[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Ports required for Tor and hidden services

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Ports required for Tor and hidden services
From: Forst <forst@xxxxxxxxxx>
Date: Sun, 09 Feb 2020 02:10:04 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 09 Feb 2020 15:13:33 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=waifu.club; s=mail; t=1581214208; bh=6Y5z3T1bg/qNotS+VhUSXN+HP9nF8kv/sD7742SD3Bw=; h=Date:From:To:Subject:In-Reply-To:References:From; b=FSjob9H0Zig7LGO2NVbCXpmHa0hwF4fitIEZWUCJx4WG7b9wUS6QDXY5mURw/xLI2 2lGXwBt9JQT68cyQsilgcgB1YExOs7RFHAVZyFdO3kT0I/CYnqw+CfCzC/uKMgpfCs 5pBkJxyXu5etPJgXqOf1glHOIbvf1+Dcv4OyxRCIsPSM6Ymhdp6cwK/XyVdSN1QhgU vUInM5R8BS3OxrXspLsGSYsDpdJz+nJkl3sj/J7Us42HcstGm/qjaBx6xxkDGfoDnh XfxQd8dLXtR9DePKTq+wObedQZAQAGDJgYmCDcCE5RDLC2CbTZt1HJzwr5tS9YmTwe v4lQCL9ltOHJg==
In-reply-to: <c321c92f-6aa5-7919-6492-7617e3c44dc7@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <192279a3245791e32d54d711e933483d@waifu.club> <87muael7d3.fsf@riseup.net> <c7aa208378e43ee6790a4db3c8788f93@waifu.club> <20200124141907.GA15263@inner.h.apk.li> <b38c79d060288065d6b1451f23a10de7@waifu.club> <5E2E7AD4.4010706@copper.net> <c321c92f-6aa5-7919-6492-7617e3c44dc7@riseup.net>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Roundcube Webmail/1.3.10

On 2020-01-28 01:17, Mirimir wrote:

On 01/26/2020 10:53 PM, Jim wrote:

Forst wrote:

In that case, what would be best approach to achieve that all traffic
is forced though Tor and direct internet connection blocked,
preferably even if/when the system is breached?


Roger gave a good reply for the case where the system is not breached.

But if your firewall is on the same system as the hidden service andan

attacker gets root then nothing can save you since the attacker could
alter the firewall at will.  The only exception I can think of is
SELinux *might* provide a mechanism to prevent this but I am not
familiar with it.

Jim


If you're that paranoid, you can use the Whonix model. Basically, run
the Tor process and firewall on one machine, with requisite ports
exposed on an isolated LAN. And run the web server on another machine,

connected via that LAN. So nothing on that machine can see theInternet,

except through Tor.

If you control physical access, it's most secure for those to be
separate hardware. Otherwise, you can use KVM VMs. You can even run KVM
VMs on some KVM VPS, although it's a little sluggish.

I don't have the hardware for physical isolation (kind of), but I canuse a router which is basically a Linux box that could do the actualfirewalling and re-directing traffic on a LAN to a Tor client running onthe router rather than in the actual server machine.

Altough I would prefer an approach where the actual Tor client is on theserver machine.

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Prev by Author: Re: [tor-talk] Tor Speculated Broken by FBI Etc - Freedom Hosting, MITTechReview - Magneto
Next by Author: [tor-talk] Validating the DA authority document
Previous by thread: Re: [tor-talk] TBB "Security Level" Question.
Next by thread: [tor-talk] New alpha release: Tor 0.4.3.2-alpha
Index(es):
- Author
- Thread