
Re: [tor-talk] Ports required for Tor and hidden services

On 2020-01-28 01:17, Mirimir wrote:
> On 01/26/2020 10:53 PM, Jim wrote:
>> Forst wrote:
>>> In that case, what would be the best approach to achieve that all traffic
>>> is forced through Tor and direct internet connection blocked,
>>> preferably even if/when the system is breached?
>>
>> Roger gave a good reply for the case where the system is not breached.
>> But if your firewall is on the same system as the hidden service and an
>> attacker gets root then nothing can save you since the attacker could
>> alter the firewall at will.  The only exception I can think of is
>> SELinux *might* provide a mechanism to prevent this but I am not
>> familiar with it.
>
> If you're that paranoid, you can use the Whonix model. Basically, run
> the Tor process and firewall on one machine, with requisite ports
> exposed on an isolated LAN. And run the web server on another machine,
> connected via that LAN. So nothing on that machine can see the Internet,
> except through Tor.
>
> If you control physical access, it's most secure for those to be
> separate hardware. Otherwise, you can use KVM VMs. You can even run KVM
> VMs on some KVM VPS, although it's a little sluggish.

I don't have the hardware for physical isolation (kind of), but I can use a router, which is basically a Linux box, that could do the actual firewalling and redirect traffic on the LAN to a Tor client running on the router rather than on the actual server machine.

Although I would prefer an approach where the actual Tor client is on the server machine.
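For reference, here is what the gateway-side ruleset in the isolated-LAN model discussed above (Tor and firewall on the router, web server on a LAN-only machine) can look like in nftables. This is an added illustration, not text or code from the thread or from Whonix; interface names, addresses, ports and the `debian-tor` user are assumptions and must match your own torrc.

```nft
#!/usr/sbin/nft -f
# Assumed layout (constructed): eth0 = upstream/WAN, eth1 = isolated LAN.
# Assumed torrc on the gateway:
#   TransPort 10.152.152.10:9040
#   DNSPort   10.152.152.10:5353
#   HiddenServicePort 80 10.152.152.11:80   (web server on the LAN box)
define wan       = eth0
define lan       = eth1
define tor_trans = 9040
define tor_dns   = 5353
define tor_socks = 9050

flush ruleset

table inet torgw {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # LAN DNS is answered by Tor's DNSPort, so no resolver traffic leaves directly
        iifname $lan udp dport 53 redirect to :$tor_dns
        # New TCP connections from the LAN are transparently proxied through TransPort
        iifname $lan tcp flags & (fin|syn|rst|ack) == syn redirect to :$tor_trans
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname lo accept
        # The LAN box may reach only Tor's listeners on the gateway
        iifname $lan tcp dport { $tor_trans, $tor_socks } accept
        iifname $lan udp dport $tor_dns accept
        # Everything else (including anything from the WAN side) is dropped
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # No routing between LAN and WAN: even a rooted web server has no direct path out
    }

    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        oifname lo accept
        # Only the tor daemon's own user may originate traffic towards the Internet
        oifname $wan meta skuid "debian-tor" accept
        # The gateway (and Tor's hidden-service backend connection) may talk to the LAN
        oifname $lan accept
    }
}
```

Load it with `nft -f` on the gateway; the forward chain's drop policy is what enforces "blocked even if the server is breached", since the server machine never has a route to the WAN in the first place.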