fix(privacy): install Tor-egress firewall before containers start — close startup window (#276) #277
Merged
… startup window) The firewall was installed *after* `docker compose up`, leaving a brief startup window in which a clearnet-only app (Tari, #271) opens connections that the ESTABLISHED,RELATED rule then grandfathers past the DROP — observed live as Tari holding 2-3 public peers after a fresh `up`. Move the install ahead of compose so no container ever dials before the rules are in place, and pre-create DOCKER-USER (idempotent) so the pre-compose install also works on a first-ever `up`. DOCKER-USER is a static chain Docker preserves across network (re)creation, so rules referencing the fixed subnet/Tor IP can be installed before the network exists; Docker adds the FORWARD jump when it creates the network. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Closes #276. Follow-up hardening to #270 (#275), found during live validation on the gouda e2e bench.
Problem

#270 installed the Tor-egress firewall after `docker compose up`. Containers dial immediately, so a connection a clearnet-only app opens in the window before the rules land is matched by the leading `ESTABLISHED,RELATED -j ACCEPT` rule and grandfathered past the DROP.

Reproduced live: a fresh `pithead up` with the firewall enabled left Tari (#271, the only clearnet app) holding 2–3 DIRECT PUBLIC peers, and `bench-verify-egress.sh tor` → FAIL. Restarting just Tari (re-dial under the present rules) → 0 public, proving the rules work for new connections and the residue is purely install ordering.

Fix (`pithead` only — no image rebuild)

- Move `apply_tor_egress_firewall` before `compose_up_checked` in `stack_up`, so no container dials before the rules exist.
- Pre-create `DOCKER-USER` (`iptables -N … || true`) so the pre-compose install also succeeds on a first-ever `up` (where Docker hasn't created the chain yet). `DOCKER-USER` is a static chain Docker preserves across network (re)creation and re-jumps from `FORWARD` when it builds the network, so rules referencing the fixed subnet/Tor IP are safe to install early.

Validation (gouda, live)

- Tor-only egress enforced before `Stack started successfully!`.
- `pithead up` → Tari 0 public peers at t+0 and t+25s (was 2–3); DROP counter climbs from the start.
- `bench-verify-egress.sh tor` → first fully clean all-Tor PASS: monerod ✓ p2pool ✓ tari ✓ xmrig ✓.
- `down`/`up` firewall lifecycle clean (rules 7→0→7); the #275 (feat(privacy): enforce Tor-only egress fail-closed via a host firewall (#270)) `set -e` fix holds.
- `tests/stack/run.sh`: 378 passed, 0 failed (adds a "pre-creates the DOCKER-USER chain" assertion).

🤖 Generated with Claude Code
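As an added illustration of the ordering this PR describes (example code, not pithead's own): a minimal `stack_up` that pre-creates `DOCKER-USER` idempotently, installs the fail-closed rules, and only then runs `docker compose up`. The subnet, Tor IP, rule tag and the `DRY_RUN`/`COMPOSE` hooks are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not pithead's own code: install a fail-closed Tor-egress
# firewall in DOCKER-USER *before* `docker compose up`, so no container can
# dial clearnet in the startup window and be grandfathered by the
# ESTABLISHED,RELATED rule. Subnet, Tor IP and rule tag are assumptions.
set -euo pipefail

COMPOSE="${COMPOSE:-docker compose}"
STACK_SUBNET="${STACK_SUBNET:-172.30.0.0/24}"  # constructed: stack bridge subnet
TOR_IP="${TOR_IP:-172.30.0.2}"                 # constructed: Tor container's fixed IP
RULE_TAG="tor-egress"                          # comment tag: only ever touch our own rules

# iptables wrapper. DRY_RUN=1 prints each command instead of running it and
# reports every `-C` existence check as "rule absent".
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    [ "$1" = "-C" ] && return 1
    echo "iptables $*"; return 0
  fi
  iptables "$@"
}

# Idempotent: on a first-ever `up` Docker has not created DOCKER-USER yet, but
# it is a static chain Docker preserves and re-jumps to from FORWARD, so rules
# naming the fixed subnet/Tor IP can be installed before the network exists.
precreate_docker_user_chain() { ipt -N DOCKER-USER 2>/dev/null || true; }

# Insert a rule at the top of DOCKER-USER unless it is already present.
ensure_rule() { ipt -C DOCKER-USER "$@" 2>/dev/null || ipt -I DOCKER-USER 1 "$@"; }

# Each rule goes in at position 1, so they are added in reverse and the chain
# reads top-down: ESTABLISHED,RELATED / Tor itself / subnet->Tor / DROP the rest.
apply_tor_egress_firewall() {
  precreate_docker_user_chain
  ensure_rule -s "$STACK_SUBNET" -m comment --comment "$RULE_TAG" -j DROP
  ensure_rule -s "$STACK_SUBNET" -d "$TOR_IP" -m comment --comment "$RULE_TAG" -j ACCEPT
  ensure_rule -s "$TOR_IP" -m comment --comment "$RULE_TAG" -j ACCEPT
  ensure_rule -m conntrack --ctstate ESTABLISHED,RELATED \
    -m comment --comment "$RULE_TAG" -j ACCEPT
}

# The ordering is the whole fix: rules land before any container can dial.
stack_up() {
  apply_tor_egress_firewall
  $COMPOSE up -d
}

if [ "${1:-}" = up ]; then stack_up; fi
```

Run with `DRY_RUN=1 COMPOSE=echo bash stack_up.sh up` to see the exact command order without touching the host's rules.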