[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] AORTA - others tried it?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] AORTA - others tried it?
From: alen.alen@xxxxxxxxxxxxxx
Date: Wed, 07 Feb 2018 12:13:26 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 07 Feb 2018 09:46:41 -0500
In-reply-to: <CAD2Ti28TqokJpoKeVtYQzpUHOMqJzbN0sSw=XyqP0txMDYmFJw@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20180202002035.Horde.BZ6e2se6MVHYVwVmEx8wRSZ@www.vfemail.net> <CAD2Ti28TqokJpoKeVtYQzpUHOMqJzbN0sSw=XyqP0txMDYmFJw@mail.gmail.com>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Horde Application Framework 5

**Did anyone else check out AORTA or review its code?


One way for non coders to review it is to observe if the rulesets
it creates meets comprehensive expectations and makes sense.


I think these are its rules, copied from aorta.c, any opinions from experts?


const char *aorta_rules[] =
{
    // create an aorta chain inside the nat table

    "-t nat -N aorta",

    // DNS queries for onion addresses are resolved to an address in the
    // TOR_ONION_NETWORK range. traffic in this network must always be
    // processed by the local Tor daemon

"-t nat -A aorta -p tcp -m tcp -d " TOR_ONION_NETWORK " -jREDIRECT --to-ports " TOR_TCP_PORT,


    // do not touch non-routable addresses, except for DNS traffic

    "-t nat -A aorta -d 127.0.0.0/8    -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 127.0.0.0/8    -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8     -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8     -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12  -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12  -p tcp -m tcp ! --dport 53 -j RETURN",

    // redirect to local Tor daemon

    "-t nat -A aorta -p tcp -m tcp -j REDIRECT --to-ports " TOR_TCP_PORT,

"-t nat -A aorta -p udp -m udp --dport 53 -j REDIRECT --to-ports" TOR_DNS_PORT,

// output traffic from processes inside our cgroup is processedby aorta chain


    "-t nat -A OUTPUT -m cgroup --cgroup " AORTA_CGROUP_CLASSID " -j aorta",
    0
};





-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!

$24.95 ONETIME Lifetime accounts with Privacy Features!15GB disk! No bandwidth quotas!Commercial and Bulk Mail Options!--

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] AORTA - others tried it?
  - From: alen . alen
- Re: [tor-talk] AORTA - others tried it?
  - From: grarpamp

Prev by Author: Re: [tor-talk] AORTA - others tried it?
Next by Author: Re: [tor-talk] AORTA - others tried it?
Previous by thread: Re: [tor-talk] AORTA - others tried it?
Next by thread: Re: [tor-talk] AORTA - others tried it?
Index(es):
- Author
- Thread