
Re: [tor-talk] Tor and iptables.



On 12/12/2016 01:14 AM, Jonathan Marquardt wrote:
> On Mon, Dec 12, 2016 at 12:12:54AM -0700, Mirimir wrote:
>> Oops. Sorry. I'm used to straight Tor and Whonix. So how does one lock
>> down Tor using Tor browser?
> 
> Well, given the way OP phrased his question, I just assumed he wanted to 
> prevent any unwanted input to his system, which is why I gave him a simple 
> ruleset which allows any output.

Right. But I'm more paranoid about restricting output, given that
phone-home malware is now a routine risk.

> If you want to filter output as well but allow Tor Browser to work, I see two 
> ways to accomplish that:
> 
> - Go with the separate user method: Create a separate user just to run Tor 
>   Browser and allow output for just this user. You could launch Tor Browser as 
>   this user using gksudo or kdesudo.

Thanks :)

> - Configure a bridge for Tor Browser to use and allow output to just this 
>   bridge filtering by IP address as well as port.

That seems more complicated.

Sorry about missing the typo in my initial reply. It _was_ an invalid
rule. But accepting lo is necessary with default deny, right?

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
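
The separate-user method discussed in this message, as an added example that is not part of the original thread: a shell function that emits an IPv4 `iptables-restore` ruleset with default-deny input and output, loopback accepted in both directions, and outbound TCP allowed only for one account. The function name `tor_user_ruleset` and the account name `torbrowser` are hypothetical; IPv6 needs an equivalent `ip6tables` ruleset.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset (IPv4 only).
# Assumption: Tor Browser and its bundled tor run as one dedicated account
# ("torbrowser" is a hypothetical name, not taken from the thread).

tor_user_ruleset() {
    user=${1:-}
    # Resolve the name to a numeric UID first, so a missing account fails
    # here instead of loading a ruleset that blocks all output.
    [ -n "$user" ] && uid=$(id -u "$user" 2>/dev/null) || {
        echo "no such user: $user" >&2
        return 1
    }
    # Loopback must be accepted in both chains under default deny: Tor
    # Browser reaches its local tor over 127.0.0.1. Note that any local
    # process able to reach that SOCKS port can also send traffic via Tor.
    # Tor only needs TCP, so the owner rule is limited to TCP.
    # Replies come back through the ESTABLISHED,RELATED rule on INPUT.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner $uid -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: sh tor-rules.sh torbrowser | iptables-restore   (as root)
if [ "$#" -gt 0 ]; then
    tor_user_ruleset "$1"
fi
```

The owner match is only valid for locally generated packets, which is why it appears in the OUTPUT chain and not in INPUT.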