[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] ORBot-like app for Mac/Windows

On 05/03/11 22:35, tor@xxxxxxxxxxxxxxxxxx wrote:
On 03/05/2011 20:02, Jerzy Åogiewa wrote:


interface is great -- why not something like this for mac (and even windows too) ? it would be handy on a mac to selectively torify apps!
The reason it is possible on Android is because each app runs under it's
own user id.

netfilter/iptables has an "owner" module. Assuming you're using the Tor
TransPort directive on port 9040, you could torify uid 1234 under Linux
with this command (untested):

iptables -t nat -A OUTPUT -m owner --uid-owner 1234 -j REDIRECT
--to-ports 9040

Then the outgoing connections of any app running under uid 1234 are
forwarded to local port 9040 and "torrified."

This doesn't really translate to OSX or Windows or even normal Linux
desktop usage.

At least, this is how I'm assuming Orbot does it. I know this is how
DroidWall handles applying firewall rules for different apps...

_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Yep, this is exactly how Orbot does things (apart from the fallback "proxy by port" option, which is sub-optimal).

Jerzy: If you would like to learn more about that principle (and also how it can - theoretically - be used on desktops), see https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy .
Unfortunately, in desktop systems, (nearly) all processes are created by a small number of users, and while it's (at least for GNU/Linux) possible to force every process - or at least all the programs you call from your graphical menu - into its own UID, it'd require a vast amount of modifications to things that shouldn't concern Tor. The approaches I'm coming up with ad hoc are all so horribly wrong, insecure and unportable that just thinking of some fool implementing anything of that caliber makes me reach for the clue-by-four.

It might be possible - since there are firewalls for both Mac and Windows that can filter by application (Apple calls it "Application Firewall" and I remember various Windows FWs having such functionality), they should also be able to redirect them. It might be possible to implement an application based redirection on Linux, but probably only in a very crude manner (there's a project called TuxGuardian which apparently uses application based filtering, but it looks unmaintained, last update was 5 years ago).

To sum it up (from my half-informed point of view): It's theoretically possible, but the effort required for this usability enhancement would simply be too much. As all multi-platform tools, Tor tries to use common designs and functions across all systems and only employ platform-specific glue when necessary, and there is no common framework for application-based filtering/redirection.
tor-talk mailing list