
Re: [tor-talk] corridor, a Tor traffic whitelisting gateway



14.02.2014 15:12, Rusty Bird:
> ## Principle of operation
> 
> 1. Either run the corridor-data-consensus daemon script, which opens a
> Tor control connection and subscribes to NEWCONSENSUS events
> (announcements listing all public relays), or pipe any number of
> "Bridge" lines into corridor-data-bridges.
> 2. That data gets sent to corridor-helper-update, which atomically
> updates a Linux ipset (a list of IP-address:TCP-port entries accessible
> in constant time) named tor_relays.

Atomically is anatomically acceptable, but automatically appears to be
adequate.

(There's a spelling mistake and playing with words is fun. The sentence
is full of a's for that purpose.)

> 
> ## Pitfalls
> 
> **To be secure, your new gateway needs two separate network
> interfaces**, like two Ethernet NICs, or one WiFi radio and one DSL
> modem. One is to receive incoming traffic from client computers, the
> other one is to pass the filtered traffic towards the global internet,
> **and they need to be on different networks**: Clients must not be able
> to take a shortcut via DHCP, DNS, ICMP Redirect requests, and who knows
> what else.

Isn't this the most limiting factor?

How many systems have two separate networks? (Network interfaces might
be easier to achieve.)

Regards,
Sebastian G. (bastik)
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
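The quoted "Principle of operation" describes corridor-helper-update replacing the contents of the tor_relays ipset in one step. The shell below is an added example, not corridor's own script: it reads torrc-style Bridge lines (format per the tor manual: Bridge [transport] IP:ORPort [fingerprint] [k=v ...]) and emits an `ipset restore` batch that fills a temporary set and then swaps it with the live set, so the firewall never matches against an empty or half-filled set. The set type hash:ip,port, the temporary set name tor_relays_tmp and the IPv4-only parsing are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of corridor): build an `ipset restore` batch that
# atomically replaces the contents of the tor_relays set.
#
# Atomic replacement pattern: create a temporary set, fill it, then `swap`
# it with the live set (one kernel operation), then destroy the temporary
# set, which now holds the old entries.

SET_NAME="tor_relays"        # set name from the post
SET_TYPE="hash:ip,port"      # assumption: the post says IP-address:TCP-port entries
TMP_SET="${SET_NAME}_tmp"    # assumption: name of the scratch set

# bridge_to_entry LINE
#   Convert one torrc "Bridge" line into an ipset entry "IP,tcp:PORT".
#   Returns 1 (prints nothing) for comments, blank lines, IPv6 bridges
#   ([addr]:port, skipped in this IPv4-only example) and malformed input.
#   Runs in a subshell so `set -f` (no globbing while word-splitting the
#   line) does not leak into the caller.
bridge_to_entry() (
    set -f
    # shellcheck disable=SC2086
    set -- $1
    [ "${1:-}" = "Bridge" ] || return 1
    shift
    # An optional pluggable-transport name (obfs4, meek_lite, ...) never
    # contains a colon; the address always does.
    case "${1:-}" in
        *:*) ;;
        *)   shift ;;
    esac
    addr="${1:-}"
    ip="${addr%:*}"
    port="${addr##*:}"
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;     # not a bare IPv4 literal
    esac
    case "$port" in
        *[!0-9]*|"") return 1 ;;      # not a numeric port
    esac
    printf '%s,tcp:%s\n' "$ip" "$port"
)

# build_restore_batch
#   Read Bridge lines on stdin, print an `ipset restore` script on stdout.
#   Both `create` lines rely on the caller using `ipset -exist restore`,
#   so a live set, or a stale temporary set left by an interrupted run,
#   does not make the batch fail; `flush` then empties the stale set.
build_restore_batch() {
    printf 'create %s %s\n' "$SET_NAME" "$SET_TYPE"
    printf 'create %s %s\n' "$TMP_SET" "$SET_TYPE"
    printf 'flush %s\n' "$TMP_SET"
    while IFS= read -r line; do
        entry=$(bridge_to_entry "$line") || continue
        printf 'add %s %s\n' "$TMP_SET" "$entry"
    done
    printf 'swap %s %s\n' "$TMP_SET" "$SET_NAME"
    printf 'destroy %s\n' "$TMP_SET"
}

# Usage (as root, on the gateway):
#   build_restore_batch < bridges.txt | ipset -exist restore
```

Constructed input such as `Bridge obfs4 192.0.2.10:443 <fingerprint> cert=... iat-mode=0` becomes `add tor_relays_tmp 192.0.2.10,tcp:443`; the live set is only touched by the final `swap`. A forwarding rule on the gateway can then match TCP traffic from the client interface with `-m set --match-set tor_relays dst,dst`; the two-interface requirement quoted above is what stops clients from routing around that rule.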