Re: funneling a wireless net's outbound connections through tor
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: funneling a wireless net's outbound connections through tor
- From: tup <tup.tuple@xxxxxxxxxxxxxx>
- Date: Tue, 2 Oct 2007 03:54:56 +0000
- Delivery-date: Mon, 01 Oct 2007 23:55:05 -0400
- In-reply-to: <200709282135.l8SLZcTp001175@xxxxxxxxxxxxx>
- References: <200709282135.l8SLZcTp001175@xxxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
On 9/28/07, Scott Bennett <bennett@xxxxxxxxxx> wrote:
> I'm trying to set up a free wireless service for those of my neighbors
> within range of a little wireless router I have. To keep things safe for
> me and at least somewhat safer for them, I want to route all the outbound
> connections from that router through tor using pf under FreeBSD 6.2-STABLE
> (i386). In order to keep such traffic distinguishable from my own local
> traffic, I intend to route it to tor on a second loopback interface (lo1).
> I've looked at instructions for doing something like this at
>
> http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy
The second loopback interface is simply a kludge I found that allows
pf to apply rdr rules to locally-originated traffic. You don't need it if
you're only trying to redirect others' traffic; see section 3.2 in that
wiki page.
> dns-proxy-tor apparently uses the MAPADDRESS command via the tor
> control port, so it is also necessary to specify a VirtualAddrNetwork in
> torrc for dns-proxy-tor's use, so those instructions include an example of
> VirtualAddrNetwork.
> However, I had been hoping to use DNSPort in torrc instead of running
> dns-proxy-tor. Am I correct in thinking that I will not need to specify a
> VirtualAddrNetwork?
You'll still want to set VirtualAddrNetwork to an unused, private
address space so that .onion and .exit names will resolve to routable
addresses when you specify 'AutomapHostsOnResolve 1'.
> A second question for someone who uses or has used pf under FreeBSD
> or OpenBSD involves the use of rdr commands to redirect the TCP connections
> from the interface connected to the wireless router's "WAN" port. If the
> rdr changes the TCP or UDP packets' destination addresses to lo1's address
> (127.0.0.2), how does tor know what the original destination is supposed
> to be? I didn't find anything in the tor documentation or elsewhere to
> explain this.
This is a platform-specific implementation detail, which explains why
it's not documented. What happens is that the route-to rule routes
traffic to lo1, where the rdr rule actually rewrites the destination
address and port to 127.0.0.1:9040. The original destination is kept
around in the connection state table, so it can be looked up by Tor
with the right ioctl(2) command on /dev/pf; see pf(4).
tup
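The arrangement tup describes for other hosts' traffic, as an added example that is not part of this thread or of the wiki page it cites: a pf.conf fragment that redirects the wireless segment's TCP and DNS straight to Tor with no second loopback, beside the matching torrc lines. The interface name rl0, DNSPort 5353 and the 10.192.0.0/10 virtual range are assumptions.

```conf
# --- /etc/pf.conf fragment (example; interface name and ports are assumptions) ---
wifi_if   = "rl0"     # interface wired to the wireless router's "WAN" port
tor_trans = "9040"    # Tor's TransPort
tor_dns   = "5353"    # Tor's DNSPort

# Translation rules. The lo1/route-to kludge is only needed for locally-
# originated traffic. Packets arriving on $wifi_if can be rdr'ed straight to
# Tor on loopback; pf keeps the original destination in its state table, which
# is what Tor later recovers through the ioctl on /dev/pf.
rdr pass on $wifi_if inet proto tcp from any to ! $wifi_if \
    -> 127.0.0.1 port $tor_trans
rdr pass on $wifi_if inet proto udp from any to any port domain \
    -> 127.0.0.1 port $tor_dns

# Filter rules. "rdr pass" already admits the redirected packets, so everything
# else that comes in from the wireless side (other UDP, ICMP, IPv6) is dropped
# rather than allowed to leak around Tor.
block drop in on $wifi_if all

# --- torrc additions (example) ---
TransPort 9040                    # transparent TCP proxy, bound to 127.0.0.1
DNSPort 5353                      # answers the redirected UDP/53 queries via Tor
VirtualAddrNetwork 10.192.0.0/10  # unused private range; keep it clear of the
                                  # wireless router's own LAN range
AutomapHostsOnResolve 1           # .onion/.exit names map into that range
```

Load it with `pfctl -f /etc/pf.conf` and confirm the rewrites with `pfctl -s nat`; `pfctl -s state` then shows the original destination that each redirected connection is keeping for Tor.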