
Re: [tor-talk] Ports required for Tor and hidden services



On Sat, Jan 25, 2020 at 01:30:34PM +0000, Forst wrote:
> In that case, what would be best approach to achieve that all traffic is
> forced through Tor and direct internet connection blocked, preferably even
> if/when the system is breached?

Here are two approaches that are worth exploring:

(A) Set the iptables rules so only the tor process can get through
the firewall. This is how Tails does it, I believe. This way you're
firewalling based on what user is trying to make the connection, rather
than what destination they're trying to reach. More info at
https://tails.boum.org/contribute/design/Tor_enforcement/

(B) Pick a bridge that you know you like, and configure your Tor to
use that, and configure your firewall to only allow connections to
that bridge. More info on this approach at
https://lists.torproject.org/pipermail/tor-relays/2014-October/005541.html
https://lists.torproject.org/pipermail/tor-relays/2014-October/005544.html
("The best design we've been able to come up with is one that forces
you to be using Tor on your side, and only allows your traffic through
if it's coming from Tor.")

I guess there is also (C) do both.

--Roger
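As an added illustration of approaches (A) and (C) above (this is not code from Roger's message or from the Tails design, which is linked there), the following POSIX shell function generates an iptables-restore ruleset that lets only the Tor daemon's user open outbound TCP connections, and can optionally narrow that to a single bridge. It assumes Tor runs as the user passed in $1 (for example debian-tor on Debian-based systems) and that the optional bridge is passed as an IP and port in $2 and $3; the iptables `owner` and `conntrack` matches must be available on the host.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# ruleset implementing approach (A): only the Tor user may initiate
# outbound connections. With a bridge IP and port, it implements (C):
# the Tor user may only reach that one bridge.
# Assumed inputs: $1 = Tor's system user, $2/$3 = optional bridge IP and port.

tor_only_rules() {
    tor_user="$1"
    bridge_ip="$2"
    bridge_port="$3"

    if [ -n "$bridge_ip" ]; then
        # (C): Tor itself is pinned to the configured bridge
        tor_accept="-A OUTPUT -m owner --uid-owner $tor_user -p tcp -d $bridge_ip --dport $bridge_port -j ACCEPT"
    else
        # (A): the owner match keys on the uid of the socket, not the destination
        tor_accept="-A OUTPUT -m owner --uid-owner $tor_user -p tcp -j ACCEPT"
    fi

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays open so local applications can reach Tor's SOCKS port
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections Tor already opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$tor_accept
# everything else (DNS, any non-Tor process) is logged, then hits the DROP policy
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor-egress: "
COMMIT
EOF
}
```

Apply it with `tor_only_rules debian-tor | iptables-restore` (or with the bridge arguments added), after confirming the user name matches the one in Tor's `User` setting; the LOG line gives you a kernel-log record of any process on a compromised host trying to bypass Tor.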

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk