
Re: [tor-talk] AORTA - others tried it?



Did anyone else check out AORTA or review its code?

One way for non-coders to review it is to observe whether the rulesets
it creates meet comprehensive expectations and make sense.

I think these are its rules, copied from aorta.c. Any opinions from experts?


const char *aorta_rules[] =
{
    // create an aorta chain inside the nat table

    "-t nat -N aorta",

    // DNS queries for onion addresses are resolved to an address in the
    // TOR_ONION_NETWORK range. traffic in this network must always be
    // processed by the local Tor daemon

    "-t nat -A aorta -p tcp -m tcp -d " TOR_ONION_NETWORK " -j REDIRECT --to-ports " TOR_TCP_PORT,

    // do not touch non-routable addresses, except for DNS traffic

    "-t nat -A aorta -d 127.0.0.0/8    -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 127.0.0.0/8    -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8     -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8     -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12  -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12  -p tcp -m tcp ! --dport 53 -j RETURN",

    // redirect to local Tor daemon

    "-t nat -A aorta -p tcp -m tcp -j REDIRECT --to-ports " TOR_TCP_PORT,
    "-t nat -A aorta -p udp -m udp --dport 53 -j REDIRECT --to-ports " TOR_DNS_PORT,

    // output traffic from processes inside our cgroup is processed by aorta chain

    "-t nat -A OUTPUT -m cgroup --cgroup " AORTA_CGROUP_CLASSID " -j aorta",
    0
};
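The post asks non-coders to check whether the ruleset "makes sense". One way to do that without a test machine is to walk the nat chain rule by rule for a handful of sample packets and see which verdict each one reaches. The following is an added example written for this reply; it is not code from AORTA. It re-states the rules above in Python with placeholder values for the macros the fragment does not define (TOR_ONION_NETWORK, TOR_TCP_PORT, TOR_DNS_PORT, AORTA_CGROUP_CLASSID are all constructed here), parses each iptables argument string, and applies the same first-match-wins, RETURN-to-caller semantics that the nat table uses. The simulator itself is an assumption about netfilter behaviour, not something taken from aorta.c.

```python
import ipaddress
import shlex

# Placeholder values for the aorta.c macros; the quoted fragment does not show
# their definitions, so these are constructed for the simulation only.
TOR_ONION_NETWORK = "127.192.0.0/10"   # placeholder (Tor's VirtualAddrNetworkIPv4 default)
TOR_TCP_PORT = "9040"                  # placeholder TransPort
TOR_DNS_PORT = "5353"                  # placeholder DNSPort
AORTA_CGROUP_CLASSID = "0x00110011"    # placeholder net_cls classid

# The rules from aorta.c, in the same order, with the macros substituted.
AORTA_RULES = [
    "-t nat -N aorta",
    f"-t nat -A aorta -p tcp -m tcp -d {TOR_ONION_NETWORK} -j REDIRECT --to-ports {TOR_TCP_PORT}",
    "-t nat -A aorta -d 127.0.0.0/8    -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 127.0.0.0/8    -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8     -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8     -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12  -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12  -p tcp -m tcp ! --dport 53 -j RETURN",
    f"-t nat -A aorta -p tcp -m tcp -j REDIRECT --to-ports {TOR_TCP_PORT}",
    f"-t nat -A aorta -p udp -m udp --dport 53 -j REDIRECT --to-ports {TOR_DNS_PORT}",
    f"-t nat -A OUTPUT -m cgroup --cgroup {AORTA_CGROUP_CLASSID} -j aorta",
]


def parse_rule(rule):
    """Turn one iptables argument string into a dict of match criteria and target."""
    toks = shlex.split(rule)
    r = {"chain": None, "proto": None, "dst": None, "dport": None,
         "dport_negate": False, "target": None, "to_ports": None, "cgroup": None}
    i, negate = 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate = True; i += 1; continue
        if t in ("-t", "-N", "-m"):          # table, chain creation, match module name
            i += 2
        elif t == "-A": r["chain"] = toks[i + 1]; i += 2
        elif t == "-p": r["proto"] = toks[i + 1]; i += 2
        elif t == "-d": r["dst"] = ipaddress.ip_network(toks[i + 1]); i += 2
        elif t == "--dport":
            r["dport"], r["dport_negate"] = int(toks[i + 1]), negate
            negate = False; i += 2
        elif t == "-j": r["target"] = toks[i + 1]; i += 2
        elif t == "--to-ports": r["to_ports"] = int(toks[i + 1]); i += 2
        elif t == "--cgroup": r["cgroup"] = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unhandled token {t!r} in {rule!r}")
    return r


def matches(rule, pkt):
    """Does this packet satisfy every match criterion of the rule?"""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["cgroup"] and rule["cgroup"] != pkt.get("cgroup"):
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dport"] is not None:
        hit = pkt.get("dport") == rule["dport"]
        if rule["dport_negate"]:
            hit = not hit
        if not hit:
            return False
    return True


def walk_chain(rules, chain, pkt):
    """First matching terminating target wins; a jump to a user chain that ends
    in RETURN or runs off the end resumes in the calling chain."""
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt):
            continue
        if r["target"] == "REDIRECT":
            return f"REDIRECT:{r['to_ports']}"
        if r["target"] == "RETURN":
            return "RETURN"
        verdict = walk_chain(rules, r["target"], pkt)   # user-defined chain
        if verdict not in ("RETURN", "FALLTHROUGH"):
            return verdict
    return "FALLTHROUGH"


def simulate(pkt, in_cgroup=True):
    """Verdict for one outgoing packet: REDIRECT:<port>, or UNTOUCHED (normal routing)."""
    rules = [parse_rule(x) for x in AORTA_RULES if " -A " in x]
    pkt = dict(pkt, cgroup=AORTA_CGROUP_CLASSID if in_cgroup else None)
    verdict = walk_chain(rules, "OUTPUT", pkt)
    return "UNTOUCHED" if verdict in ("RETURN", "FALLTHROUGH") else verdict


if __name__ == "__main__":
    # Constructed sample packets (documentation/private ranges only).
    samples = [
        {"proto": "tcp", "dst": "127.200.1.2", "dport": 80},    # .onion virtual address
        {"proto": "tcp", "dst": "127.0.0.1", "dport": 22},      # local ssh
        {"proto": "tcp", "dst": "127.0.0.1", "dport": 53},      # TCP DNS to localhost
        {"proto": "tcp", "dst": "203.0.113.5", "dport": 443},   # public HTTPS
        {"proto": "udp", "dst": "203.0.113.5", "dport": 53},    # public UDP DNS
        {"proto": "udp", "dst": "192.168.1.1", "dport": 53},    # LAN resolver
        {"proto": "udp", "dst": "203.0.113.5", "dport": 123},   # public NTP
    ]
    for p in samples:
        print(f"{p['proto']} {p['dst']}:{p['dport']:<4} -> {simulate(p)}")
```

Things the walk makes visible that are easy to miss when reading the strings: the onion REDIRECT sits above the loopback RETURN, so an onion address inside 127.0.0.0/8 still reaches Tor (rule order, not just rule content, carries the guarantee); TCP to port 53 on a private address is excluded from the RETURN rules and therefore falls to the catch-all TCP REDIRECT rather than the DNS port; and UDP to anything other than port 53 matches no rule in this chain at all, so within the quoted fragment it is left to normal routing, and a reviewer would want to see whatever filter-table rules accompany this nat chain before concluding how such traffic is handled. Traffic from processes outside the cgroup never enters the chain.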




