> On 04/22/2012 01:25 AM, torsi...@tormail.org wrote:
>>
>> Hi,
>>
>> Is there anything to worry about if using curl with the below
>> configuration? (I don't want to use a virtual machine)
>>
>> Only debian-tor can go online:
>> iptables -F OUTPUT
>> iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
>> iptables -A OUTPUT -j ACCEPT -o lo
>> iptables -A OUTPUT -j ACCEPT -p udp --dport 123
>> iptables -P OUTPUT DROP
>
> Just to make sure, add explicit blocking of DNS at the beginning (might
> add -m owner --uid-owner debian-tor if you want):
>
> iptables -A OUTPUT -p udp --dport 53 -j REJECT
> iptables -A OUTPUT -p tcp --dport 53 -j REJECT

iptables -P OUTPUT DROP will drop anything not allowed in the above rules.
I don't see the need to add more rules for DNS. They get dropped anyway.

> REJECT is IMHO better than DROP for outgoing connections, since you won't
> have to wait for the application to detect the timeout.

That's a good point for outgoing traffic. :-)

>>
>> curl is used like this:
>>
>> curl --socks5-hostname 127.0.0.1:9050 -A "TBB's user agent" -C - -O
>> http://download.testfile
>
> Use --header to add any additional headers until your request has
> identical headers to TBB (adding headers is easy, removing might be
> harder).
>
>> I guess there is no way that curl can leak the real IP address. Any
>> objections?
>
> I can't say for sure, but it likely won't leak your IP for http/https
> protocols. The only way to make sure would be thoroughly reading the
> source.

I see no way curl could get the public IP address without root privileges.

Thank you Ondrej for your point of view.

> Ondrej
>
>>
>>> Hm, you're right, wget 1.12 does not leak DNS if you use the http
>>> protocol. I just realized I tested it also with https when the leak
>>> happened (wget requires explicit 'https_proxy' to use CONNECT for https
>>> even if you use the same http proxy).
>>>
>>> Ondrej
>>>
>>> On 04/19/2012 10:54 PM, torsi...@tormail.net wrote:
>>>> Hi,
>>>>
>>>> I cannot confirm that wget (v1.12) is sending any DNS resolve when
>>>> using it this way:
>>>>
>>>> wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c
>>>> http://download.test
>>>>
>>>> Wireshark does not show any UDP traffic.
>>>>
>>>> I will check out curl. I like the idea of not using an http proxy in
>>>> between.
>>>>
>>>> Thanks for the post. :-)
>>>>
>>>>> On 04/18/2012 11:40 PM, torsi...@tormail.net wrote:
>>>>>>> On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer <m...@dee.su> wrote:
>>>>>>>> On Wed, Apr 18, 2012 at 11:37, Robert Ransom
>>>>>>>> <rransom.8...@gmail.com> wrote:
>>>>>>>>> Which version of wget did you audit? What information leaks did
>>>>>>>>> you check for during your audit?
>>>>>> Hi,
>>>>>>
>>>>>> How can I check what information wget is transmitting? I used
>>>>>> wireshark and filtered to see only the traffic sent from wget to
>>>>>> localhost:8118 but I'm not a network expert and I don't know how to
>>>>>> interpret the data.
>>>>>>
>>>>>> Does anybody have deeper network knowledge?
>>>>>
>>>>> I've just checked wget, it does leak DNS even with the http_proxy
>>>>> environment variable set.
>>>>>
>>>>> How to check:
>>>>>
>>>>> 1. Run wireshark
>>>>> 2. Select "Pseudointerface (any)" unless you know which interface to
>>>>>    look at
>>>>> 3. Put "dns" into the Filter field and click the "Apply" button
>>>>>
>>>>> DNS is easy to spot since it's almost always going to UDP port 53
>>>>> (exceptions are really rare).
>>>>>
>>>>> Then you'll see what DNS queries your host did at the time (obviously
>>>>> it's best to turn off any other program that could interfere in the
>>>>> measurement).
>>>>>
>>>>> These things can change on a version-to-version basis of the same
>>>>> software, so it's always best to check your actual version with
>>>>> wireshark.
>>>>>
>>>>> Though curl is much better than wget in all recent versions at least,
>>>>> this does not leak DNS (--socks5-hostname is the important part; Tor
>>>>> SOCKS5 proxy is expected to run at port 9050):
>>>>>
>>>>> curl --socks5-hostname localhost:9050 "http(s)://somesite.wherever/rest_of_url"
>>>>>
>>>>> Ondrej
>>>>> _______________________________________________
>>>>> tor-talk mailing list
>>>>> tor-talk@lists.torproject.org
>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
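The Tor-only OUTPUT chain from this thread, with the explicit DNS REJECT rules placed first, as an added script that is not code from any of the posters. It assumes Tor runs as the Debian default user debian-tor and that UDP/123 (NTP) is the only non-Tor egress to keep; setting IPT=echo prints the rule list instead of applying it, and check_rule_order verifies the ordering before anything touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): the debian-tor-only OUTPUT chain plus
# Ondrej's fast-failing DNS REJECT rules, wrapped in a function with a
# dry-run mode. Assumptions: Tor runs as user "debian-tor" (Debian default)
# and UDP/123 is the only other outbound traffic you want to allow.

TOR_USER="${TOR_USER:-debian-tor}"   # uid whose traffic may leave the host
IPT="${IPT:-iptables}"               # set IPT=echo to print rules instead

tor_only_output() {
    "$IPT" -F OUTPUT
    # Fail fast: REJECT (not DROP) resolver traffic so a non-Tor program gets
    # an immediate error instead of hanging until its DNS timeout. A Tor
    # client does not use the system resolver in its default configuration.
    "$IPT" -A OUTPUT -p udp --dport 53 -j REJECT
    "$IPT" -A OUTPUT -p tcp --dport 53 -j REJECT
    # Only the Tor daemon's own uid may open outbound connections.
    "$IPT" -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A OUTPUT -p udp --dport 123 -j ACCEPT
    # Everything else (including any other program's DNS) is dropped.
    "$IPT" -P OUTPUT DROP
}

# Dry-run consistency check: both DNS REJECTs must precede the first ACCEPT
# (otherwise the owner rule would pass Tor-uid DNS before the REJECT is
# reached) and the chain policy must be DROP. Returns 0 when consistent.
check_rule_order() {
    rules="$(IPT=echo; tor_only_output)"
    printf '%s\n' "$rules" | grep -q -- '-P OUTPUT DROP' || return 1
    first_accept="$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' \
        | head -n 1 | cut -d: -f1)"
    last_dns="$(printf '%s\n' "$rules" | grep -n -- '--dport 53 -j REJECT' \
        | tail -n 1 | cut -d: -f1)"
    [ -n "$first_accept" ] && [ -n "$last_dns" ] \
        && [ "$last_dns" -lt "$first_accept" ]
}

# Apply for real only as root and only when explicitly asked to;
# otherwise print the rule list for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    check_rule_order || { echo "rule order check failed" >&2; exit 1; }
    tor_only_output
else
    (IPT=echo; tor_only_output)
fi
```

After applying, the thread's own verification step still applies: watch the host for port-53 traffic in Wireshark (filter "dns") while running the non-Tor program and confirm nothing leaves.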