My goal is to minimize network exposure that I mine Zcash. I'm posting here because it is more important to me that I help other people do this. I've been spending the day trying to get this to work on a new install of Debian 8.6, but there is more going on "under the hood" than I know how to control. Below is a partial configuration, but I need assistance.
This is the initial update and then the install of Tor and Uncomplicated Firewall:
$ sudo apt-get update && sudo apt-get install tor apt-transport-tor ufw
Add these rules to allow incoming ssh and only allow outbound ssh, DNS, and Tor. It will prevent most non-Tor (80/443) leaks, mainly targeting things like "git clone", "wget", and further "apt-get" app disclosures:
$ sudo ufw limit 22/tcp && sudo ufw allow out 22/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose
Use only these apt sources and torify them (per onion.debian.org):
$ sudo vim /etc/apt/sources.list
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
Now install the Zcash dependencies:
$ sudo apt-get install build-essential pkg-config libc6-dev m4 g++-multilib autoconf libtool ncurses-dev unzip git python zlib1g-dev wget bsdmainutils automake
$ sudo vim /etc/tor/torrc
Log notice file /var/log/tor/notices.log
HiddenServicePort 22 127.0.0.1:22
Clone Zcash from Github using Tor:
$ torsocks git clone https://github.com/zcash/zcash.git
$ cd zcash/
$ git checkout v1.0.0-beta2
Edit one line in the shell script to wget using Tor:
$ vim ./zcutil/fetch-params.sh
torsocks wget \
This is where I get stuck. With my UFW rules, this fails. I can't determine where there is further external communication / downloading. If I disable my outbound rules then the compile works fine.
$ ./zcutil/build.sh -j$(nproc)
I also saw that @ageis has posted "addnode=zctestseie6wxgio.onion", but i'm not yet sure where that will go.
Overall, I am surprised that Zcash has not yet documented this. This type of config is critical info, especially right at the beginning of it going live and having spent so much time in beta.