Greetings list,
Some of you might know me as the new maintainer of the Incognito LiveCD (blatant advertising: http://incognito.anonymityanywhere.com). Anyway, it uses a kernel-level network filter (with Linux's netfilter/iptables) which forwards all TCP traffic not sent directly through Tor to the transparent Tor proxy that is bundled with Tor (although it is not activated in the standard config). With this we don't need to configure applications to explicitly use Tor, which is nice as we have no idea what our users intend to do.

However, I recently discovered that netstat will report these forwarded TCP connections with the destination address as the "foreign" remote host! netstat also reports that connections are made through Tor, but still that one connection is made directly to the destination host. So, for example, if I run "ssh desthost" where desthost is the destination SSH server, netstat will output something like this (ignoring connections to Tor nodes):

  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 localhost:36762         desthost:ssh            ESTABLISHED

If I instead configure the SSH client to use Tor's SOCKS interface explicitly or run "torify ssh desthost" etc., netstat gives this:

  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 localhost:36762         localhost:9050          ESTABLISHED

Or, in other words, Tor is used (it listens on 9050) and all is well.

Naturally, this made me concerned, to say the least, since transparent connection forwarding is an essential feature of Incognito. So I fired up a packet sniffer to investigate whether this really was the case. Fortunately, I couldn't find desthost's IP address in any packet, only a lot of communication with Tor nodes. So Tor is used and netstat is just "wrong". Phew!
Now, with this background information in mind I can go on to my actual questions for those of you who have managed to read all this (sorry for being so verbose):

Why does this happen? Is netstat operating at too high a level to detect this kernel-level magic?

Even though we still get as much anonymity as Tor offers and netstat is wrong in some way, I really do not want this to happen. Incognito uses TorK as a control GUI for Tor, and since its "Non-Tor traffic log" uses netstat and thus will log these erroneous connections, users might freak out and think that Incognito is unsafe. In fact, that was what happened to me. Can this be fixed? Perhaps this should be taken up with the net-tools devs directly, as it _might_ be a bug (or undesirable feature), but I thought I should ask you guys first, as some here might have experience with this combination of configurations and software.

So, any thoughts?
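An added example, not part of the message above and not code from Incognito, TorK, Tor or net-tools: a Python script that reproduces netstat's view from a constructed copy of /proc/net/tcp (the table netstat reads) and cross-checks it against a constructed copy of /proc/net/nf_conntrack, to tell a connection the kernel redirected to Tor's TransPort apart from a genuine leak. The mechanism it relies on: a nat OUTPUT REDIRECT rule rewrites the packets, not the socket, so the socket keeps the address the application passed to connect() and that is what /proc/net/tcp and therefore netstat show; the rewrite to 127.0.0.1:TransPort is recorded only in the reply tuple of the connection's conntrack entry. Assumptions, all labelled in the code: a little-endian host, TransPort 9040 and SocksPort 9050, Tor running as uid 101, and sample addresses taken from the documentation ranges. The iptables rule shape mentioned in a comment is illustrative, not Incognito's actual ruleset.

```python
import socket
import struct

# Assumed values (not from the message): Tor's transparent-proxy and SOCKS ports
# and the uid Tor runs as. On an Incognito-style box the redirect rule is assumed
# to look roughly like:
#   iptables -t nat -A OUTPUT -p tcp ! -d 127.0.0.1 -j REDIRECT --to-ports 9040
TOR_TRANSPORT = 9040
TOR_SOCKSPORT = 9050
TOR_UID = 101

# Constructed sample of /proc/net/tcp in the x86 (little-endian) layout: addresses
# are hex of the 32-bit value in host byte order, ports are plain hex. Rows: the ssh
# client socket (36762 -> 203.0.113.10:22, the "desthost" case), Tor's accepted
# TransPort side, a client explicitly using SocksPort, Tor's own link to a relay,
# one unproxied connection (a real leak) and the TransPort listener itself.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:8F9A 0A7100CB:0016 01 00000000:00000000 00:00000000 00000000  1000        0 30001 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:2350 0100007F:8F9A 01 00000000:00000000 00:00000000 00000000   101        0 30002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:8FA0 0100007F:235A 01 00000000:00000000 00:00000000 00000000  1000        0 30003 1 0000000000000000 20 4 30 10 -1
   3: 050200C0:AFC8 076433C6:2329 01 00000000:00000000 00:00000000 00000000   101        0 30004 1 0000000000000000 20 4 30 10 -1
   4: 050200C0:AFD2 096433C6:0050 01 00000000:00000000 00:00000000 00000000  1000        0 30005 1 0000000000000000 20 4 30 10 -1
   5: 0100007F:2350 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 30006 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample of /proc/net/nf_conntrack for the same moment. Each line holds
# the original tuple first and the reply tuple second; for the redirected ssh
# connection the reply comes from 127.0.0.1:9040, not from 203.0.113.10:22.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=203.0.113.10 sport=36762 dport=22 src=127.0.0.1 dst=127.0.0.1 sport=9040 dport=36762 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.5 dst=198.51.100.7 sport=45000 dport=9001 src=198.51.100.7 dst=192.0.2.5 sport=9001 dport=45000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.5 dst=198.51.100.9 sport=45010 dport=80 src=198.51.100.9 dst=192.0.2.5 sport=80 dport=45010 [ASSURED] mark=0 use=1
"""


def _hex_addr(field):
    """Decode an 'IPHEX:PORTHEX' field from /proc/net/tcp (little-endian host assumed)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return the sockets netstat would list 'w/o servers': LISTEN (state 0A) rows dropped."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8 or f[3] == "0A":
            continue
        socks.append({"local": _hex_addr(f[1]), "remote": _hex_addr(f[2]), "uid": int(f[7])})
    return socks


def parse_conntrack(text):
    """Map each original tuple (src, sport, dst, dport) to its reply tuple."""
    table = {}
    for line in text.splitlines():
        vals = {}
        for tok in line.split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                vals.setdefault(k, []).append(v)
        if len(vals.get("src", [])) < 2:
            continue
        orig = (vals["src"][0], int(vals["sport"][0]), vals["dst"][0], int(vals["dport"][0]))
        reply = (vals["src"][1], int(vals["sport"][1]), vals["dst"][1], int(vals["dport"][1]))
        table[orig] = reply
    return table


def classify(proc_tcp_text, conntrack_text, tor_uid=TOR_UID, transport=TOR_TRANSPORT,
             socksport=TOR_SOCKSPORT):
    """For every established socket give netstat's (local, foreign) view plus a verdict:
    socks-to-tor, loopback, redirected-to-tor (the case netstat mislabels), tor-own
    (Tor's own circuit traffic, judged by uid) or LEAK (nothing proxied it)."""
    ct = parse_conntrack(conntrack_text)
    verdicts = []
    for s in parse_proc_net_tcp(proc_tcp_text):
        (lip, lport), (rip, rport) = s["local"], s["remote"]
        if (rip, rport) == ("127.0.0.1", socksport):
            verdict = "socks-to-tor"
        elif rip.startswith("127."):
            verdict = "loopback"
        else:
            reply = ct.get((lip, lport, rip, rport))
            if reply and (reply[0], reply[1]) == ("127.0.0.1", transport):
                verdict = "redirected-to-tor"
            elif s["uid"] == tor_uid:
                verdict = "tor-own"
            else:
                verdict = "LEAK"
        verdicts.append(("%s:%d" % (lip, lport), "%s:%d" % (rip, rport), verdict))
    return verdicts


def leaks(proc_tcp_text, conntrack_text):
    """Only the connections a 'Non-Tor traffic log' should actually alarm on."""
    return [v for v in classify(proc_tcp_text, conntrack_text) if v[2] == "LEAK"]


if __name__ == "__main__":
    for local, foreign, verdict in classify(SAMPLE_PROC_NET_TCP, SAMPLE_CONNTRACK):
        print("%-22s %-22s %s" % (local, foreign, verdict))
```

Run against live files instead of the samples by reading /proc/net/tcp and /proc/net/nf_conntrack (older kernels expose /proc/net/ip_conntrack, whose lines lack the leading "ipv4 2" columns but carry the same key=value tuples, so the parser still applies); reading the conntrack table needs root and the nf_conntrack_ipv4 module loaded. The uid test for Tor's own relay connections is the weakest link: it assumes Tor runs under its own account, which is the setup worth verifying on the box before trusting the verdict.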