[tor-talk] orWall 1.0.0 released!
Mike Perry
mikeperry at torproject.org
Fri Oct 3 22:27:06 UTC 2014
CJ:
> Hello!
>
> just a small update regarding orWall: it's released 1.0.0!
> There's still *one* annoying issue regarding the tethering, but it
> should be OK next week. Just have to take some time in order to debug
> this for good.
>
> orWall provides now a brand new UI in order to be easier to handle.
> There's also an integrated help (as a first-start wizard we might call
> later on).
> There are many new features and improvements, like:
>
> - ability to disable all rules and let the device access freely the Net
> - for each app, the possibility to access some advanced settings
> allowing to bypass Tor, or tell orWall the app knows about proxies or Tor
> - better management for the init-script
> - better management for iptables rules
> - translations in French, German and Italian are almost done

Hey CJ, just wanted to let you know that I've tried OrWall and it's a
huge improvement! Way better user experience on just about every front!
I also have not detected any leaks on my upstream router, either.

When I get a chance, I will update the original blog post to recommend
OrWall instead of my crazy Droidwall hack scripts.

> Any feedback from Tor/Orbot users interest me in order to improve
> orWall. I think the current release is pretty good, but as the main dev
> I'm maybe not that neutral regarding this statement ;).

The one thing is that I find the long-press options for "Connectype
type" confusing:

- "Force connection" to what? I assume through Tor's transproxy because
  of the REDIRECT text, but this will not be clear to users who are
  unfamiliar with iptables.

  How about: "Redirect all network activity"

- What does "native capacity"/"fenced path" mean? Does that mean only
  access to the local SOCKS/HTTP proxy ports in Tor's case?

  How about: "Only allow local proxy port access"

These are complicated ideas to convey, though. I'm not sure my
suggestions are the best ones either.

I also suggest soliciting input about the DNS issue we discussed where
DNS queries are done by root on Android 4.3+ unless the
'ANDROID_DNS_MODE=local' environment variable is set. Perhaps someone
will come up with a clever hack to set this env var in a persistent way
that we haven't thought of, or find some way to write a shim on the DNS
resolution filesystem socket to enforce what we want.

You could list this on a known issues or FAQ page, or in your bugtracker
I guess. Making root/UID 0 handle DNS is also a security risk, and I'm
very surprised the Android team thought this was a good idea. :/

Also looking forward to the "Logs" window doing something :)

--
Mike Perry
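
The DNS concern raised in the message above, as an added example that is not part of the original post or of orWall's code: a small audit of `iptables-save` output that reports whether UDP port 53 is redirected for a given UID, showing that a per-app rule does not cover lookups made by UID 0. The rule text, UID 10045 and ports 5400/9040 are constructed assumptions; rule ordering and negated matches are ignored.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output (UIDs and ports are assumptions).
SAMPLE_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m owner --uid-owner 10045 -m udp --dport 53 -j REDIRECT --to-ports 5400
-A OUTPUT -p tcp -m owner --uid-owner 10045 -j REDIRECT --to-ports 9040
COMMIT
"""

def parse_rule(line):
    """Extract owner UID, protocol, destination port and target from one rule."""
    tok = shlex.split(line)
    rule = {"uid": None, "proto": None, "dport": None, "target": None}
    flags = {"--uid-owner": "uid", "-p": "proto", "--dport": "dport", "-j": "target"}
    for i, t in enumerate(tok[:-1]):
        if t in flags:
            rule[flags[t]] = tok[i + 1]
    return rule

def dns_coverage(ruleset, uids):
    """Map each UID to True if an OUTPUT rule redirects its UDP/53 traffic."""
    covered = {u: False for u in uids}
    for line in ruleset.splitlines():
        if not line.startswith("-A OUTPUT "):
            continue
        r = parse_rule(line)
        is_dns_redirect = (r["proto"] == "udp" and r["dport"] == "53"
                           and r["target"] in ("REDIRECT", "DNAT"))
        if not is_dns_redirect:
            continue
        if r["uid"] is None:  # no owner match: the rule applies to every UID
            covered = {u: True for u in covered}
        elif r["uid"] in covered:
            covered[r["uid"]] = True
    return covered

if __name__ == "__main__":
    # The app's UID is covered, but on Android 4.3+ the lookup is made by UID 0.
    for uid, ok in dns_coverage(SAMPLE_RULES, ["10045", "0"]).items():
        print(f"uid {uid}: DNS {'redirected' if ok else 'NOT redirected'}")
```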