On Fri, Aug 22, 2014 at 8:45 AM, Petter Reinholdtsen <p...@hungry.com> wrote:
> [James Valleroy]
>> One of the current TODO items for the 0.3 release is to add a "Route
>> all Traffic through Tor" option to Plinth [1]. I've added the
>> necessary configuration on the Tor side in freedombox-setup [2]:
>>
>> VirtualAddrNetworkIPv4 10.192.0.0/10
>> AutomapHostsOnResolve 1
>> TransPort 127.0.0.1:9040
>> DNSPort 127.0.0.1:53
>>
>> What we still need is a Plinth action to configure the firewall, to
>> route all traffic through the above ports. The Tor docs have
>> configuration examples for iptables [3], so we will need to do
>> something similar with firewalld.
>
> I would love to see this in place.
>
> But how will this affect UDP and ICMP (for example NTP and ping)?
> Will those stop working when all traffic is routed through Tor?
> Should it?
>
> How will the Tor setup to listen to port 53 work with the already
> existing dnsmasq DNS server also trying the same? Which one gets the
> port? Do they share it...
I did some testing using the "Local Redirection and Anonymizing Middlebox" iptables configuration from the Tor docs. Both UDP and ping stop working. NTP still seems to work though (at least ntp.test passed). Perhaps we could have a "normal" setting that allows outgoing UDP/ICMP, and a "paranoid" setting that blocks it?

Yes, it looks like dnsmasq and Tor are sharing port 53 (but bound to different IPs).

# netstat -apen | grep ":53 "
tcp   0  0 0.0.0.0:53          0.0.0.0:*  LISTEN  0  7829    742/dnsmasq
tcp6  0  0 :::53               :::*       LISTEN  0  7831    742/dnsmasq
udp   0  0 192.168.10.113:53   0.0.0.0:*          0  325610  8180/tor
udp   0  0 127.0.0.1:53        0.0.0.0:*          0  325609  8180/tor
udp   0  0 0.0.0.0:53          0.0.0.0:*          0  7828    742/dnsmasq
udp6  0  0 :::53               :::*               0  7830    742/dnsmasq
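The firewalld side of that TODO, as an added example that is not the thread's or FreedomBox's own code: it prints firewalld "direct" rules that mirror the "Local Redirection" iptables rules from the Tor docs, with a normal/paranoid switch for the UDP/ICMP question above. It assumes Tor runs as Debian's "debian-tor" user, that 192.168.0.0/16 is the LAN that must stay off Tor, IPv4 only, and the TransPort/DNSPort values from the torrc quoted above; the `tor_firewalld_rules` name and the `rule` helper are this example's own.

```shell
#!/bin/sh
# Added example (not FreedomBox/Plinth code): print firewalld "direct" rules that
# mirror the "Local Redirection" part of the Tor docs' iptables example, with a
# MODE switch for the normal/paranoid idea from the thread. IPv4 only. Assumptions:
# Tor runs as "debian-tor"; the LAN kept off Tor is 192.168.0.0/16 (both not from the thread).
TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-53}"
VIRT_ADDR="${VIRT_ADDR:-10.192.0.0/10}"
NON_TOR="${NON_TOR:-192.168.0.0/16}"

# rule TABLE CHAIN PRIORITY ARGS... : print one firewall-cmd invocation.
# Rules are printed, not executed, so they can be reviewed first; pipe to sh to apply.
rule() {
    table=$1; chain=$2; prio=$3; shift 3
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 %s %s %s %s\n' \
        "$table" "$chain" "$prio" "$*"
}
tor_firewalld_rules() {
    mode=${1:-normal}
    case "$mode" in
        normal|paranoid) ;;
        *) echo "usage: tor_firewalld_rules normal|paranoid" >&2; return 2 ;;
    esac
    # nat/OUTPUT: Tor itself, loopback and the LAN bypass the redirect; DNS goes
    # to DNSPort, automapped .onion addresses and all other new TCP to TransPort.
    rule nat OUTPUT 0 -m owner --uid-owner "$TOR_UID" -j RETURN
    rule nat OUTPUT 1 -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    rule nat OUTPUT 2 -d "$VIRT_ADDR" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    rule nat OUTPUT 3 -o lo -j RETURN
    rule nat OUTPUT 4 -d "$NON_TOR" -j RETURN
    rule nat OUTPUT 5 -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    # filter/OUTPUT: accept only what was redirected or explicitly allowed; the
    # final REJECT is what keeps non-Tor traffic from leaking out.
    rule filter OUTPUT 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule filter OUTPUT 1 -m owner --uid-owner "$TOR_UID" -j ACCEPT
    rule filter OUTPUT 2 -o lo -j ACCEPT
    rule filter OUTPUT 3 -d "$NON_TOR" -j ACCEPT
    rule filter OUTPUT 4 -p tcp --syn -j ACCEPT
    if [ "$mode" = normal ]; then
        # "normal": UDP (NTP) and ICMP (ping) still leave the box directly, outside Tor.
        rule filter OUTPUT 5 -p udp -j ACCEPT
        rule filter OUTPUT 6 -p icmp -j ACCEPT
    fi
    # "paranoid" adds nothing here, so UDP and ICMP hit the REJECT and ping/NTP fail.
    rule filter OUTPUT 7 -j REJECT
}
# e.g.  sh tor-rules.sh paranoid | sh && firewall-cmd --reload
if [ -n "${1:-}" ]; then tor_firewalld_rules "$1"; fi
```

Because the rules are `--permanent`, they only take effect after `firewall-cmd --reload`; check the result with `firewall-cmd --direct --get-all-rules` before trusting that nothing bypasses Tor.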