Hello. I am trying to make a tor only allow traffic through onion services and exit nodes. I would like to blacklist all domains first, as that is simple and does not need to be updated, then whitelist all onions and exits.

Reason: I am hosting an onion service, but I don't want any client traffic coming from that machine.

I've played with MapAddress, VirtualAddrNetworkIPv4, AutomapHostsOnResolve, AutomapHostsSuffixes, but nothing seems to work as intended above.

MapAddress *=127.0.0.1 does not report invalid conf, but the controller reports it is using invalid syntax because of "*" as source or target.

I tricked the controller with MapAddress *.*=127.0.0.1; as every domain has a dot, the controller didn't report a syntax error, and this option is actually ignored.

If the above worked, then the next option would be the whitelisting: MapAddress *.onion VIRTUAL_IP. Or possibly AutomapHostsOnResolve 1 and AutomapHostsSuffixes .exit,.onion would hopefully handle that part.

I did the lazy way, the antivirus way: I downloaded the IANA TLD domain list and used basic string manipulation to make: MapAddress *.${domain} 127.0.0.1

And yes, as you may think, the list is huge and has to be in its own included conf file, and it is also prone to being outdated every time a new TLD is created. But it works; in a dumb and mistake-prone way, it works. Can this be done better? Not the antivirus way, where all is permitted and some known items are blocked. I would prefer all is blocked and some items are permitted.

The real objective was to block all non-.onion and non-.exit targets coming from a client, which the controller reports with SOURCE_ADDR, but I didn't find an option to MapAddress per client or anything similar to manipulate addresses per client source, so that is why I started doing this for all tor traffic, which is not what I really want, but controlling targets per client.
tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
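The generation step the poster describes (IANA TLD list to one MapAddress line per TLD, everything except .onion and .exit mapped to 127.0.0.1), as an added example that is not from the original post or from Tor itself. It assumes the IANA file format (a leading "# Version ..." comment, then one upper-case TLD per line), and the sample list embedded below is constructed, not a real download.

```python
# Added example (not from the original post): build the torrc include file the
# poster describes from the IANA TLD list, one MapAddress line per TLD, with
# .onion and .exit left out so those targets stay reachable.
# Assumption: the IANA list is a "# Version ..." comment line followed by one
# upper-case TLD per line (IDN TLDs appear in punycode as "XN--...").
import re

# The suffixes the poster wants to keep reachable; they are excluded from the
# blocklist even if a copy of the list ever contained them.
ALLOWED_SUFFIXES = {"onion", "exit"}

# TLD labels are letters, digits and hyphens only; anything else is treated as
# damage in the downloaded file rather than silently written into torrc.
LABEL_RE = re.compile(r"^[a-z0-9-]+$")

def parse_iana_tlds(text):
    """Return the lower-cased TLDs from an IANA tlds-alpha-by-domain-name.txt body."""
    tlds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tld = line.lower()
        if not LABEL_RE.match(tld):
            raise ValueError(f"unexpected TLD label in IANA list: {line!r}")
        tlds.append(tld)
    return tlds

def mapaddress_blocklist(tlds, sink="127.0.0.1"):
    """One 'MapAddress *.<tld> <sink>' line per TLD, minus the allowed suffixes."""
    lines = []
    for tld in sorted(set(tlds)):
        if tld in ALLOWED_SUFFIXES:
            continue
        lines.append(f"MapAddress *.{tld} {sink}")
    return lines

# Constructed sample standing in for the real download: a few real TLDs plus
# "onion", which the IANA file does not contain, included to show it is skipped.
SAMPLE_IANA_LIST = """\
# Version 2024010100, Last Updated Mon Jan  1 07:07:01 2024 UTC
AAA
COM
ONION
ORG
XN--80AK6AA92E
"""

if __name__ == "__main__":
    conf = mapaddress_blocklist(parse_iana_tlds(SAMPLE_IANA_LIST))
    # Write these lines to the file that torrc pulls in with %include.
    print("\n".join(conf))
```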
