{{Title|title=Install Additional Software Safely}}
{{Header}}
{{#seo:
|description=Installing additional Software on {{project_name_long}}. Safety considerations.
|image=Software-871026-640.jpg
}}
[[File:Software-871026-640.jpg|400px|thumb]]
{{intro|
Installing additional Software on {{project_name_short}}. Safety considerations.
}}
== General Advice ==

{{project_name_short}} users are free to install their favorite software packages.

Almost any application can be installed, with a few exceptions for programs that are [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO#Howtotorifyspecificprograms impossible to torify]. In addition, {{project_name_short}} provides:

* protection from IP and DNS leaks (see above for details)
* partial protection against [[Protocol-Leak-Protection and Fingerprinting-Protection|protocol leaks and fingerprinting]], but this is far from perfect

Users are responsible for trying to prevent any other [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO#protocol-leaks protocol leaks] using the [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO "Torify: How-to" guide], but most of those are mitigated by {{project_name_short}}.

* Read the [[Protocol-Leak-Protection and Fingerprinting-Protection|protocol leak and fingerprinting protection]] entry first. It highlights useful information, like the fact that DNS and IP-related leaks do not apply to {{project_name_short}}.
* Refer to the Tor Project's [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO Torify: How-to] which discusses various [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO#protocol-leaks protocol leaks] and how to mitigate them.
* Review the Tor Project's [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxyLeaks Transparent Proxy Leaks] documentation, which is particularly relevant for users other [[Other Operating Systems|custom workstations]] using Microsoft Windows.

Since {{project_name_short}} is a Debian derivative, new users should always [https://wiki.debian.org/DontBreakDebian follow Debian advice] when installing or removing packages to avoid common mistakes which can break or destabilize the system.

The user should be aware that additional software increases the [https://en.wikipedia.org/wiki/Attack_surface attack surface] of the platform.

== Browsers ==
{{Other_Browsers}}

= {{project_name_workstation_short}} is Firewalled =
{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = '''Note:''' This section is relevant to server software or other advanced / uncommon applications.
}}

The {{project_name_gateway_long}} firewall <ref>The firewall is found on {{project_name_gateway_long}}: <i>{{W_Firewall}}</i></ref> has several effects upon {{project_name_workstation_short}}.

'''Table:''' ''{{project_name_gateway_short}} Firewall Effects''

{| class="wikitable"
|-

! scope="col"| '''Category'''
! scope="col"| '''Notes'''
|-

! scope="row"| Additional Firewall Restrictions
| The firewall on {{project_name_gateway_short}} is very restrictive. It can be made even more restrictive by activating options within the firewall script. <ref>
<pre>
         ## Optionally restrict TransPort.
         ## Replace above rule with a more restrictive one, e.g.:
         #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
</pre>
</ref> It is possible to limit which outgoing ports are redirected to Tor's <code>TransPort</code>. Depending on user intentions, it could also be useful to remove all <code>SocksPort</code>s.
|-

! scope="row"| DNS Requests
| Standard DNS requests on UDP port <code>53</code> are redirected to Tor's <code>DnsPort</code>. <ref>If the DNS server is changed in {{project_name_workstation_short}} <i>/etc/resolv.conf</i>, this will likely have no effect. The reason is the firewall on {{project_name_gateway_short}} will redirect all those requests to Tor's <code>DnsPort</code>. The working exception to this rule is when users tunnel / encrypt DNS requests (DNSCrypt, httpsdnsd), as per the [[Alternative_DNS_Resolver|secondary DNS resolver instructions]].</ref>
|-

! scope="row"| Incoming Connections
|
* Incoming connections are not supported.
* If programs make outgoing connections, then incoming connections are accepted for web browsing, IRC, or other relevant applications.
* Server [[Ports|ports]] ("open ports") are blocked.
* Unless explicitly configured, the Ident Protocol / web server listening port is not reachable.
|-

! scope="row"| IPv6
| Tor only [https://gitlab.torproject.org/legacy/trac/-/wikis/org/roadmaps/Tor/IPv6Features partially supports IPv6], although full implementation is likely in the near term. <ref>
The only missing elements at the time of writing were automatic client connections and inter-relay connections via IPv6. Bridges are fully supported. See also: [https://gitlab.torproject.org/legacy/trac/-/wikis/org/roadmaps/Tor/IPv6 IPv6 roadmap].
</ref> This is not a {{project_name_short}}-specific issue. <ref>
* [[Dev/ipv6]]
* https://forums.whonix.org/t/port-to-nftables-as-a-replacement-for-iptables/18896
</ref>
|-

! scope="row"| Server Services
| [[Onion Services]] and/or [[Hosting_Location_Hidden_Services|Location Hidden Services]] can be hosted.
|-

! scope="row"| Tor Routing
| {{TorifiedGateway}} Refer to the footnotes for further information.
|-

! scope="row"| UDP
| [[Tor#UDP|Tor does not support UDP]]. This is not a {{project_name_short}}-specific issue.
|-

|}

Related topics:

* [[{{project_name_gateway_short}}_Firewall|{{project_name_gateway_short}} Firewall]]
* [[{{project_name_workstation_short}}_Firewall|{{project_name_workstation_short}} Firewall]]
* [[Ports]]

= Install Software General =

{{upstream_wiki}}

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]