Wyllys Ingersoll wrote:
> Tony Nguyen wrote:
>>
>> Wyllys,
>>
>> With the integration of 2008/580 Solaris host-based firewall, the new
>> tor service, with some small changes, can provide fine-grained access
>> control to its service and be consistent with existing services. Since
>> tor defines listening ports in a configuration file, similar to ssh,
>> you can see network/ssh for example. I'm happy to work with you
>> offline to figure this out.
>
> Tor listens on either 1 or 2 ports, 9001/tcp + (optionally) a SOCKS port
> (9050/tcp by default). In relay mode, it then just routes the data onto
> the next Tor node somewhere out on the internet.
>
> It can be allowed to be an "exit" point, which means
> that the Tor relay will route the connection to its proper endpoint
> (website, IRC server, etc.) instead of another Tor node, but the "exit
> policy" is defined in the torrc config file.
>
> The exit policy statement in the torrc config file determines
> the services that Tor may connect to. If the host firewall blocks
> the ports before they get to Tor, then the users are simply told
> that those destinations are down. This is from the torrc.sample
> file regarding exit policy configuration:
>
> ...
> ## If certain IPs and ports are blocked externally, e.g. by your firewall,
> ## you should update your exit policy to reflect this -- otherwise Tor
> ## users will be told that those destinations are down.
> ##
> #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
> #ExitPolicy accept *:119 # accept nntp as well as default exit policy
> #ExitPolicy reject *:* # no exits allowed
> ...
>
>
> Are you suggesting just adding some firewall_context properties to the
> smf profile similar to ssh? That sounds reasonable if you think it makes
> sense here. I would prefer to NOT modify any of the actual Tor code
> as that makes it harder to resync later.
>
Agree, I'm not suggesting changes to Tor code.

Yes, similar to ssh, security/tor would need to:

- define firewall_context and firewall_config property groups
- add some code in its method script to get the port numbers from the
  config file and ask the framework to apply the configured policy to those
  ports (see create_ipf_rule() in /lib/svc/method/sshd)

>
>> Services with no explicit firewall configuration, by default, will
>> inherit the global firewall policy which may not always be the desired
>> behavior.
>
> If the global firewall policy is to block ports that Tor would either be
> listening to or talking to, then Tor would just report that to the remote
> user as an error or an unavailable service.

Correct, that's a reasonable behavior. On the other hand, there are cases
where services would want policy different from the default policy.

-tony
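As an added example of the second step in Tony's list (this is not OpenSolaris, Tor or ARC case code, and it does not reproduce the real helpers behind create_ipf_rule()): a POSIX shell fragment a method script could source to pull Tor's listening ports out of torrc and turn them into one IP Filter rule per port. Everything specific here is an assumption of the example: the torrc path, the 9001/9050 fallbacks taken from the ports named in the thread, the "pass in quick" rule text, the handling of "SocksPort 0" as "no SOCKS listener", and the sample torrc the script writes for itself.

```shell
#!/bin/sh
# Added example, not project code: derive Tor's listening ports from torrc
# so an SMF method script can hand them to the host-based firewall framework
# the way sshd does for its own port.
#
# Assumptions (hypothetical, not from the thread): torrc is at $TORRC;
# ORPort falls back to 9001 and SocksPort to 9050 when absent; a port of 0
# means "do not listen"; a value may carry an "addr:" prefix; and the
# framework consumes plain IP Filter "pass in" rules, one per port.

TORRC=${TORRC:-/etc/tor/torrc}
DEFAULT_ORPORT=9001
DEFAULT_SOCKSPORT=9050

# tor_option FILE NAME
# Print the value of the last uncommented "NAME value" line in FILE, if any.
# Commented-out lines such as "#ORPort 443" have "#ORPort" as their first
# field and therefore never match.
tor_option()
{
	awk -v opt="$2" '
		$1 == opt { val = $2 }
		END { if (val != "") print val }
	' "$1"
}

# port_of VALUE
# Strip an optional "host:" or "[v6addr]:" prefix and print the bare port.
port_of()
{
	echo "${1##*:}"
}

# tor_listen_ports FILE
# Print the TCP ports Tor will bind, one per line: ORPort first, then the
# SOCKS port. A port configured as 0 is skipped (listener disabled).
tor_listen_ports()
{
	orport=$(tor_option "$1" ORPort)
	if [ -z "$orport" ]; then orport=$DEFAULT_ORPORT; fi
	socks=$(tor_option "$1" SocksPort)
	if [ -z "$socks" ]; then socks=$DEFAULT_SOCKSPORT; fi

	orport=$(port_of "$orport")
	socks=$(port_of "$socks")

	if [ "$orport" != 0 ]; then echo "$orport"; fi
	if [ "$socks" != 0 ]; then echo "$socks"; fi
	return 0
}

# ipf_rules_for FILE
# Emit one IP Filter rule per listening port. The rule text is this
# example's assumption; the real framework generates its own.
ipf_rules_for()
{
	tor_listen_ports "$1" | while read -r p; do
		echo "pass in quick proto tcp from any to any port = $p"
	done
}

# sample_torrc
# Write a constructed torrc (not a real relay's config) to a temp file and
# print its path: ORPort set, a commented-out alternative, and a SOCKS
# listener bound to loopback on a non-default port.
sample_torrc()
{
	f=$(mktemp)
	cat > "$f" <<'EOF'
# constructed sample torrc for the example
ORPort 9001
#ORPort 443
SocksPort 127.0.0.1:9150
ExitPolicy reject *:*
EOF
	echo "$f"
}

# Stand-alone demo on the constructed sample; prints two rules (9001, 9150).
demo_file=$(sample_torrc)
ipf_rules_for "$demo_file"
rm -f "$demo_file"
```

The point the thread makes about exit policy still applies: these rules only cover what Tor listens on. Outbound destinations blocked by the host firewall must be mirrored in ExitPolicy, or Tor will report them to users as down.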