1 port ${tor_transport} 174 | 175 | ## Redirect XMPP and IRC traffic to Tor TransPort 176 | #pass in quick on inet proto tcp from ${internal_network}/${internal_netmask} to any port { 5222, 5223, 6667, 6697 } rdr-to 127.0.0.1 port ${tor_transport} 177 | 178 | ## Redirect Bitcoin traffic to the Tor TransPort 179 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 8332, 8333, 18332, 18333 } rdr-to 127.0.0.1 port ${tor_transport} 180 | 181 | ## Redirect Monero traffic to the Tor TransPort 182 | #pass in 
quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 18080, 18081, 28080, 28081 } rdr-to 127.0.0.1 port ${tor_transport} 183 | 184 | ########################## 185 | ## ONION SERVICES RULES ## 186 | ########################## 187 | 188 | ## Allow outbound traffic from Tor service to the SSH port on 189 | ## onion service ${internal_server} 190 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 22 user ${tor_username} 191 | 192 | ## Allow outbound traffic from Tor service to the HTTP port on 193 | ## onion service ${internal_server} 194 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 80 user ${tor_username} 195 | 196 | ## Allow outbound traffic from Tor service to the HTTPS port on 197 | ## onion service ${internal_server} 198 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 443 user ${tor_username} 199 | 200 | ## Allow outbound traffic from Tor service to the Bitcoin RPC port on 201 | ## onion service ${internal_server} 202 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 8332 user ${tor_username} 203 | 204 | ## Allow outbound traffic from Tor service to the Bitcoin P2P port on 205 | ## onion service ${internal_server} 206 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 8333 user ${tor_username} 207 | 208 | ## Allow outbound traffic from Tor service to the Monero P2P port on 209 | ## onion service ${internal_server} 210 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 18080 user ${tor_username} 211 | 212 | ## Allow outbound traffic from Tor service to the Monero RPC port on 213 | ## onion service ${internal_server} 214 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 18081 user ${tor_username} 215 | 216 | #################### 217 | ## OUTBOUND RULES ## 218 | #################### 219 | 220 | ## 
Allow outbound traffic from this system to DHCP 221 | #pass out quick on egress proto udp from (egress) port 68 to egress:network port 67 222 | 223 | ## Block all outbound traffic to RFC1918 local area network addresses 224 | block out quick on egress inet from any to 225 | 226 | ## Block all outbound traffic to other non-routable addresses 227 | block out quick on egress inet from any to 228 | 229 | ## Allow outbound traffic from Tor service 230 | pass out quick on egress inet proto tcp from (egress) to any user ${tor_username} 231 | 232 | __EOF 233 | # End of pf firewall configuration 234 | 235 | 236 | ######################### 237 | ### TOR CONFIGURATION ### 238 | ######################### 239 | 240 | # Install packages during install 241 | pkg_add tor 242 | 243 | # Import manually created Tor onion services 244 | for i in "${tor_onion_service_dirs}"*; do 245 | if [[ -d $i ]]; then 246 | mv $i /var/tor/ 247 | chown -R "${tor_username}":"${tor_username}" /var/tor/$i 248 | chmod 0700 /var/tor/$i 249 | chmod 0600 /var/tor/$i/* 250 | echo "$i is deployed in /var/tor/" 251 | fi 252 | done 253 | 254 | # Backup Tor configuration 255 | cp /etc/tor/torrc /etc/tor/torrc-orig 256 | 257 | # Configure Tor 258 | cat <<__EOF>> /etc/tor/torrc 259 | 260 | ## Do not remove or edit DisableNetwork. This is part of the 261 | ## installation process. 
262 | DisableNetwork 1 263 | 264 | ################################################ 265 | ### Customizations based on torrc from Tails ### 266 | ################################################ 267 | 268 | ## Disable all SocksPort connections 269 | #SocksPort 0 270 | 271 | ## Default SocksPort 272 | SocksPort ${internal_ip}:${tor_socksport_default} IsolateDestAddr IsolateDestPort 273 | ## SocksPort for the MUA 274 | SocksPort ${internal_ip}:${tor_socksport_mua} IsolateDestAddr 275 | ## SocksPort for Tails-specific applications 276 | SocksPort ${internal_ip}:${tor_socksport_tails} IsolateDestAddr IsolateDestPort 277 | ## SocksPort for the default web browser 278 | SocksPort ${internal_ip}:${tor_socksport_browser} IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth 279 | 280 | ## Onion traffic only SocksPorts 281 | ## 282 | ## SocksPort for .onion only applications 283 | SocksPort ${internal_ip}:${tor_socksport_onion} OnionTrafficOnly IsolateDestAddr IsolateDestPort 284 | ## SocksPort for .onion only applications with socks authentication 285 | SocksPort ${internal_ip}:${tor_socksport_onion_auth} OnionTrafficOnly IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth 286 | 287 | ## FIXME: ControlPort is disabled for security reasons 288 | ## 289 | ## The port on which Tor will listen for local connections from Tor 290 | ## controller applications, as documented in control-spec.txt. 291 | #ControlPort 9052 292 | #ControlListenAddress ${internal_ip} 293 | 294 | ## DISABLED: Use torsocks on the remote system to route traffic 295 | ## through this Tor proxy. 296 | ## 297 | ## Torified DNS 298 | DNSPort ${internal_ip}:${tor_dnsport} 299 | AutomapHostsOnResolve 1 300 | AutomapHostsSuffixes .exit,.onion 301 | 302 | ## DISABLED: Use torsocks on the remote system to route traffic 303 | ## through this Tor proxy. 
304 | ## 305 | ## Transparent proxy 306 | TransPort ${internal_ip}:${tor_transport} IsolateDestAddr # Plus IsolateDestAddr 307 | ## Disabled: deprecated option 308 | #TransListenAddress ${internal_ip} 309 | 310 | ## Misc 311 | AvoidDiskWrites 1 312 | 313 | ## Disabled: deprecated option 314 | ## We don't care if applications do their own DNS lookups since our Tor 315 | ## enforcement will handle it safely. 316 | #WarnUnsafeSocks 0 317 | 318 | ## Disable default warnings on StartTLS for email. Let's not train our 319 | ## users to click through security warnings. 320 | WarnPlaintextPorts 23,109 321 | 322 | ############################ 323 | ### Local onion services ### 324 | ############################ 325 | 326 | ## Example onion service configurations 327 | ## 328 | ## Uncomment HiddenServiceDir and HiddenServicePort to enable 329 | ## a Tor onion service. Make sure you use the right port and 330 | ## IP address combination. Check the hostname file to obtain the 331 | ## .onion hostname. Example .onion hostname: 2tbi9klopsalxaqq.onion 332 | ## 333 | ## You can only configure one onion service per HiddenServiceDir. 334 | ## If you want to run multiple onion services you need to create 335 | ## multiple HiddenServiceDirs. It is possible to forward multiple 336 | ## ports to the same .onion service. 337 | ## 338 | ## Example with two .onion services: 339 | ## 340 | ## HiddenServiceDir /var/tor/hidden_service/ 341 | ## HiddenServicePort 22 127.0.0.1:22 # Single port 342 | ## 343 | ## HiddenServiceDir /var/tor/hidden_service_www/ 344 | ## HiddenServicePort 80 127.0.0.1:80 # Multiple ports 345 | ## HiddenServicePort 443 127.0.0.1:443 # Multiple ports 346 | ## HiddenServicePort XYZ 127.0.0.1:XYZ # Multiple ports 347 | ## 348 | ## Optional: Uncomment HiddenServiceAuthorizeClient to enable client 349 | ## authorization for an onion service. 350 | ## The authorization key and .onion address can be found in the 351 | ## hostname file. 
Clients need to add the authorization key to their 352 | ## local Tor torrc configuration with the 'HidServAuth' option. 353 | ## 354 | ## Example HidServAuth configuration for a Tor client: 355 | ## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb 356 | ## 357 | ## Optional: Uncomment HiddenServiceVersion 3 to configure next 358 | ## generation onion services which have better crypto and longer 359 | ## .onion hostnames. Requires Tor version 0.3.2.x or later. 360 | ## HiddenServiceVersion 3 is currently not compatible with 361 | ## HiddenServiceAuthorizeClient. 362 | 363 | ## Onion service for the SSH server on this system 364 | #HiddenServiceDir /var/tor/hidden_service/ 365 | #HiddenServicePort 22 127.0.0.1:22 366 | ## Optional client authorization for three clients 367 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 368 | ## Optional version 3 next generation .onion service 369 | #HiddenServiceVersion 3 370 | 371 | ## Onion service for the webserver on this system 372 | #HiddenServiceDir /var/tor/hidden_service_www/ 373 | #HiddenServicePort 80 127.0.0.1:80 374 | ## Optional client authorization for three clients 375 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 376 | ## Optional version 3 next generation .onion service 377 | #HiddenServiceVersion 3 378 | 379 | ## Onion service for the SSH server on ${internal_server} 380 | #HiddenServiceDir /var/tor/hidden_service_ssh_${internal_server}/ 381 | #HiddenServicePort 22 ${internal_server}:22 382 | ## Optional client authorization for three clients 383 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 384 | ## Optional version 3 next generation .onion service 385 | #HiddenServiceVersion 3 386 | 387 | ## Onion service for the webserver on ${internal_server} 388 | #HiddenServiceDir /var/tor/hidden_service_www_${internal_server}/ 389 | #HiddenServicePort 80 ${internal_server}:80 390 | ## Optional client authorization for three clients 391 | 
#HiddenServiceAuthorizeClient stealth client1,client2,client3 392 | ## Optional version 3 next generation .onion service 393 | #HiddenServiceVersion 3 394 | 395 | ## Onion service for the Bitcoin RPC wallet service on ${internal_server} 396 | #HiddenServiceDir /var/tor/hidden_service_btc_rpc_${internal_server}/ 397 | #HiddenServicePort 8332 ${internal_server}:8332 398 | ## Optional client authorization for three clients 399 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 400 | ## Optional version 3 next generation .onion service 401 | #HiddenServiceVersion 3 402 | 403 | ## Onion service for the Bitcoin P2P blockchain sync on ${internal_server} 404 | #HiddenServiceDir /var/tor/hidden_service_btc_p2p_${internal_server}/ 405 | #HiddenServicePort 8333 ${internal_server}:8333 406 | ## Optional client authorization for three clients 407 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 408 | ## Optional version 3 next generation .onion service 409 | #HiddenServiceVersion 3 410 | 411 | ## Onion service for the Monero P2P blockchain sync on ${internal_server} 412 | #HiddenServiceDir /var/tor/hidden_service_xmr_p2p_${internal_server}/ 413 | #HiddenServicePort 18080 ${internal_server}:18080 414 | ## Optional client authorization for three clients 415 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 416 | ## Optional version 3 next generation .onion service 417 | #HiddenServiceVersion 3 418 | 419 | ## Onion service for the Monero RPC wallet service on ${internal_server} 420 | #HiddenServiceDir /var/tor/hidden_service_xmr_rpc_${internal_server}/ 421 | #HiddenServicePort 18081 ${internal_server}:18081 422 | ## Optional client authorization for three clients 423 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 424 | ## Optional version 3 next generation .onion service 425 | #HiddenServiceVersion 3 426 | 427 | ############################# 428 | ### Remote onion services ### 429 | ############################# 430 | 431 
## In this section you can configure the authorization data for
## stealth onion services that are hosted on a remote location.
## Local Tor socks clients will be able to use these onion services.
## The authorization key and .onion address can be found in the
## hostname file on the remote .onion service.
##
## Example:
## HidServAuth hostname.onion authorization-key
## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb

## Remote onion service 1
## Comment: Offsite backup system
#HidServAuth hostname.onion authorization-key

## Remote onion service 2
## Comment: Remote Monero system
#HidServAuth hostname.onion authorization-key

## Remote onion service 3
## Comment: Remote security monitoring system
#HidServAuth hostname.onion authorization-key

__EOF
# End of torrc configuration


#######################
### Immutable flags ###
#######################

cat <<__EOF>> /etc/set-immutable-flags.sh
#!/bin/sh

# Set immutable flags on files and folders

# See /etc/unset-immutable-flags.sh to (temporarily) disable
# immutable flags.

chflags schg / 2>/dev/null

chflags -R schg /altroot 2>/dev/null
chflags -R schg /bin 2>/dev/null
chflags -R schg /etc 2>/dev/null
chflags -R schg /home 2>/dev/null
chflags -R schg /mfs 2>/dev/null
chflags -R schg /mnt 2>/dev/null
chflags -R schg /root 2>/dev/null
chflags -R schg /sbin 2>/dev/null
chflags -R schg /usr 2>/dev/null

chflags schg /.cshrc 2>/dev/null
chflags schg /.profile 2>/dev/null
chflags schg /boot 2>/dev/null
chflags schg /bsd 2>/dev/null
chflags schg /bsd.mp 2>/dev/null
chflags schg /bsd.rd 2>/dev/null
chflags schg /bsd.sp 2>/dev/null
chflags schg /obsd 2>/dev/null

__EOF

cat <<__EOF>> /etc/unset-immutable-flags.sh
#!/bin/sh

# Remove immutable flags from files and folders

# How to temporarily remove immutable flags, make changes to the
# system and set immutable flags back again:
#
# kill -15 1
# mount -uw /
# /etc/unset-immutable-flags.sh
# export TERM=vt220
#
# /etc/set-immutable-flags.sh
# exit

chflags noschg / 2>/dev/null

chflags -R noschg /altroot 2>/dev/null
chflags -R noschg /bin 2>/dev/null
chflags -R noschg /etc 2>/dev/null
chflags -R noschg /home 2>/dev/null
chflags -R noschg /mfs 2>/dev/null
chflags -R noschg /mnt 2>/dev/null
chflags -R noschg /root 2>/dev/null
chflags -R noschg /sbin 2>/dev/null
chflags -R noschg /usr 2>/dev/null

chflags noschg /.cshrc 2>/dev/null
chflags noschg /.profile 2>/dev/null
chflags noschg /boot 2>/dev/null
chflags noschg /bsd 2>/dev/null
chflags noschg /bsd.mp 2>/dev/null
chflags noschg /bsd.rd 2>/dev/null
chflags noschg /bsd.sp 2>/dev/null
chflags noschg /obsd 2>/dev/null

__EOF

chmod 500 /etc/set-immutable-flags.sh
chmod 500 /etc/unset-immutable-flags.sh


###################################
### CONFIGURE /etc/rc.firsttime ###
###################################

# rc.firsttime will run once on the first normal boot

cat <<'__EOF'>> /etc/rc.firsttime

# Push custom cryptographic seed 2 into the kernel
if [[ -f /custom-random.seed2 ]]; then
    dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed2
fi

# Start Tor without network access and let it generate onion services
grep -q 'DisableNetwork 1' /etc/tor/torrc && /etc/rc.d/tor start

# Give Tor some time to generate the .onion services
sleep 10

# Stop Tor
/etc/rc.d/tor stop

# Cleanup Tor files
for i in lock state; do
    if [[ -f /var/tor/$i ]]; then
        rm -P /var/tor/$i
    fi
done

# Allow Tor to the network
sed -i 's/DisableNetwork 1/DisableNetwork 0/' /etc/tor/torrc

# Enable Tor at boot
echo "pkg_scripts=tor" >> /etc/rc.conf.local

# Configure random mac address for network interfaces
for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do
    echo "lladdr random" >> $i
done

# Import firmware files
if [[ -d /firmware ]]; then
    mv /firmware/* /etc/firmware/
    chown root:bin /etc/firmware/*
    chmod 0644 /etc/firmware/*
    rm -r /firmware
fi

# Install missing firmware
/usr/sbin/fw_update -v -p /etc/firmware/

##############################
## SAVE CRYPTOGRAPHIC SEEDS ##
##############################

# Push old seed into the kernel, create a future seed and create a
# seed file for the boot-loader.
dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
chmod 600 /var/db/host.random
dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
chmod 600 /etc/random.seed


##############################
## FILESYSTEM MODIFICATIONS ##
##############################

# Backup fstab
cp -p /etc/fstab /etc/fstab-orig

# Create /mfs directory
mkdir /mfs/

# Copy /var to /mfs
cp -rp /var /mfs/ || true
rm -r /mfs/var/run/* || true
rm -r /mfs/var/cache/* || true
rm -r /mfs/var/cron/tabs/*.sock || true

# Create /dev in /mfs
mkdir /mfs/dev
cp -p /dev/MAKEDEV /mfs/dev/
cd /mfs/dev/ && ./MAKEDEV all

# Add /tmp entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /tmp in RAM with 64MB" >> /etc/fstab
echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab

# Add /var entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /var in RAM with 64MB" >> /etc/fstab
echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0" >> /etc/fstab

# Add /mfs/dev entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /dev in RAM" >> /etc/fstab
echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab

# Set all ffs filesystems to read-only
sed -i 's/ffs rw/ffs ro/' /etc/fstab

# Remove /etc/rc.firsttime.run
if [[ -f /etc/rc.firsttime.run ]]; then
    rm /etc/rc.firsttime.run
fi

# Set files and folders to immutable
/etc/set-immutable-flags.sh

# Automatic reboot
reboot

__EOF

# Remove archives
for i in /*.tgz; do
    if [[ -f $i ]]; then
        rm -P $i
    fi
done

# Remove install.site
if [[ -f /install.site ]]; then
    rm -P /install.site
fi

# Exit script
exit 0
--------------------------------------------------------------------------------
/templates/openbsd-single-network-card-tor-socks-only:
--------------------------------------------------------------------------------
#!/bin/ksh

set -u
set -e

# Variables
internal_ip="0.0.0.0" # The IP for the Tor service
internal_server="172.16.1.2" # An optional server
internal_network="0.0.0.0"
internal_netmask="0" # 0 = All
tor_controlport="9052"
tor_dnsport="5353"
tor_transport="9040"
tor_socksport_default="9050"
tor_socksport_mua="9061"
tor_socksport_tails="9062"
tor_socksport_browser="9150"
tor_socksport_onion="9250"
tor_socksport_onion_auth="9350"
tor_username="_tor"
tor_onion_service_dirs="/hidden_service"
## TODO: Kovri/I2P
#i2p_socksport_default=""
#i2p_socksport_monero=""
#i2p_socksport_browser=""
#i2p_username=""
#i2p_service_dirs=""

echo ""
echo "### CUSTOM INSTALL SCRIPT ###"
echo ""

# Push custom cryptographic seed 1 into the kernel
if [[ -f /custom-random.seed1 ]]; then
    dd if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed1
fi

# Configure securelevel 2 on boot
echo "# Configure securelevel 2 on system boot" >> /etc/rc.local
echo "sysctl kern.securelevel=2" >> /etc/rc.local

# Disable library reordering on boot
echo "library_aslr=NO" >> /etc/rc.conf.local

# Disable sshd on boot
echo "sshd_flags=NO" >> /etc/rc.conf.local

# Disable ntpd on boot
echo "ntpd_flags=NO" >> /etc/rc.conf.local

# Disable ddb.panic to prevent securelevel changes
echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf
echo "ddb.panic=0" >> /etc/sysctl.conf


#################################
### PF FIREWALL CONFIGURATION ###
#################################

# Backup pf firewall configuration
cp /etc/pf.conf /etc/pf.conf-orig

# Configure pf firewall
cat <<__EOF> /etc/pf.conf

############
## TABLES ##
############

# RFC1918
table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Other non-routable ip addresses
table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

#############
## OPTIONS ##
#############

## Drop blocked packets
set block-policy drop

## Allow traffic loopback interface
set skip on lo

###################
## GENERAL RULES ##
###################

## Default deny policy
block

## Block ipv6 traffic
block quick inet6

###################
## ANTI SPOOFING ##
###################

## Antispoofing for external interface
antispoof quick for egress

## Block packets with wrong source interface
block in quick from urpf-failed

## Block packets with no route
block in quick from no-route

###########################
## TRAFFIC NORMALIZATION ##
###########################

## Scrub all incoming packets
match in all scrub (no-df max-mss 1440)

## Scrub outbound packets
match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)

###################
## INBOUND RULES ##
###################

## Allow inbound SSH traffic
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port 22 user root

## DISABLED: Tor controlport is disabled for security reasons
##
## Allow inbound traffic to Tor ControlPort ${tor_controlport}
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_controlport} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_default}
pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_default} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_mua}
pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_mua} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_tails}
pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_tails} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_browser}
pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_browser} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion}
pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_onion} user root

## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion_auth}
pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_onion_auth} user root

####################
## REDIRECT RULES ##
####################

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Redirect DNS traffic to the Tor DNSPort
#pass in quick inet proto udp from ${internal_network}/${internal_netmask} to any port 53 rdr-to 127.0.0.1 port ${tor_dnsport}

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Redirect all TCP traffic to the Tor TransPort
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any rdr-to 127.0.0.1 port ${tor_transport}

## EXAMPLE RULES
##
## Example rules for a stricter firewall ruleset. You need to
## disable the 'Redirect all TCP traffic to the Tor TransPort' rule
## with a '#'

## Redirect SSH traffic to the Tor TransPort
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port 22 rdr-to 127.0.0.1 port ${tor_transport}

## Redirect MAIL traffic to the Tor TransPort
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 25, 110, 143, 587, 993, 995 } rdr-to 127.0.0.1 port ${tor_transport}

## Redirect HTTP(S) traffic to the Tor TransPort
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 80, 443 } rdr-to 127.0.0.1 port ${tor_transport}

## Redirect XMPP and IRC traffic to Tor TransPort
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 5222, 5223, 6667, 6697 } rdr-to 127.0.0.1 port ${tor_transport}

## Redirect Bitcoin traffic to the Tor TransPort
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 8332, 8333, 18332, 18333 } rdr-to 127.0.0.1 port ${tor_transport}

## Redirect Monero traffic to the Tor TransPort
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 18080, 18081, 28080, 28081 } rdr-to 127.0.0.1 port ${tor_transport}

##########################
## ONION SERVICES RULES ##
##########################

## Allow outbound traffic from Tor service to the SSH port on
## onion service ${internal_server}
#pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 22 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTP port on
## onion service ${internal_server}
#pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 80 user ${tor_username}

## Allow outbound traffic from Tor service to the HTTPS port on
## onion service ${internal_server}
#pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 443 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin RPC port on
## onion service ${internal_server}
#pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 8332 user ${tor_username}

## Allow outbound traffic from Tor service to the Bitcoin P2P port on
## onion service ${internal_server}
#pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 8333 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero P2P port on
## onion service ${internal_server}
#pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 18080 user ${tor_username}

## Allow outbound traffic from Tor service to the Monero RPC port on
## onion service ${internal_server}
#pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 18081 user ${tor_username}

####################
## OUTBOUND RULES ##
####################

## Allow outbound traffic from this system to DHCP
#pass out quick on egress proto udp from (egress) port 68 to egress:network port 67

## Block all outbound traffic to RFC1918 local area network addresses
block out quick on egress inet from any to

## Block all outbound traffic to other non-routable addresses
block out quick on egress inet from any to

## Allow outbound traffic from Tor service
pass out quick on egress inet proto tcp from (egress) to any user ${tor_username}

__EOF
# End of pf firewall configuration


#########################
### TOR CONFIGURATION ###
#########################

# Install packages during install
pkg_add tor

# Import manually created Tor onion services
for i in "${tor_onion_service_dirs}"*; do
    if [[ -d $i ]]; then
        mv $i /var/tor/
        chown -R "${tor_username}":"${tor_username}" /var/tor/$i
        chmod 0700 /var/tor/$i
        chmod 0600 /var/tor/$i/*
        echo "$i is deployed in /var/tor/"
    fi
done

# Backup Tor configuration
cp /etc/tor/torrc /etc/tor/torrc-orig

# Configure Tor
cat <<__EOF>> /etc/tor/torrc

## Do not remove or edit DisableNetwork. This is part of the
## installation process.
DisableNetwork 1

################################################
### Customizations based on torrc from Tails ###
################################################

## Disable all SocksPort connections
#SocksPort 0

## Default SocksPort
SocksPort ${internal_ip}:${tor_socksport_default} IsolateDestAddr IsolateDestPort
## SocksPort for the MUA
SocksPort ${internal_ip}:${tor_socksport_mua} IsolateDestAddr
## SocksPort for Tails-specific applications
SocksPort ${internal_ip}:${tor_socksport_tails} IsolateDestAddr IsolateDestPort
## SocksPort for the default web browser
SocksPort ${internal_ip}:${tor_socksport_browser} IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## Onion traffic only SocksPorts
##
## SocksPort for .onion only applications
SocksPort ${internal_ip}:${tor_socksport_onion} OnionTrafficOnly IsolateDestAddr IsolateDestPort
## SocksPort for .onion only applications with socks authentication
SocksPort ${internal_ip}:${tor_socksport_onion_auth} OnionTrafficOnly IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

## FIXME: ControlPort is disabled for security reasons
##
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9052
#ControlListenAddress ${internal_ip}

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Torified DNS
#DNSPort ${internal_ip}:${tor_dnsport}
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

## DISABLED: Use torsocks on the remote system to route traffic
## through this Tor proxy.
##
## Transparent proxy
#TransPort ${internal_ip}:${tor_transport} IsolateDestAddr # Plus IsolateDestAddr
## Disabled: deprecated option
#TransListenAddress ${internal_ip}

## Misc
AvoidDiskWrites 1

## Disabled: deprecated option
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
#WarnUnsafeSocks 0

## Disable default warnings on StartTLS for email. Let's not train our
## users to click through security warnings.
WarnPlaintextPorts 23,109

############################
### Local onion services ###
############################

## Example onion service configurations
##
## Uncomment HiddenServiceDir and HiddenServicePort to enable
## a Tor onion service. Make sure you use the right port and
## IP address combination. Check the hostname file to obtain the
## .onion hostname. Example .onion hostname: 2tbi9klopsalxaqq.onion
##
## You can only configure one onion service per HiddenServiceDir.
## If you want to run multiple onion services you need to create
## multiple HiddenServiceDirs. It is possible to forward multiple
## ports to the same .onion service.
##
## Example with two .onion services:
##
## HiddenServiceDir /var/tor/hidden_service/
## HiddenServicePort 22 127.0.0.1:22 # Single port
##
## HiddenServiceDir /var/tor/hidden_service_www/
## HiddenServicePort 80 127.0.0.1:80 # Multiple ports
## HiddenServicePort 443 127.0.0.1:443 # Multiple ports
## HiddenServicePort XYZ 127.0.0.1:XYZ # Multiple ports
##
## Optional: Uncomment HiddenServiceAuthorizeClient to enable client
## authorization for an onion service.
## The authorization key and .onion address can be found in the
## hostname file. Clients need to add the authorization key to their
## local Tor torrc configuration with the 'HidServAuth' option.
##
## Example HidServAuth configuration for a Tor client:
## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb
##
## Optional: Uncomment HiddenServiceVersion 3 to configure next
## generation onion services which have better crypto and longer
## .onion hostnames. Requires Tor version 0.3.2.x or later.
## HiddenServiceVersion 3 is currently not compatible with
## HiddenServiceAuthorizeClient.

## Onion service for the SSH server on this system
#HiddenServiceDir /var/tor/hidden_service/
#HiddenServicePort 22 127.0.0.1:22
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the webserver on this system
#HiddenServiceDir /var/tor/hidden_service_www/
#HiddenServicePort 80 127.0.0.1:80
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the SSH server on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_ssh_${internal_server}/
#HiddenServicePort 22 ${internal_server}:22
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the webserver on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_www_${internal_server}/
#HiddenServicePort 80 ${internal_server}:80
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Bitcoin RPC wallet service on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_btc_rpc_${internal_server}/
#HiddenServicePort 8332 ${internal_server}:8332
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Bitcoin P2P blockchain sync on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_btc_p2p_${internal_server}/
#HiddenServicePort 8333 ${internal_server}:8333
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Monero P2P blockchain sync on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_xmr_p2p_${internal_server}/
#HiddenServicePort 18080 ${internal_server}:18080
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

## Onion service for the Monero RPC wallet service on ${internal_server}
#HiddenServiceDir /var/tor/hidden_service_xmr_rpc_${internal_server}/
#HiddenServicePort 18081 ${internal_server}:18081
## Optional client authorization for three clients
#HiddenServiceAuthorizeClient stealth client1,client2,client3
## Optional version 3 next generation .onion service
#HiddenServiceVersion 3

#############################
### Remote onion services ###
#############################

## In this section you can configure the authorization data for
## stealth onion services that are hosted on a remote location.
## Local Tor socks clients will be able to use these onion services.
## The authorization key and .onion address can be found in the
## hostname file on the remote .onion service.
##
## Example:
## HidServAuth hostname.onion authorization-key
## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb

## Remote onion service 1
## Comment: Offsite backup system
#HidServAuth hostname.onion authorization-key

## Remote onion service 2
## Comment: Remote Monero system
#HidServAuth hostname.onion authorization-key

## Remote onion service 3
## Comment: Remote security monitoring system
#HidServAuth hostname.onion authorization-key

__EOF
# End of torrc configuration


#######################
### Immutable flags ###
#######################

cat <<__EOF>> /etc/set-immutable-flags.sh
#!/bin/sh

# Set immutable flags on files and folders

# See /etc/unset-immutable-flags.sh to (temporarily) disable
# immutable flags.

chflags schg / 2>/dev/null

chflags -R schg /altroot 2>/dev/null
chflags -R schg /bin 2>/dev/null
chflags -R schg /etc 2>/dev/null
chflags -R schg /home 2>/dev/null
chflags -R schg /mfs 2>/dev/null
chflags -R schg /mnt 2>/dev/null
chflags -R schg /root 2>/dev/null
chflags -R schg /sbin 2>/dev/null
chflags -R schg /usr 2>/dev/null

chflags schg /.cshrc 2>/dev/null
chflags schg /.profile 2>/dev/null
chflags schg /boot 2>/dev/null
chflags schg /bsd 2>/dev/null
chflags schg /bsd.mp 2>/dev/null
chflags schg /bsd.rd 2>/dev/null
chflags schg /bsd.sp 2>/dev/null
chflags schg /obsd 2>/dev/null

__EOF

cat <<__EOF>> /etc/unset-immutable-flags.sh
#!/bin/sh

# Remove immutable flags from files and folders

# How to temporarily remove immutable flags, make changes to the
# system and set immutable flags back again:
#
# kill -15 1
# mount -uw /
# /etc/unset-immutable-flags.sh
# export TERM=vt220
#
# /etc/set-immutable-flags.sh
# exit

chflags noschg / 2>/dev/null

chflags -R noschg /altroot 2>/dev/null
chflags -R noschg /bin 2>/dev/null
chflags -R noschg /etc 2>/dev/null
chflags -R noschg /home 2>/dev/null
chflags -R noschg /mfs 2>/dev/null
chflags -R noschg /mnt 2>/dev/null
chflags -R noschg /root 2>/dev/null
chflags -R noschg /sbin 2>/dev/null
chflags -R noschg /usr 2>/dev/null

chflags noschg /.cshrc 2>/dev/null
chflags noschg /.profile 2>/dev/null
chflags noschg /boot 2>/dev/null
chflags noschg /bsd 2>/dev/null
chflags noschg /bsd.mp 2>/dev/null
chflags noschg /bsd.rd 2>/dev/null
chflags noschg /bsd.sp 2>/dev/null
chflags noschg /obsd 2>/dev/null

__EOF

chmod 500 /etc/set-immutable-flags.sh
chmod 500 /etc/unset-immutable-flags.sh


###################################
### CONFIGURE /etc/rc.firsttime ###
###################################

# rc.firsttime will run once on the first normal boot

cat <<'__EOF'>> /etc/rc.firsttime

# Push custom cryptographic seed 2 into the kernel
if [[ -f /custom-random.seed2 ]]; then
    dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed2
fi

# Start Tor without network access and let it generate onion services
grep -q 'DisableNetwork 1' /etc/tor/torrc && /etc/rc.d/tor start

# Give Tor some time to generate the .onion services
sleep 10

# Stop Tor
/etc/rc.d/tor stop

# Cleanup Tor files
for i in lock state; do
    if [[ -f /var/tor/$i ]]; then
        rm -P /var/tor/$i
    fi
done

# Allow Tor to the network
sed -i 's/DisableNetwork 1/DisableNetwork 0/' /etc/tor/torrc

# Enable Tor at boot
echo "pkg_scripts=tor" >> /etc/rc.conf.local

# Configure random mac address for network interfaces
for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do
    echo "lladdr random" >> $i
done

# Import firmware files
if [[ -d /firmware ]]; then
    mv /firmware/* /etc/firmware/
    chown root:bin /etc/firmware/*
    chmod 0644 /etc/firmware/*
    rm -r /firmware
fi

# Install missing firmware
/usr/sbin/fw_update -v -p /etc/firmware/

##############################
## SAVE CRYPTOGRAPHIC SEEDS ##
##############################

# Push old seed into the kernel, create a future seed and create a
# seed file for the boot-loader.
dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
chmod 600 /var/db/host.random
dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
chmod 600 /etc/random.seed


##############################
## FILESYSTEM MODIFICATIONS ##
##############################

# Backup fstab
cp -p /etc/fstab /etc/fstab-orig

# Create /mfs directory
mkdir /mfs/

# Copy /var to /mfs
cp -rp /var /mfs/ || true
rm -r /mfs/var/run/* || true
rm -r /mfs/var/cache/* || true
rm -r /mfs/var/cron/tabs/*.sock || true

# Create /dev in /mfs
mkdir /mfs/dev
cp -p /dev/MAKEDEV /mfs/dev/
cd /mfs/dev/ && ./MAKEDEV all

# Add /tmp entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /tmp in RAM with 64MB" >> /etc/fstab
echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab

# Add /var entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /var in RAM with 64MB" >> /etc/fstab
echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0" >> /etc/fstab

# Add /mfs/dev entry to /etc/fstab
echo "" >> /etc/fstab
echo "# /dev in RAM" >> /etc/fstab
echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab

# Set all ffs filesystems to read-only
sed -i 's/ffs rw/ffs ro/' /etc/fstab

# Remove /etc/rc.firsttime.run
if [[ -f /etc/rc.firsttime.run ]]; then
    rm /etc/rc.firsttime.run
fi

# Set files and folders to immutable
/etc/set-immutable-flags.sh

# Automatic reboot
reboot

__EOF

# Remove archives
for i in /*.tgz; do
    if [[ -f $i ]]; then
        rm -P $i
    fi
done

# Remove install.site
if [[ -f /install.site ]]; then
    rm -P /install.site
fi

# Exit script
exit 0
--------------------------------------------------------------------------------
/templates/openbsd-single-network-card-tor-transparent-only:
--------------------------------------------------------------------------------
#!/bin/ksh

set -u
set -e

# Variables
internal_ip="0.0.0.0" # The IP for the Tor service
internal_server="172.16.1.2" # An optional server
internal_network="0.0.0.0"
internal_netmask="0" # 0 = All
tor_controlport="9052"
tor_dnsport="5353"
tor_transport="9040"
tor_socksport_default="9050"
tor_socksport_mua="9061"
tor_socksport_tails="9062"
tor_socksport_browser="9150"
tor_socksport_onion="9250"
tor_socksport_onion_auth="9350"
tor_username="_tor"
tor_onion_service_dirs="/hidden_service"
## TODO: Kovri/I2P
#i2p_socksport_default=""
#i2p_socksport_monero=""
#i2p_socksport_browser=""
#i2p_username=""
#i2p_service_dirs=""

echo ""
echo "### CUSTOM INSTALL SCRIPT ###"
echo ""

# Push custom cryptographic seed 1 into the kernel
if [[ -f /custom-random.seed1 ]]; then
    dd if=/custom-random.seed1 of=/dev/random bs=65536 count=1 status=none
    rm -P /custom-random.seed1
fi

# Configure securelevel 2 on boot
echo "# Configure securelevel 2 on system boot" >> /etc/rc.local
echo "sysctl kern.securelevel=2" >> /etc/rc.local

# Disable library reordering on boot
echo "library_aslr=NO" >> /etc/rc.conf.local

# Disable sshd on boot
echo "sshd_flags=NO" >> /etc/rc.conf.local

# Disable ntpd on boot
echo "ntpd_flags=NO" >> /etc/rc.conf.local

# Disable ddb.panic to prevent securelevel changes
echo "# Disable ddb.panic to prevent securelevel changes" >> /etc/sysctl.conf
echo "ddb.panic=0" >> /etc/sysctl.conf


#################################
### PF FIREWALL CONFIGURATION ###
#################################

# Backup pf firewall configuration
cp /etc/pf.conf /etc/pf.conf-orig

# Configure pf firewall
cat <<__EOF> /etc/pf.conf

############
## TABLES ##
############

# RFC1918
table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Other non-routable ip addresses
table const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

#############
## OPTIONS ##
#############

## Drop blocked packets
set block-policy drop

## Allow traffic loopback interface
set skip on lo

###################
## GENERAL RULES ##
###################

## Default deny policy
block

## Block ipv6 traffic
block quick inet6

###################
## ANTI SPOOFING ##
###################

## Antispoofing for external interface
antispoof quick for egress

## Block packets with wrong source interface
block in quick from urpf-failed

## Block packets with no route
block in quick from no-route

###########################
## TRAFFIC NORMALIZATION ##
###########################

## Scrub all incoming packets
match in all scrub (no-df max-mss 1440)

## Scrub outbound packets
match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)

###################
## INBOUND RULES ##
###################

## Allow inbound SSH traffic
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port 22 user root

## DISABLED: Tor controlport is disabled for security reasons
##
## Allow inbound traffic to Tor ControlPort ${tor_controlport}
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_controlport} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_default}
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_default} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_mua}
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_mua} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_tails}
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_tails} user root

## DISABLED: This is a transparent Tor proxy
##
## Allow inbound traffic to Tor SocksPort ${tor_socksport_browser}
#pass in quick inet proto tcp from ${internal_network}/${internal_netmask} 
to (egress) port ${tor_socksport_browser} user root 151 | 152 | ## DISABLED: This is a transparent Tor proxy 153 | ## 154 | ## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion} 155 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_onion} user root 156 | 157 | ## DISABLED: This is a transparent Tor proxy 158 | ## 159 | ## Allow inbound traffic to Tor SocksPort ${tor_socksport_onion_auth} 160 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to (egress) port ${tor_socksport_onion_auth} user root 161 | 162 | #################### 163 | ## REDIRECT RULES ## 164 | #################### 165 | 166 | ## Redirect DNS traffic to the Tor DNSPort 167 | pass in quick inet proto udp from ${internal_network}/${internal_netmask} to any port 53 rdr-to 127.0.0.1 port ${tor_dnsport} 168 | 169 | ## Redirect all TCP traffic to the Tor TransPort 170 | pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any rdr-to 127.0.0.1 port ${tor_transport} 171 | 172 | ## EXAMPLE RULES 173 | ## 174 | ## Example rules for a stricter firewall ruleset. 
You need to 175 | ## disable the 'Redirect all TCP traffic to the Tor TransPort' rule 176 | ## with a '#' 177 | 178 | ## Redirect SSH traffic to the Tor TransPort 179 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port 22 rdr-to 127.0.0.1 port ${tor_transport} 180 | 181 | ## Redirect MAIL traffic to the Tor TransPort 182 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 25, 110, 143, 587, 993, 995 } rdr-to 127.0.0.1 port ${tor_transport} 183 | 184 | ## Redirect HTTP(S) traffic to the Tor TransPort 185 | #pass in quick inet proto tcp from ${internal_network}/${internal_netmask} to any port { 80, 443 } rdr-to 127.0.0.1 port ${tor_transport} 186 | 187 | ## Redirect XMPP and IRC traffic to Tor TransPort 188 | #pass in quick on inet proto tcp ${internal_network}/${internal_netmask} any to any port { 5222, 5223, 6667, 6697 } rdr-to 127.0.0.1 port ${tor_transport} 189 | 190 | ## Redirect Bitcoin traffic to the Tor TransPort 191 | #pass in quick inet proto tcp ${internal_network}/${internal_netmask} any to any port { 8332, 8333, 18332, 18333 } rdr-to 127.0.0.1 port ${tor_transport} 192 | 193 | ## Redirect Monero traffic to the Tor TransPort 194 | #pass in quick inet proto tcp ${internal_network}/${internal_netmask} any to any port { 18080, 18081, 28080, 28081 } rdr-to 127.0.0.1 port ${tor_transport} 195 | 196 | ########################## 197 | ## ONION SERVICES RULES ## 198 | ########################## 199 | 200 | ## Allow outbound traffic from Tor service to the SSH port on 201 | ## onion service ${internal_server} 202 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 22 user ${tor_username} 203 | 204 | ## Allow outbound traffic from Tor service to the HTTP port on 205 | ## onion service ${internal_server} 206 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 80 user ${tor_username} 207 | 208 | ## Allow outbound traffic from Tor 
service to the HTTPS port on 209 | ## onion service ${internal_server} 210 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 443 user ${tor_username} 211 | 212 | ## Allow outbound traffic from Tor service to the Bitcoin RPC port on 213 | ## onion service ${internal_server} 214 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 8332 user ${tor_username} 215 | 216 | ## Allow outbound traffic from Tor service to the Bitcoin P2P port on 217 | ## onion service ${internal_server} 218 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 8333 user ${tor_username} 219 | 220 | ## Allow outbound traffic from Tor service to the Monero P2P port on 221 | ## onion service ${internal_server} 222 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 18080 user ${tor_username} 223 | 224 | ## Allow outbound traffic from Tor service to the Monero RPC port on 225 | ## onion service ${internal_server} 226 | #pass out quick on egress inet proto tcp from (egress) to ${internal_server} port 18081 user ${tor_username} 227 | 228 | #################### 229 | ## OUTBOUND RULES ## 230 | #################### 231 | 232 | ## Allow outbound traffic from this system to DHCP 233 | #pass out quick on egress proto udp from (egress) port 68 to egress:network port 67 234 | 235 | ## Block all outbound traffic to RFC1918 local area network addresses 236 | block out quick on egress inet from any to 237 | 238 | ## Block all outbound traffic to other non-routable addresses 239 | block out quick on egress inet from any to 240 | 241 | ## Allow outbound traffic from Tor service 242 | pass out quick on egress inet proto tcp from (egress) to any user ${tor_username} 243 | 244 | __EOF 245 | # End of pf firewall configuration 246 | 247 | 248 | ######################### 249 | ### TOR CONFIGURATION ### 250 | ######################### 251 | 252 | # Install packages during install 253 | pkg_add 
tor 254 | 255 | # Import manually created Tor onion services 256 | for i in "${tor_onion_service_dirs}"*; do 257 | if [[ -d $i ]]; then 258 | mv $i /var/tor/ 259 | chown -R "${tor_username}":"${tor_username}" /var/tor/$i 260 | chmod 0700 /var/tor/$i 261 | chmod 0600 /var/tor/$i/* 262 | echo "$i is deployed in /var/tor/" 263 | fi 264 | done 265 | 266 | # Backup Tor configuration 267 | cp /etc/tor/torrc /etc/tor/torrc-orig 268 | 269 | # Configure Tor 270 | cat <<__EOF>> /etc/tor/torrc 271 | 272 | ## Do not remove or edit DisableNetwork. This is part of the 273 | ## installation process. 274 | DisableNetwork 1 275 | 276 | ################################################ 277 | ### Customizations based on torrc from Tails ### 278 | ################################################ 279 | 280 | ## Disable all SocksPort connections 281 | SocksPort 0 282 | 283 | ## DISABLED: This is a transparent Tor proxy 284 | ## 285 | ## Default SocksPort 286 | #SocksPort ${internal_ip}:${tor_socksport_default} IsolateDestAddr IsolateDestPort 287 | ## SocksPort for the MUA 288 | #SocksPort ${internal_ip}:${tor_socksport_mua} IsolateDestAddr 289 | ## SocksPort for Tails-specific applications 290 | #SocksPort ${internal_ip}:${tor_socksport_tails} IsolateDestAddr IsolateDestPort 291 | ## SocksPort for the default web browser 292 | #SocksPort ${internal_ip}:${tor_socksport_browser} IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth 293 | 294 | ## Onion traffic only SocksPorts 295 | ## 296 | ## SocksPort for .onion only applications 297 | #SocksPort ${internal_ip}:${tor_socksport_onion} OnionTrafficOnly IsolateDestAddr IsolateDestPort 298 | ## SocksPort for .onion only applications with socks authentication 299 | #SocksPort ${internal_ip}:${tor_socksport_onion_auth} OnionTrafficOnly IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth 300 | 301 | ## FIXME: ControlPort is disabled for security reasons 302 | ## 303 | ## The port on which Tor will listen for local connections from Tor 304 | ## controller 
applications, as documented in control-spec.txt. 305 | #ControlPort 9052 306 | #ControlListenAddress ${internal_ip} 307 | 308 | ## Torified DNS 309 | DNSPort ${internal_ip}:${tor_dnsport} 310 | AutomapHostsOnResolve 1 311 | AutomapHostsSuffixes .exit,.onion 312 | 313 | ## Transparent proxy 314 | TransPort ${internal_ip}:${tor_transport} IsolateDestAddr # Plus IsolateDestAddr 315 | ## Disabled: deprecated option 316 | #TransListenAddress ${internal_ip} 317 | 318 | ## Misc 319 | AvoidDiskWrites 1 320 | 321 | ## Disabled: deprecated option 322 | ## We don't care if applications do their own DNS lookups since our Tor 323 | ## enforcement will handle it safely. 324 | #WarnUnsafeSocks 0 325 | 326 | ## Disable default warnings on StartTLS for email. Let's not train our 327 | ## users to click through security warnings. 328 | WarnPlaintextPorts 23,109 329 | 330 | ############################ 331 | ### Local onion services ### 332 | ############################ 333 | 334 | ## Example onion service configurations 335 | ## 336 | ## Uncomment HiddenServiceDir and HiddenServicePort to enable 337 | ## a Tor onion service. Make sure you use the right port and 338 | ## IP address combination. Check the hostname file to obtain the 339 | ## .onion hostname. Example .onion hostname: 2tbi9klopsalxaqq.onion 340 | ## 341 | ## You can only configure one onion service per HiddenServiceDir. 342 | ## If you want to run multiple onion services you need to create 343 | ## multiple HiddenServiceDirs. It is possible to forward multiple 344 | ## ports to the same .onion service. 
345 | ## 346 | ## Example with two .onion services: 347 | ## 348 | ## HiddenServiceDir /var/tor/hidden_service/ 349 | ## HiddenServicePort 22 127.0.0.1:22 # Single port 350 | ## 351 | ## HiddenServiceDir /var/tor/hidden_service_www/ 352 | ## HiddenServicePort 80 127.0.0.1:80 # Multiple ports 353 | ## HiddenServicePort 443 127.0.0.1:443 # Multiple ports 354 | ## HiddenServicePort XYZ 127.0.0.1:XYZ # Multiple ports 355 | ## 356 | ## Optional: Uncomment HiddenServiceAuthorizeClient to enable client 357 | ## authorization for an onion service. 358 | ## The authorization key and .onion address can be found in the 359 | ## hostname file. Clients need to add the authorization key to their 360 | ## local Tor torrc configuration with the 'HidServAuth' option. 361 | ## 362 | ## Example HidServAuth configuration for a Tor client: 363 | ## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb 364 | ## 365 | ## Optional: Uncomment HiddenServiceVersion 3 to configure next 366 | ## generation onion services which have better crypto and longer 367 | ## .onion hostnames. Requires Tor version 0.3.2.x or later. 368 | ## HiddenServiceVersion 3 is currently not compatible with 369 | ## HiddenServiceAuthorizeClient. 
370 | 371 | ## Onion service for the SSH server on this system 372 | #HiddenServiceDir /var/tor/hidden_service/ 373 | #HiddenServicePort 22 127.0.0.1:22 374 | ## Optional client authorization for three clients 375 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 376 | ## Optional version 3 next generation .onion service 377 | #HiddenServiceVersion 3 378 | 379 | ## Onion service for the webserver on this system 380 | #HiddenServiceDir /var/tor/hidden_service_www/ 381 | #HiddenServicePort 80 127.0.0.1:80 382 | ## Optional client authorization for three clients 383 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 384 | ## Optional version 3 next generation .onion service 385 | #HiddenServiceVersion 3 386 | 387 | ## Onion service for the SSH server on ${internal_server} 388 | #HiddenServiceDir /var/tor/hidden_service_ssh_${internal_server}/ 389 | #HiddenServicePort 22 ${internal_server}:22 390 | ## Optional client authorization for three clients 391 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 392 | ## Optional version 3 next generation .onion service 393 | #HiddenServiceVersion 3 394 | 395 | ## Onion service for the webserver on ${internal_server} 396 | #HiddenServiceDir /var/tor/hidden_service_www_${internal_server}/ 397 | #HiddenServicePort 80 ${internal_server}:80 398 | ## Optional client authorization for three clients 399 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 400 | ## Optional version 3 next generation .onion service 401 | #HiddenServiceVersion 3 402 | 403 | ## Onion service for the Bitcoin RPC wallet service on ${internal_server} 404 | #HiddenServiceDir /var/tor/hidden_service_btc_rpc_${internal_server}/ 405 | #HiddenServicePort 8332 ${internal_server}:8332 406 | ## Optional client authorization for three clients 407 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 408 | ## Optional version 3 next generation .onion service 409 | #HiddenServiceVersion 3 410 | 411 | ## Onion 
service for the Bitcoin P2P blockchain sync on ${internal_server} 412 | #HiddenServiceDir /var/tor/hidden_service_btc_p2p_${internal_server}/ 413 | #HiddenServicePort 8333 ${internal_server}:8333 414 | ## Optional client authorization for three clients 415 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 416 | ## Optional version 3 next generation .onion service 417 | #HiddenServiceVersion 3 418 | 419 | ## Onion service for the Monero P2P blockchain sync on ${internal_server} 420 | #HiddenServiceDir /var/tor/hidden_service_xmr_p2p_${internal_server}/ 421 | #HiddenServicePort 18080 ${internal_server}:18080 422 | ## Optional client authorization for three clients 423 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 424 | ## Optional version 3 next generation .onion service 425 | #HiddenServiceVersion 3 426 | 427 | ## Onion service for the Monero RPC wallet service on ${internal_server} 428 | #HiddenServiceDir /var/tor/hidden_service_xmr_rpc_${internal_server}/ 429 | #HiddenServicePort 18081 ${internal_server}:18081 430 | ## Optional client authorization for three clients 431 | #HiddenServiceAuthorizeClient stealth client1,client2,client3 432 | ## Optional version 3 next generation .onion service 433 | #HiddenServiceVersion 3 434 | 435 | ############################# 436 | ### Remote onion services ### 437 | ############################# 438 | 439 | ## In this section you can configure the authorization data for 440 | ## stealth onion services that are hosted on a remote location. 441 | ## Local Tor socks clients will be able to use these onion services. 442 | ## The authorization key and .onion address can be found in the 443 | ## hostname file on the remote .onion service. 
444 | ## 445 | ## Example: 446 | ## HidServAuth hostname.onion authorization-key 447 | ## HidServAuth 2tbi9klopsalxaqq.onion cB1h4uWhSRgYRIln8EAhgb 448 | 449 | ## Remote onion service 1 450 | ## Comment: Offsite backup system 451 | #HidServAuth hostname.onion authorization-key 452 | 453 | ## Remote onion service 2 454 | ## Comment: Remote Monero system 455 | #HidServAuth hostname.onion authorization-key 456 | 457 | ## Remote onion service 3 458 | ## Comment: Remote security monitoring system 459 | #HidServAuth hostname.onion authorization-key 460 | 461 | __EOF 462 | # End of torrc configuration 463 | 464 | 465 | ####################### 466 | ### Immutable flags ### 467 | ####################### 468 | 469 | cat <<__EOF>> /etc/set-immutable-flags.sh 470 | #!/bin/sh 471 | 472 | # Set immutable flags on files and folders 473 | 474 | # See /etc/unset-immutable-flags.sh to (temporarily) disable 475 | # immutable flags. 476 | 477 | chflags schg / 2>/dev/null 478 | 479 | chflags -R schg /altroot 2>/dev/null 480 | chflags -R schg /bin 2>/dev/null 481 | chflags -R schg /etc 2>/dev/null 482 | chflags -R schg /home 2>/dev/null 483 | chflags -R schg /mfs 2>/dev/null 484 | chflags -R schg /mnt 2>/dev/null 485 | chflags -R schg /root 2>/dev/null 486 | chflags -R schg /sbin 2>/dev/null 487 | chflags -R schg /usr 2>/dev/null 488 | 489 | chflags schg /.cshrc 2>/dev/null 490 | chflags schg /.profile 2>/dev/null 491 | chflags schg /boot 2>/dev/null 492 | chflags schg /bsd 2>/dev/null 493 | chflags schg /bsd.mp 2>/dev/null 494 | chflags schg /bsd.rd 2>/dev/null 495 | chflags schg /bsd.sp 2>/dev/null 496 | chflags schg /obsd 2>/dev/null 497 | 498 | __EOF 499 | 500 | cat <<__EOF>> /etc/unset-immutable-flags.sh 501 | #!/bin/sh 502 | 503 | # Remove immutable flags from files and folders 504 | 505 | # How to temporarily remove immutable flags, make changes to the 506 | # system and set immutable flags back again: 507 | # 508 | # kill -15 1 509 | # mount -uw / 510 | # 
/etc/unset-immutable-flags.sh 511 | # export TERM=vt220 512 | # 513 | # /etc/set-immutable-flags.sh 514 | # exit 515 | 516 | chflags noschg / 2>/dev/null 517 | 518 | chflags -R noschg /altroot 2>/dev/null 519 | chflags -R noschg /bin 2>/dev/null 520 | chflags -R noschg /etc 2>/dev/null 521 | chflags -R noschg /home 2>/dev/null 522 | chflags -R noschg /mfs 2>/dev/null 523 | chflags -R noschg /mnt 2>/dev/null 524 | chflags -R noschg /root 2>/dev/null 525 | chflags -R noschg /sbin 2>/dev/null 526 | chflags -R noschg /usr 2>/dev/null 527 | 528 | chflags noschg /.cshrc 2>/dev/null 529 | chflags noschg /.profile 2>/dev/null 530 | chflags noschg /boot 2>/dev/null 531 | chflags noschg /bsd 2>/dev/null 532 | chflags noschg /bsd.mp 2>/dev/null 533 | chflags noschg /bsd.rd 2>/dev/null 534 | chflags noschg /bsd.sp 2>/dev/null 535 | chflags noschg /obsd 2>/dev/null 536 | 537 | __EOF 538 | 539 | chmod 500 /etc/set-immutable-flags.sh 540 | chmod 500 /etc/unset-immutable-flags.sh 541 | 542 | 543 | ################################### 544 | ### CONFIGURE /etc/rc.firsttime ### 545 | ################################### 546 | 547 | # rc.firsttime will run once on the first normal boot 548 | 549 | cat <<'__EOF'>> /etc/rc.firsttime 550 | 551 | # Push custom cryptographic seed 2 into the kernel 552 | if [[ -f /custom-random.seed2 ]]; then 553 | dd if=/custom-random.seed2 of=/dev/random bs=65536 count=1 status=none 554 | rm -P /custom-random.seed2 555 | fi 556 | 557 | # Start Tor without network access and let it generate onion services 558 | grep -q 'DisableNetwork 1' /etc/tor/torrc && /etc/rc.d/tor start 559 | 560 | # Give Tor some time to generate the .onion services 561 | sleep 10 562 | 563 | # Stop Tor 564 | /etc/rc.d/tor stop 565 | 566 | # Cleanup Tor files 567 | for i in lock state; do 568 | if [[ -f /var/tor/$i ]]; then 569 | rm -P /var/tor/$i 570 | fi 571 | done 572 | 573 | # Allow Tor to the network 574 | sed -i 's/DisableNetwork 1/DisableNetwork 0/' /etc/tor/torrc 575 | 576 | # 
Enable Tor at boot 577 | echo "pkg_scripts=tor" >> /etc/rc.conf.local 578 | 579 | # Configure random mac address for network interfaces 580 | for i in /etc/hostname.+([[:alpha:]])+([[:digit:]]); do 581 | echo "lladdr random" >> $i 582 | done 583 | 584 | # Import firmware files 585 | if [[ -d /firmware ]]; then 586 | mv /firmware/* /etc/firmware/ 587 | chown root:bin /etc/firmware/* 588 | chmod 0644 /etc/firmware/* 589 | rm -r /firmware 590 | fi 591 | 592 | # Install missing firmware 593 | /usr/sbin/fw_update -v -p /etc/firmware/ 594 | 595 | ############################## 596 | ## SAVE CRYPTOGRAPHIC SEEDS ## 597 | ############################## 598 | 599 | # Push old seed into the kernel, create a future seed and create a 600 | # seed file for the boot-loader. 601 | dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none 602 | chmod 600 /var/db/host.random 603 | dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none 604 | dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none 605 | chmod 600 /etc/random.seed 606 | 607 | 608 | ############################## 609 | ## FILESYSTEM MODIFICATIONS ## 610 | ############################## 611 | 612 | # Backup fstab 613 | cp -p /etc/fstab /etc/fstab-orig 614 | 615 | # Create /mfs directory 616 | mkdir /mfs/ 617 | 618 | # Copy /var to /mfs 619 | cp -rp /var /mfs/ || true 620 | rm -r /mfs/var/run/* || true 621 | rm -r /mfs/var/cache/* || true 622 | rm -r /mfs/var/cron/tabs/*.sock || true 623 | 624 | # Create /dev in /mfs 625 | mkdir /mfs/dev 626 | cp -p /dev/MAKEDEV /mfs/dev/ 627 | cd /mfs/dev/ && ./MAKEDEV all 628 | 629 | # Add /tmp entry to /etc/stab 630 | echo "" >> /etc/fstab 631 | echo "# /tmp in RAM with 64MB" >> /etc/fstab 632 | echo "swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0" >> /etc/fstab 633 | 634 | # Add /var entry to /etc/stab 635 | echo "" >> /etc/fstab 636 | echo "# /var in RAM with 64MB" >> /etc/fstab 637 | echo "swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 
0 0" >> /etc/fstab 638 | 639 | # Add /mfs/dev entry to /etc/fstab 640 | echo "" >> /etc/fstab 641 | echo "# /dev in RAM" >> /etc/fstab 642 | echo "swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0" >> /etc/fstab 643 | 644 | # Set all ffs filesystems to read-only 645 | sed -i 's/ffs rw/ffs ro/' /etc/fstab 646 | 647 | # Remove /etc/rc.firsttime.run 648 | if [[ -f /etc/rc.firsttime.run ]]; then 649 | rm /etc/rc.firsttime.run 650 | fi 651 | 652 | # Set files and folders to immutable 653 | /etc/set-immutable-flags.sh 654 | 655 | # Automatic reboot 656 | reboot 657 | 658 | __EOF 659 | 660 | # Remove archives 661 | for i in /*.tgz; do 662 | if [[ -f $i ]]; then 663 | rm -P $i 664 | fi 665 | done 666 | 667 | # Remove install.site 668 | if [[ -f /install.site ]]; then 669 | rm -P /install.site 670 | fi 671 | 672 | # Exit script 673 | exit 0 674 | --------------------------------------------------------------------------------
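The rc.firsttime section of the template above rewrites /etc/fstab (ffs read-only, /tmp, /var and /dev on mfs), disables sshd and ntpd in /etc/rc.conf.local, enables Tor via pkg_scripts, and pins ddb.panic=0 in /etc/sysctl.conf. Because the whole chain runs unattended during install and the first boot, a practitioner wants a way to confirm afterwards that each of those settings actually landed. The POSIX sh audit below is an added example written for this page; it is not part of the repository's templates. It takes the three files as arguments so it can be run against /etc on the installed system or against copies pulled off the disk, and with no arguments it audits constructed sample files (the disk DUIDs in the sample fstab are made up) that mirror what the template writes.

```sh
#!/bin/sh
# Post-install audit for the hardening the templates leave behind.
# Added example for this page, not part of the repository's templates.
# Each check takes the file to inspect as an argument, so it runs against
# /etc on an installed system or against copies taken off the disk.
# With no arguments it audits a constructed sample (see make_samples).

# Last value assigned to KEY in an rc.conf(8)/sysctl.conf(5)-style file;
# later assignments win, quotes are stripped, comment lines never match.
rc_value() {  # $1 file, $2 key
    awk -F= -v k="$2" '$1 == k { v = $2 } END { gsub(/"/, "", v); print v }' "$1"
}

# Mount points of ffs filesystems that are still mounted read-write.
fstab_rw_ffs() {  # $1 fstab
    awk '$1 !~ /^#/ && $3 == "ffs" && $4 ~ /(^|,)rw(,|$)/ { print $2 }' "$1"
}

# Mount points of mfs filesystems that would honour set-uid binaries.
fstab_mfs_suid() {  # $1 fstab
    awk '$1 !~ /^#/ && $3 == "mfs" && $4 !~ /(^|,)nosuid(,|$)/ { print $2 }' "$1"
}

# Prints one FAIL line per deviation; returns 0 only when every check holds.
audit_system() {  # $1 fstab, $2 rc.conf.local, $3 sysctl.conf
    rc=0
    for mp in $(fstab_rw_ffs "$1"); do
        echo "FAIL: $mp is ffs but mounted rw"; rc=1
    done
    for mp in $(fstab_mfs_suid "$1"); do
        echo "FAIL: $mp is mfs without nosuid"; rc=1
    done
    [ "$(rc_value "$2" sshd_flags)" = "NO" ] || { echo "FAIL: sshd not disabled"; rc=1; }
    [ "$(rc_value "$2" ntpd_flags)" = "NO" ] || { echo "FAIL: ntpd not disabled"; rc=1; }
    case " $(rc_value "$2" pkg_scripts) " in
        *" tor "*) ;;
        *) echo "FAIL: tor missing from pkg_scripts"; rc=1 ;;
    esac
    [ "$(rc_value "$3" ddb.panic)" = "0" ] || { echo "FAIL: ddb.panic is not 0"; rc=1; }
    return $rc
}

# Constructed sample files modelled on what the template writes (the disk
# DUIDs are made up); they satisfy every check above.
make_samples() {  # $1 directory
    cat > "$1/fstab" <<'EOF'
0a1b2c3d4e5f6a7b.a / ffs ro 1 1
0a1b2c3d4e5f6a7b.d /usr ffs ro,nodev 1 2
0a1b2c3d4e5f6a7b.e /home ffs ro,nodev,nosuid 1 2
# /tmp in RAM with 64MB
swap /tmp mfs rw,-s64m,nodev,nosuid,noatime 0 0
swap /var mfs rw,-s64m,nodev,nosuid,noatime,-P=/mfs/var/ 0 0
swap /dev mfs rw,-s4m,nosuid,noexec,noatime,-P=/mfs/dev/,-i128 0 0
EOF
    cat > "$1/rc.conf.local" <<'EOF'
library_aslr=NO
sshd_flags=NO
ntpd_flags=NO
pkg_scripts=tor
EOF
    cat > "$1/sysctl.conf" <<'EOF'
# Disable ddb.panic to prevent securelevel changes
ddb.panic=0
EOF
}

# Usage: audit.sh /etc/fstab /etc/rc.conf.local /etc/sysctl.conf
if [ $# -eq 3 ]; then
    audit_system "$1" "$2" "$3"
else
    sample_dir=$(mktemp -d)
    make_samples "$sample_dir"
    audit_system "$sample_dir/fstab" "$sample_dir/rc.conf.local" "$sample_dir/sysctl.conf" \
        && echo "sample: all checks passed"
    rm -rf "$sample_dir"
fi
```

Run it from a live system, or from a rescue shell against a mounted root (pass the three paths under the mount point), before trusting that the template did its work; a non-zero exit with FAIL lines tells you which setting to repeat the unset-immutable-flags procedure for.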