[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Security concerns/help me understand tor



On Wed, Nov 07, 2007 at 08:20:37AM -0800, Martin
Fick wrote:
> My home router offers an http administration
> console on port 80 which for obvious security
> reasons is normally only accessible from the
> internal facing side of the router.  While
> many of these home routers typically have an
> internal private IP such as 192.168.1.1 and
> an external public IP, they sometimes respond
> to both IPs from the inside and sometimes they
> even allow access to the administration console
> on the external IP if it is accessed from the
> internal side of the router (mine does).  This
> would not normally be a problem, but add a tor
> exit server to the inside of a home network
> serviced by such a router and ...you can
> probably guess where I am going with this.

...
--- Kyle Williams <kyle.kwilliams@xxxxxxxxx> wrote:
>
> If anyone is concerned about this, and you should
> be add the following to your torrc.
>
> ExitPolicy reject <YOUR_EXTERNAL_IP>:*
>
> Obviously replacing <YOUR_EXTERNAL_IP> with your
> real IP address...not your internal (LAN) IP
address.

...
--- Jacob Appelbaum <jacob@xxxxxxxxxxxxx> wrote:
>
> I run a few services on the net. I like the idea
> that if I run a Tor server on the same machine
> (on the same interface, with the same IP) as
> my service, people using Tor will prefer my node as
> their exit node. This allows me to provide services
> indirectly to the Tor network without very much
> effort. Smart routing is neato. This is a
> feature and a pretty neat one at that.

...
--- Ruben Garcia <ruben@xxxxxx> wrote:
> Perhaps it might be possible to tell tor about the
> router's nat policy so that if the router is
> supposed to port forward the external request
> to <ipA>:<portA>, tor does it itself.
> That way, the problematic
>
> host->tor->tor->your host tor->router->your host web
>
> can become
>
> host->tor->tor->your host tor->your host web
>
> (This requires some changes to the torrc and tor
> source, so I'd like to add it to the feature
> request list in case somebody has free time)


This seems like a nice valid option, spoofing
the external IP from within the tor exit node?
In other words if the web internal IP is say:
192.168.1.2, any request for the external
IP through the tor exit would actually yield
a request directly to the web server's internal
IP, 192.168.1.2, instead?

That sounds like a nice feature to be able to
get the best of both worlds: 1) security for
the relay operator and 2) for users accessing
the NATed web site!

Naturally this should be configurable for
specific ports only.  Of course, adding an
IP spoofing mechanism directly to tor exit
nodes makes it that much easier for IPs in
general to be spoofed by exit nodes! :(


-Martin


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com