Re: Yet another UDP / DNS quiestion...

[Tomasz Moskal]

 Yes if you redirect DNS requests to Tor's DNSPort you should be safe
 against DNS leaks.

Do I have to use AutomapHostsOnResolve 1 as well? Seems to be pointless
without defining AutomapHostsSuffixes.

 I guess you are talking about a local setup without a middlebox
 involved. If my assumption is correct you want to refer to the
following
 section in the document:

https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy#LocalRedirectionThroughTor
 

Thanks for clarifying that! Now I need to read some more about iptables.
One more question: will those rules route all UDP traffic to port 53 or
just DNS requests? What will happen with UDP not relating to DNS?

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82





signature.asc
Description: This is a digitally signed message part

Excluding exit nodes

[Tomasz Moskal]

From the Tor Project FAQ
https://www.torproject.org/docs/faq#ChooseEntryExit:

We recommend you do not use these — they are intended for testing and
may disappear in future versions. You get the best security that Tor can
provide when you leave the route selection to Tor; overriding the
entry / exit nodes can mess up your anonymity in ways we don't
understand.

Now, it's a little bit confusing for a novice, let me explain why.
People both on this mailing list and else where on the Internet are
often referring to excluding bad/evil exit nodes (I'm aware that it's
a bit ambiguous concept) and yet there is this entry in Tor Project FAQ.
So how someone like me, a newcomer to Tor, Linux and networking, should
know which exit nodes are suspicious? I came across this website
http://torstatus.blutmagie.de/index.php which flags couple of nodes as
Bad Exit - should I exclude them? How reliable information on this
website are? Is there any authoritative list of suspicious exit nodes?

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82




signature.asc
Description: This is a digitally signed message part

Re: Excluding exit nodes

[Tomasz Moskal]

On Sun, 2011-02-13 at 15:51 +0100, tagnaq wrote:
 No you do not need to exclude them because your client will not use
 nodes with the BadExit flag as an exit node anyway. The torstatus
 website does not flag them, it just shows you that they have this flag
 because the DirectoryAuthorities flagged these nodes as badexits.

Now I'm even more confused! What is DirectoryAuthorities? Quick
googling yielded no results I can understand and Tor -alpha Manual is
not helpful on that matter either. Could you point me somewhere I can
find more informations about matters relating to exit nodes? I'm going
through archives of this mailing list and documents on Tor website but
there is *a lot* of informations in those places and it will take me
considerable amount of time to read all of it.

How someone can recognise if an exit node *might* be doing something
suspicious - like sniffing traffic for passwords? As far as I can tell
(with my limited knowledge that is!) it's by checking which ports the
node in question is making available. And if there are not the standards
one then it *could* do something nasty - which of course don't mean it
does. Could you clarify this whole rouge/bad/evil nodes matter?

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82




signature.asc
Description: This is a digitally signed message part

Re: Excluding exit nodes

[Tomasz Moskal]

On Sun, 2011-02-13 at 17:07 +0100, tagnaq wrote:
 https://www.torproject.org/docs/faq.html.en#KeyManagement
 (Coordination section)
 
 General Design Document:
 https://www.torproject.org/docs/documentation.html.en#DesignDoc
 https://svn.torproject.org/svn/projects/design-paper/tor-design.html
 (chapter 6.3)
 Note: This document is from 2004. Statements like new nodes must be
 approved by the directory server administrator before they are
included
 are no longer valid.
 

https://gitweb.torproject.org/tor.git/blob/HEAD:/doc/spec/dir-spec.txt#l142

Wow! This will keep me busy for quite a while! Thanks!

 Well this is currently a 'hot topic' and I refer you to the lengthy
 thread 'Is gatereloaded a Bad Exit?'.
 Short answer: you can not reliably detect passive sniffing.

Yes, I'm following 'Is gatereloaded a Bad Exit?' but at times it's
*very* confusing. Well, I won't worry about exit nodes until I won't
have better understanding of Tor and networking in general.

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82





signature.asc
Description: This is a digitally signed message part

Re: Yet another UDP / DNS quiestion...

[Tomasz Moskal]

 Could you describe your use case + thread model?

I'm terrible sorry for chaos I'm causing but right now I'm a very small
and confused person :-) Let me start from the beginning...

I'm using Privoxy + Tor combination. For Privoxy to properly handle
TCP/HTTP requests and send them over Tor network I have listen-address
127.0.0.1:8118 in my /etc/privoxy/config. Then, to make sure that
Privoxy will be used globally, I added those four lines
to /etc/environment:
http_proxy=http://127.0.0.1:8118/;
https_proxy=https://127.0.0.1:8118/;
HTTP_PROXY=$http_proxy
HTTPS_PROXY=$https_proxy
Now all TCP/HTTP traffic should go through Privoxy - Tor combination,
at least in theory. As I understand Wireshark is the tool I should use
to verify if that is what is happening in reality. I compiled Wireshark
but don't understand yet how to use it so I will come back to verify
routing of TCP/HTTP when I understand what I'm doing.
Next, I tried to use torsocks to make sure UDP/DNS requests are resolved
through Tor. To accomplish that I added to /etc/privoxy/config
forward-socks4a   /   127.0.0.1:9050 .
forward-socks5   /127.0.0.1:9050 .
My /etc/torsocks.conf looks like this:
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 169.254.0.0/255.255.0.0
local = 172.16.0.0/255.240.0.0
local = 192.168.0.0/255.255.0.0
server = 127.0.0.1
server_port = 9050
But I have two problems with using torsocks:
1. Not all applications seems to be working with it, for example when I
try usewithtor empathy I'm getting Segmentation fault. Which is
probably due to the problems with rejecting UDP:

torsocks allows you to use most socks-friendly applications in a safe
way with Tor. It ensures that DNS requests are handled safely and
explicitly rejects UDP traffic from the application you're using. (from
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorifyHOWTO)

2. I would need to usewithtor every single application on my system to
make sure DNS requests are resolved through Tor.

Then I came around Transparently Routing Traffic Through Tor
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy.
 And this is where more confusion and problems started! What I want to achieve 
with this wiki is to make sure all UDP/DNS request will be send through Tor. 
Now I intend to follow Local Redirection Through Tor from mentioned wiki to the 
letter and that will hopefully resolve the case of leaking DNS. 


 # Block/reject all outgoing UDP traffic
  iptables -A OUTPUT -j REJECT
 This rule does not block UDP only, it rejects all traffic including
UDP
 (if a packets makes its way to the last line).
 
So if I will go ahead with set-up from Local Redirection Through Tor it
will allow out just the traffic going through Tor stopping any and every
kind of no-Tor traffic from leaving my machine. But if I want to allow
traffic from certain applications I could do it by setting up exception
in iptables, right? And furthermore, with this solution there will be no
need for me to use torsocks any more, yes?

  iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
 Why did you add -p udp here? Tor uses TCP.
 
My mistake! Fixed now.

 I'm wondering why one would want to setup DNSPort configuration without
 TransPort.

That will be lack of knowledge on my part, I missunderstood informations
from wiki. I got confused by this comment
http://www.hermann-uwe.de/blog/howto-anonymous-communication-with-tor-some-hints-and-some-pitfalls#comment-80205
 which doesn't mention TransPort and thus I thought it is not necessary.

 
 I wonder why your uid should be different everytime you reboot, but you
 can also use the name of the user instead of the numerical value.
 
Well I can't tell you why but that how it is. To double check I rebooted
twice just now and ps -A | grep -w tor each time gave me different UID
for tor.

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82


signature.asc
Description: This is a digitally signed message part

Re: Yet another UDP / DNS quiestion...

[Tomasz Moskal]

On Sun, 2011-02-13 at 11:04 -0800, Robert Ransom wrote:

 That's a process ID, not a user ID.
Arrrgh! My brain is slowly melting. I think what I will do now is to
give up on Tor and attempts to understand it. I will explore more how to
properly and effectively use Linux. Then I shall delve some more into
basic concepts behind Internet Protocols and THEN, just then, I will
come back to Tor. Well, see you folks in a year or two!

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82


signature.asc
Description: This is a digitally signed message part

Yet another UDP / DNS quiestion...

[Tomasz Moskal]

I feel that I should explain something before I start asking any
questions so here we go: I'm a fresh convert to Linux (barely few week
on Ubuntu!) and as much as I'm fascinated by the matters relating to
networking, security and anonymity in equal measure I'm intimidated by
them. I don't posses any deep knowledge of those topics, I still barely
can handle the basics. But with the wealth of knowledge out there and a
healthy dose of experimentation I intend to change this. So if my
questions are naive (or plainly stupid) please bear in mind that I'm new
here. And now for what is bordering me...

I was reading Transparently Routing Traffic Through Tor
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy 
and although I don't need to run Tor as transparent proxy I like the idea of 
routing the UDP/DNS requests to localhost. If I will reroute all those requests 
with iptables to the port on which Tor is listening I should have no problems 
with DNS leaking, right? That should do the trick then:

1. torrc 

DNSPort 53
DNSListenAddress 127.0.0.1

2. resolv.conf

nameserver 127.0.0.1

3. iptables 

iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT
--to-ports 53
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT

I'm not an expert regarding iptables and 'man iptables' is *very*
frightening for someone who barely slides on the surface of all this.
From steep three above I sort of understand purpose of rules three and
four but rest of them... Are they needed in this example or they can be
safely omitted? If in fact they are required for this set-up to work
what is their purpose? I will of course replace $INT_IF and $TOR_UID
with required values.


-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82




signature.asc
Description: This is a digitally signed message part