Re: iptables and tor

2008-02-18 Thread Michel Arboi
On Feb 10, 2008 1:07 AM, dante <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> Has anyone given any thought as to what firewall rules to use on a linux
> system running a tor server?

Assuming that your tor daemon runs under a dedicated UID or GID (e.g.
tor), you can use
  iptables -m owner --uid-owner tor (or --gid-owner tor) ...


Re: iptables and tor

2008-02-10 Thread Dominik Schaefer


Tom Hek wrote:

> By default, all the private ranges are already blocked in the exit policy.

Yes, the private or non-routable nets. I should have been more precise about
what I meant. ;-) (or should have avoided the term "private")
Suppose you have 87.78.1.170 as exit node and its subnet is 87.78.1.128/26.
Suppose your organization has the net 87.78.1.1/24 and you have some services
for internal use running on various hosts in that Class-C net.
Then AFAIK you have to take care of the appropriate exit policies yourself,
because tor can't possibly know this, e.g. explicitly disallow 87.78.1.1/24.

Dominik




Re: iptables and tor

2008-02-10 Thread Tom Hek
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

By default, all the private ranges are already blocked in the exit policy.

Dominik Schaefer wrote:
> dante wrote:
>> Hi everyone,
>>
>> Has anyone given any thought as to what firewall rules to use on a linux
>> system running a tor server?
> If you operate a tor node within your private network and your network
> offers services which are not public or should not be public, then you
> should remember that you create a tunnel in your local network by running
> tor. In this case you have to ensure that the exit policies of the tor
> node are set in a way that nobody can exit from your tor node into your
> local net. Additionally you can filter the relevant traffic originating
> from your tor node.
>
> Dominik

Tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkevdlUACgkQStmJ9+mkUHNdxwCeOjcYGMgP8vrmaKGTZIRx/7nh
EqQAn1pfvH7X8+1f1QhcOPE0CfGKCKAG
=7f0e
-----END PGP SIGNATURE-----


Re: iptables and tor

2008-02-10 Thread Dominik Schaefer

dante wrote:

> Hi everyone,
>
> Has anyone given any thought as to what firewall rules to use on a linux
> system running a tor server?

If you operate a tor node within your private network and your network offers
services which are not public or should not be public, then you should
remember that you create a tunnel in your local network by running tor. In
this case you have to ensure that the exit policies of the tor node are set in
a way that nobody can exit from your tor node into your local net.
Additionally you can filter the relevant traffic originating from your tor node.


Dominik
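Dominik's two replies above make the same point: a relay sitting inside an organisation's own public /24 can reach internal-only hosts unless the exit policy rejects that net explicitly, because Tor's built-in rejection of private ranges (Tom's point) says nothing about a routable block. The script below is an added example, not code from the thread or from the Tor project: a small evaluator that applies a torrc ExitPolicy the way Tor does (first matching entry wins, implicit "reject *:*" at the end) to a destination, so you can check a policy offline before a relay goes live. The function names are mine; the 87.78.1.x addresses are Dominik's, and 198.51.100.7 is a constructed external host. It handles IPv4 only and evaluates just the lines you hand it, which is exactly why the organisation's /24 has to appear in them.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate a torrc ExitPolicy against a
# destination the way Tor does (first matching entry wins, implicit
# "reject *:*" at the end). Only the entries given are considered, so Tor's
# built-in rejection of private ranges is not modelled; IPv4 only.

# Dotted quad -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR TARGET: TARGET is "*", an address, or NET/PREFIX.
# Both sides are masked, so "87.78.1.1/24" (as written in the thread)
# means the same as "87.78.1.0/24".
in_net() {
    local addr=$1 net=$2 prefix=32 mask
    [ "$net" = "*" ] && return 0
    case $net in */*) prefix=${net#*/}; net=${net%/*};; esac
    [ "$prefix" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# port_match PORT SPEC: SPEC is "*", a single port, or LOW-HIGH
port_match() {
    case $2 in
        '*') return 0 ;;
        *-*) [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# exit_allows POLICY ADDR PORT: POLICY holds the text after "ExitPolicy",
# one "accept|reject TARGET:PORTS" entry per line, in torrc order.
# Prints the entry that decided; returns 0 for accept, 1 for reject.
exit_allows() {
    policy=$1; addr=$2; port=$3
    while read -r verb target; do
        [ -z "$verb" ] && continue
        in_net "$addr" "${target%:*}" || continue
        port_match "$port" "${target##*:}" || continue
        echo "$verb $target"
        [ "$verb" = "accept" ]
        return
    done <<EOF
$policy
reject *:*
EOF
}

# Constructed scenario from the thread: relay 87.78.1.170 lives in the
# organisation's 87.78.1.0/24, which also hosts internal-only services.
NAIVE='accept *:80
accept *:443
reject *:*'
FIXED='reject 87.78.1.0/24:*
accept *:80
accept *:443
reject *:*'
show() { printf '%-48s -> ' "$1"; exit_allows "$2" "$3" "$4" || :; }
show "naive policy, internal host 87.78.1.10:80"    "$NAIVE" 87.78.1.10   80
show "fixed policy, internal host 87.78.1.10:80"    "$FIXED" 87.78.1.10   80
show "fixed policy, external host 198.51.100.7:443" "$FIXED" 198.51.100.7 443
show "fixed policy, external host 198.51.100.7:25"  "$FIXED" 198.51.100.7 25
```

With the naive policy the internal host is reachable through the relay on port 80; with the explicit reject in front it is not, while external web traffic is still accepted and everything else falls through to the final reject. The reject for the organisation's net has to come before the accept lines, since ordering is what decides.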





Re: iptables and tor

2008-02-10 Thread dante

> The packets coming in on Tor TLS tunnels are destined for your node.
> They go up the stack through TCP and TLS to the Tor application
> itself. Tor does its AES CTR encryption on the cells coming out of
> these streams, and puts them in other streams based on the circuit
> labels. Here they get TLS'd, packed into TCP segments and go out.
> This means that packets going out after relaying have nothing to do
> with packets coming in, so I don't think marking makes any difference.
> This is clearly a positive point of Tor.
Thanks Csaba, that's exactly what I was worried about and your
information is reassuring. The usual allow/deny rules should be good
enough.

---

Anthony G. Basile, Ph.D.
Director of Information Technology,
D'Youville College,
320 Porter Ave.
Buffalo NY, 14201




Re: iptables and tor

2008-02-10 Thread Csaba Kiraly

M wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> On Sat, Feb 09, 2008 at 07:07:26PM -0500, [EMAIL PROTECTED] wrote 0.8K bytes in
>> 21 lines about:
>> : Has anyone given any thought as to what firewall rules to use on a linux
>> : system running a tor server?  Besides the usual attacks against the
>>
>> In general, how would you protect a server with a public IP without tor?
>
> Common "default deny and allow only specified" rules, which are used by
> any admin who has common sense? Can't think of anything else.
>
> Only allow incoming tcp traffic to Tor's dir and listening port and deny
> everything else?
>
> M
The packets coming in on Tor TLS tunnels are destined for your node. 
They go up the stack through TCP and TLS to the Tor application itself. 
Tor does its AES CTR encryption on the cells coming out of these 
streams, and puts them in other streams based on the circuit labels. 
Here they get TLS'd, packed into TCP segments and go out.
This means that packets going out after relaying have nothing to do with 
packets coming in, so I don't think marking makes any difference. This 
is clearly a positive point of Tor.


What you could do is to allow Tor's ports (defaults or the ones defined
in your torrc) to pass through your firewall, and deny/shadow others.
You can also do some TCP stuff on these ports, trying to add some DoS
resistance, change priority (see the post
http://archives.seul.org/or/talk/Feb-2008/msg00047.html ), correct some
TCP misbehavior, etc.


Otherwise, configure your exit policy well in the torrc, and hope that 
Tor respects it ;-) ... OK, it is open source, so you can even be sure 
about it :-)

Csaba
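The rules M and Csaba describe (default deny, only the ORPort and DirPort reachable from outside) and the owner match Michel Arboi suggests at the top of this thread combine into one ruleset. The script below is an added example, not code from the thread or from the Tor project: it prints an iptables-restore ruleset instead of applying it, so it can be reviewed or diffed against the running one first. The ports, the `tor` account, the admin net (192.0.2.0/24) and the internal net (192.168.0.0/16) are placeholder assumptions, not values any poster gave; override them through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables-restore ruleset for a
# Linux host running a Tor relay. Nothing is applied; review the output, then
# feed it to iptables-restore. All values below are assumptions (override via
# the environment); they are not figures any poster gave.
OR_PORT="${OR_PORT:-9001}"                 # ORPort from torrc
DIR_PORT="${DIR_PORT:-9030}"               # DirPort from torrc
TOR_USER="${TOR_USER:-tor}"                # dedicated account the daemon runs as
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"     # where SSH logins come from (constructed)
LOCAL_NET="${LOCAL_NET:-192.168.0.0/16}"   # the organisation's own net (constructed)

tor_relay_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and packets belonging to flows already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Remote administration only from the admin net
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# The only services the Internet may reach: Tor's ORPort and DirPort
-A INPUT -p tcp --dport $OR_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $DIR_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
# Outbound: loopback and existing flows
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Backstop for the exit policy: the daemon never opens connections into the
# organisation's net, whatever torrc says (exceptions go above this line)
-A OUTPUT -m owner --uid-owner $TOR_USER -d $LOCAL_NET -j REJECT
# The daemon may open new TCP flows anywhere else (relay links, exit streams)
# and query the resolvers in /etc/resolv.conf for exit streams
-A OUTPUT -p tcp -m owner --uid-owner $TOR_USER -j ACCEPT
-A OUTPUT -p udp --dport 53 -m owner --uid-owner $TOR_USER -j ACCEPT
# Anything else the host needs out (package updates, NTP, ...) must be added
# explicitly; the OUTPUT policy drops the rest
COMMIT
EOF
}

tor_relay_rules
```

Two practical notes: the owner match is only valid in the OUTPUT (and POSTROUTING) chains, so it cannot be used to decide which inbound packets reach the daemon; inbound control is by port alone, which is why the INPUT side only names the ORPort and DirPort. Load the result with `sh relay-fw.sh | iptables-restore --test` to have it parsed without being committed, then again without `--test`; IPv6 needs a parallel ip6tables ruleset.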


Re: iptables and tor

2008-02-10 Thread M
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




>> On Sat, Feb 09, 2008 at 07:07:26PM -0500, [EMAIL PROTECTED] wrote 0.8K bytes 
>> in 21 lines about:
>> : Has anyone given any thought as to what firewall rules to use on a linux
>> : system running a tor server?  Besides the usual attacks against the
> 
> In general, how would you protect a server with a public IP without tor?  
> 

Common "default deny and allow only specified" rules, which are used by
any admin who has common sense? Can't think of anything else.

Only allow incoming tcp traffic to Tor's dir and listening port and deny
everything else?

M

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHr0OoeaKwdrf2V0oRAhAlAJ45+6vNvT6xBKyCbl9pbLqsRiZAOwCaAiR1
0uCBRAj1VeQboDFCvDRQK1U=
=i2EJ
-----END PGP SIGNATURE-----


Re: iptables and tor

2008-02-10 Thread phobos
On Sat, Feb 09, 2008 at 07:07:26PM -0500, [EMAIL PROTECTED] wrote 0.8K bytes in 
21 lines about:
: Has anyone given any thought as to what firewall rules to use on a linux
: system running a tor server?  Besides the usual attacks against the

In general, how would you protect a server with a public IP without tor?  

-- 
Andrew


iptables and tor

2008-02-09 Thread dante
Hi everyone,

Has anyone given any thought as to what firewall rules to use on a linux
system running a tor server?  Besides the usual attacks against the
system itself, I'm particularly concerned with possible attacks against
the tor network itself which could be circumvented by proper firewall
rules --- something like using the TCP options to "mark" tor packets so
they can be tracked or similar hacks.  I haven't investigated deeply, so
my concerns may be misplaced --- perhaps the packets are sufficiently
scrubbed when they are relayed by the routers' ssl connections and no
further scrubbing by iptables is needed to enhance anonymity.

Can anyone comment?

---

Anthony G. Basile, Ph.D.
Director of Information Technology,
D'Youville College,
320 Porter Ave.
Buffalo NY, 14201