author Tails developers <> 2014-12-03 13:01:52 +0100
committer Tails developers <> 2014-12-03 13:01:52 +0100
commit 1138ffbed4936969f0068ad29aeefb7b1bcb7697
tree 0c5e2a39fb2863125984321a8f4e0c717e3d1644 /wiki/src/contribute/design/Tor_enforcement
parent 56c42191c0620c45c7659cce16b564467bb80759
parent 7999371f600097af34fe489d80a8eb253fe5778c
Merge into doc/projectdoc/projectdoc/7536-project
Diffstat (limited to 'wiki/src/contribute/design/Tor_enforcement')
1 files changed, 13 insertions, 5 deletions
diff --git a/wiki/src/contribute/design/Tor_enforcement/Network_filter.mdwn b/wiki/src/contribute/design/Tor_enforcement/Network_filter.mdwn
index a7aeaff..33c4226 100644
--- a/wiki/src/contribute/design/Tor_enforcement/Network_filter.mdwn
+++ b/wiki/src/contribute/design/Tor_enforcement/Network_filter.mdwn
@@ -2,7 +2,7 @@ One serious security issue is that we don't know what software will
attempt to contact the network and whether their proxy settings are
set up to use the Tor SOCKS proxy or polipo HTTP(s) proxy correctly.
This is solved by blocking all outbound Internet traffic except Tor
-and I2P, and explicitly configure all applications to use either of
+(and I2P when enabled), and explicitly configure all applications to use either of
- [[!tails_gitweb config/chroot_local-includes/etc/ferm/ferm.conf]]
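Review bot: The added line "(and I2P when enabled), and explicitly configure all applications to use either of" does not say where I2P gets enabled, so a reader of this paragraph cannot tell when the exception to "blocking all outbound Internet traffic" is active. The later I2P hunk names the boot prompt; saying "(and I2P when enabled at the boot prompt)" here would keep the two sections consistent. While touching the sentence, "blocking ... and explicitly configure" should read "configuring", and the new line runs well past the wrap width of its neighbours, so it should be re-wrapped.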
@@ -20,16 +20,17 @@ connections originating from the `debian-tor` Unix user.
#### I2P
-[I2P]( (*Invisible Internet Project*) is
+[I2P]( (*Invisible Internet Project*) is
yet another anonymizing network
(load-balanced unspoofable packet switching network) that provides
access to eepsites (.i2p tld); eepsites are a bit like Tor hidden
services. Some users would like to be able to access eepsites from
-Like the `debian-tor` user, the `i2p` user is allowed to connect
-*directly* to the Internet. See [[the design document dedicated to
-Tails use of I2P|I2P]] for details.
+Like the `debian-tor` user, the `i2psvc` user is allowed to connect
+*directly* to the Internet. Any rules granting the `i2psvc`user access are only
+applied if the user explicitly enables I2P at the boot prompt. See
+[[the design document dedicated to Tails use of I2P|I2P]] for details.
#### Unsafe Browser and the `clearnet` user
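Review bot: The added line "*directly* to the Internet. Any rules granting the `i2psvc`user access are only" is missing a space between the closing backtick and "user", which will render as a single run-on token. The sentence also states that the rules are "only applied if the user explicitly enables I2P at the boot prompt" without saying what applies them; since the page already points at ferm.conf for the filter, it would help to name the file or hook that adds the `i2psvc` rules conditionally, so the claim can be checked against the configuration. Because the user name changes from `i2p` to `i2psvc` here, please confirm the filter rules reference the same name.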
@@ -37,6 +38,13 @@ The `clearnet` user used to run the
[[contribute/design/Unsafe_Browser]] is granted full network access
(but no loopback access) in order to deal with captive portals.
+#### I2P Browser and the `i2pbrowser` user
+The [[contribute/design/I2P_Browser]] is run by the `i2pbrowser` user. This
+account is granted access to ports 4444, 7657, and 7658 on the loopback device *if*
+I2P is enabled at the boot prompt. Sites outside of I2P cannot be reached by
+the `i2pbrowser` user.
#### Local Area Network (LAN)
Tails short description talks of sending through Tor *outgoing
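Review bot: The new "I2P Browser and the `i2pbrowser` user" section lists "ports 4444, 7657, and 7658 on the loopback device" without saying what listens on each, so a reader cannot judge whether all three are needed or what the account can reach through them. Please name the service behind each port. The closing sentence, "Sites outside of I2P cannot be reached by the `i2pbrowser` user", is stated as a guarantee but is not tied to a rule: say whether it follows from the filter granting only these loopback ports, and link the relevant ferm.conf rules as the first section does. The line ending "on the loopback device *if*" also exceeds the wrap width used elsewhere in the file.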