> Agree, I'm not suggesting changes to Tor code.
>
> Yes, similar to ssh security/tor would need to:
>
> - define firewall_context and firewall_config property groups
> - add some code in its method script to get the port numbers from the config file and ask the framework to apply configured policy to those ports (see create_ipf_rule() in /lib/svc/method/sshd)
Yes, I took a look at that a little while ago, it should be no problem to do something similar for Tor, at least for the listening ports.

>>> Services with no explicit firewall configuration, by default, will inherit the global firewall policy which may not always be the desired behavior.
>>
>> If the global firewall policy is to block ports that Tor would either be listening to or talking to, then Tor would just report that to the remote user as an error or an unavailable service.
>
> Correct, that's a reasonable behavior. On the other hand, there are cases where services would want policy different from the default policy.

OK.
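To make the second bullet concrete (read the daemon's own config for its listening ports, then hand those ports to the firewall framework, as the sshd method script does), here is an added example that is not part of this thread, of Tor, or of the OpenSolaris/illumos SMF code. It parses a constructed torrc for the `*Port` directives that actually open a listener and renders ipfilter rules for an "allow" or "deny" policy. The function names `tor_listen_ports` and `tor_ipf_rules`, the `SAMPLE_TORRC` text and the FMRI `svc:/network/tor:default` are all assumptions; a real method script would instead call the helpers the framework provides (the ones create_ipf_rule() in /lib/svc/method/sshd uses) and write to the per-service rule file rather than stdout.

```shell
#!/bin/sh
# Added example (not Tor's or SMF's own code): derive ipfilter rules for
# Tor's listening ports from a torrc, the way a Tor SMF method script
# would before asking the firewall framework to apply the service policy.

# Constructed sample torrc for the demonstration; not a real deployment.
SAMPLE_TORRC='# relay configuration
ORPort 9001
ORPort [::]:9001
ORPort 443 NoListen
DirPort 9030
SocksPort 0
ControlPort 127.0.0.1:9051
SocksPort 9050 IsolateDestAddr
'

# Print one TCP port per line for every *Port directive that opens a
# listener. Handles "addr:port" and "[v6addr]:port" forms, "0" (listener
# disabled), "auto" (kernel-chosen port, cannot be pre-filtered) and the
# NoListen flag. Duplicate ports are printed once, in order of appearance.
# The bind address is dropped, so a loopback-only ControlPort still gets
# a rule; a production script would want to filter on that address too.
tor_listen_ports() {
    printf '%s' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 ~ /^(OR|Dir|Socks|Control|Trans|DNS|NATD|HTTPTunnel|ExtOR)Port$/ {
            nolisten = 0
            for (i = 3; i <= NF; i++) if ($i == "NoListen") nolisten = 1
            if (nolisten) next
            # the port is whatever follows the last colon (if any)
            n = split($2, parts, ":")
            port = parts[n]
            if (port == "0" || port == "auto") next
            if (port !~ /^[0-9]+$/) next
            if (!(port in seen)) { seen[port] = 1; print port }
        }'
}

# Render ipfilter rules for the given policy ("allow" or "deny"), FMRI and
# torrc text on stdout. Any other policy is rejected so a typo in the
# service configuration cannot silently produce no rules.
tor_ipf_rules() {
    policy=$1
    fmri=$2
    torrc=$3
    case $policy in
        allow) action="pass in quick" ;;
        deny)  action="block in quick" ;;
        *) echo "tor_ipf_rules: unknown policy '$policy'" >&2; return 1 ;;
    esac
    echo "# $fmri"
    tor_listen_ports "$torrc" | while read -r port; do
        echo "$action proto tcp from any to any port = $port"
    done
}

# Stand-alone run: show the rules the constructed config would produce.
tor_ipf_rules allow svc:/network/tor:default "$SAMPLE_TORRC"
```

Note that "ORPort 443 NoListen" (advertised but not bound) and "SocksPort 0" produce no rule, while the two ORPort lines collapse to a single rule for 9001; those are exactly the cases a naive `grep Port` would get wrong.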