[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: iptables and tor
The packets coming in on Tor TLS tunnels are destined for your node.
They go up the stack through TCP and TLS to the Tor application itself.
Tor does its AES CTR encryption on the cells coming out of these
streams, and puts them in other streams based on the circuit labels.
Here they get TLS'd, packed into TCP segments and go out.
This means that packets going out after relaying have nothing to do with
packets coming in, so I don't think marking makes any difference. This
is clearly a positive point of Tor.
-----BEGIN PGP SIGNED MESSAGE-----
In general, how would you protect a server with a public IP without tor?
On Sat, Feb 09, 2008 at 07:07:26PM -0500, dante@xxxxxxxxxxxxxxxxxxx wrote 0.8K bytes in 21 lines about:
: Has anyone given any thought as to what firewall rules to use on a linux
: system running a tor server? Besides the usual attacks against the
Common "default deny and allow only specified" rules which is used by
any admin who has common sense? Can't think of anything else.
Only allow incoming tcp traffic to Tor's dir- and listeningport and deny
What you could do is to allow Tor's ports (defaults or the ones defined
in your torrc) to pass through your firewall, and deny/shadow others.
You can also do some TCP stuff on these ports, trying to add some DoS
resistance, change priority (see the post
http://archives.seul.org/or/talk/Feb-2008/msg00047.html ), correct some
TCP misbehavior ,etc.
Otherwise, configure your exit policy well in the torrc, and hope that
Tor respects it ;-) ... OK, it is open source, so you can even be sure
about it :-)