
Re: funneling a wireless net's outbound connections through tor

     On Mon, 01 Oct 2007 10:06:50 +0100 Mike Cardwell <tor@xxxxxxxxxxxxxxxxxx>
>Scott Bennett wrote:
>>>> I'm trying to set up a free wireless service for those of my neighbors
>>>> within range of a little wireless router I have.  To keep things safe for
>>>> me and at least somewhat safer for them, I want to route all the outbound
>>>> connections from that router through tor using pf under FreeBSD 6.2-STABLE
>>>> (i386).
>>> Do not do that.
>> I am going to do that and as soon as I can figure out how to do it
>> correctly.
>>> You should not make traffic go transparently through tor, unless the
>>> people using your network fully understand what tor is about, and what
>>> are the associated security risks (such as exit nodes performing MITM
>>> attacks on SSL certificates).
>> Thank you for your opinion, but it was not particularly relevant to
>> what I posted. First, please reread what I wrote.  I will be providing a *free
>> wireless access* service to my neighbors.  Even if I tell them *nothing*,
>> they will be better off than without the service.  They do not even have
>> to know that it is going through any sort of anonymizing process.  Just
>> the fact that they will have a free, if rather pokey, service available
>> will be an enhancement to my neighborhood.
>If you set up something like that you're opening up all sorts of attacks 
>against the people who use your service. If they don't know that all of 
>their plain text traffic can be read and modified by, "dodgy," exit 
>nodes, and almost certainly *will* be at some point...
     How will they be subject to any greater number of possible attacks
if their connections are funneled through tor than if they are not?  They
can go to any of several coffee shops in the area and use unencrypted,
completely unprotected, free or paid wireless services.  They just can't
do that at home.  If you see some way by which anonymizing their TCP
source addresses and their UDP port 53 (name service) packets' source
addresses when they access the Internet at home will cause them to suffer
more attacks than they will in any public location or, for that matter,
from a direct connection in their own dwelling if they had one, please
enlighten me.
     Aside from that, the only IP addresses that could conceivably be
discovered would either be the one temporarily assigned to my connection
or the one assigned on a private network by my wireless router via DHCP.
     In any case, I still would appreciate helpful information, so I'll
repeat my questions here, quoting from my original query:

->     dns-proxy-tor apparently uses the MAPADDRESS command via the tor
->control port, so it is also necessary to specify a VirtualAddrNetwork in
->torrc for dns-proxy-tor's use, so those instructions include an example of
->     However, I had been hoping to use DNSPort in torrc instead of running
->dns-proxy-tor.  Am I correct in thinking that I will not need to specify a
->     A second question for someone who uses or has used pf under FreeBSD
->or OpenBSD involves the use of rdr commands to redirect the TCP connections
->from the interface connected to the wireless router's "WAN" port.  If the
->rdr changes the TCP or UDP packets' destination addresses to lo1's address
->(, how does tor know what the original destination is supposed
->to be?  I didn't find anything in the tor documentation or elsewhere to
->explain this.


                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
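As an added illustration of the pf redirection and torrc settings the quoted questions describe, here is a pair of configuration fragments (not from the original thread or from the Tor project's own documentation). It assumes the wireless router's WAN side is reached via interface `sis1` carrying the private network `192.168.5.0/24`, and that tor listens on 127.0.0.1 rather than on lo1; names and port numbers are placeholders to adapt.

```conf
### /etc/pf.conf fragment (FreeBSD 6.x pf syntax; assumed interface/network names)
wifi_if  = "sis1"            # interface facing the wireless router's WAN port
wifi_net = "192.168.5.0/24"  # addresses handed out behind that router

# TCP from the wireless side: rewrite the destination to tor's TransPort.
# pf records the pre-translation destination in its state table, and tor's
# TransPort recovers it by querying pf (/dev/pf, DIOCNATLOOK), so the original
# destination is not lost even though the packet now says 127.0.0.1.
rdr pass on $wifi_if inet proto tcp from $wifi_net to any -> 127.0.0.1 port 9040

# UDP port 53 only: hand name lookups to tor's DNSPort.
rdr pass on $wifi_if inet proto udp from $wifi_net to any port domain -> 127.0.0.1 port 5353

# tor carries nothing but TCP, so any other UDP (and ICMP) from the wireless
# side would leave the box unanonymised; drop it instead of forwarding it.
block in quick on $wifi_if inet proto udp  from $wifi_net to any
block in quick on $wifi_if inet proto icmp from $wifi_net to any

### /usr/local/etc/tor/torrc fragment
# Both listeners bind to localhost by default, matching the rdr targets above.
TransPort 9040
DNSPort   5353
# Needed only if AutomapHostsOnResolve is used to hand out fake addresses for
# .onion/.exit names via DNSPort; ordinary A-record lookups are answered with
# the real address and do not touch this range.
AutomapHostsOnResolve 1
VirtualAddrNetwork 10.192.0.0/10
```

The tor process must be able to open /dev/pf for the destination lookup to work, so check its permissions if transparent connections fail while SocksPort connections succeed.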