
[tor-dev] Blacklist all domains, whitelist .onion,.exit



Hello.

I am trying to make Tor only allow traffic through onion services and exit nodes.

I would like to blacklist all domains first, as that is simple and does not need to be updated,
then whitelist all onions and exits.

Reason: I am hosting an onion service, but I don't want any client traffic coming from that
machine.

I've played with MapAddress, VirtualAddrNetworkIPv4, AutomapHostsOnResolve,
AutomapHostsSuffixes, but nothing seems to work as intended above.

MapAddress *=127.0.0.1 does not report an invalid conf, but the controller reports it is using
invalid syntax because "*" can't be the source or target.
I tricked the controller with MapAddress *.*=127.0.0.1; as every domain has a dot, the controller
didn't report a syntax error, but this option is actually ignored.

If the above worked, then the next option would be the whitelisting:
MapAddress *.onion VIRTUAL_IP
Or possibly AutomapHostsOnResolve 1 and AutomapHostsSuffixes .exit,.onion would
handle that part, hopefully.

I did it the lazy way, the antivirus way: I downloaded the IANA TLD list and used basic
string manipulation to make: MapAddress *.${domain} 127.0.0.1
And yes, as you may think, the list is huge, so it has to be in its own included conf file, and it is
also prone to be outdated every time a new TLD is created. But it works; in a dumb and
mistake-prone way, it works. Can this be done better? Not the antivirus way, where all is permitted
and some known items are blocked. I would prefer that all is blocked and some items are permitted.

The real objective was to block all non-.onion and non-.exit targets coming from a client, which the
controller reports with SOURCE_ADDR, but I didn't find an option to MapAddress per client
or anything similar to manipulate addresses per client source address. That is why I started doing this for all Tor traffic, which is not what I really want; what I want is to control targets per client.


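The generator the post describes, written out as an added example (this is not the poster's script nor anything from the Tor project): it reads a TLD list in the shape of the IANA file at https://data.iana.org/TLD/tlds-alpha-by-domain.txt (a leading "# Version ..." comment, then one upper-case TLD per line), drops comments and blank lines, skips onion and exit so the two suffixes that should keep working are never shadowed, and emits one `MapAddress *.<tld> 127.0.0.1` line per TLD for an included torrc file. The sample list embedded below is constructed so the script runs offline; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a torrc include file
# that maps every public TLD to 127.0.0.1, leaving only .onion and .exit
# targets unmapped.

# Read a TLD list on stdin, emit one MapAddress line per TLD.
# Comment lines ("# Version ...") and blank lines are dropped; "onion" and
# "exit" are excluded so the generated file never blocks them.
gen_mapaddress_lines() {
    tr 'A-Z' 'a-z' | grep -v '^#' | grep -v '^$' | grep -vx -e onion -e exit |
    while IFS= read -r tld; do
        printf 'MapAddress *.%s 127.0.0.1\n' "$tld"
    done
}

# Constructed sample in the IANA file's shape (the real list is much longer).
SAMPLE_TLDS='# Version 0000000000, constructed sample header
COM
NET
ORG
ONION
XN--P1AI'

# Number of MapAddress lines produced for the sample: a quick sanity check
# that comments and the onion entry were skipped (expected 4).
count_sample_lines() {
    printf '%s\n' "$SAMPLE_TLDS" | gen_mapaddress_lines | wc -l | tr -d ' '
}

# Usage with the real list (network access needed):
#   curl -s https://data.iana.org/TLD/tlds-alpha-by-domain.txt \
#     | gen_mapaddress_lines > /etc/tor/torrc.d/block-tlds.conf
# then reference it from torrc with:
#   %include /etc/tor/torrc.d/block-tlds.conf
printf '%s\n' "$SAMPLE_TLDS" | gen_mapaddress_lines
```

Two caveats worth keeping in mind when relying on this: the file must be regenerated whenever IANA adds a TLD, exactly as the post says, and `MapAddress *.<tld>` only matches targets given as hostnames, so a client that asks Tor to connect to a raw IP address is not caught by these rules at all.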
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev