[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Firewall / NAT misconfiguration = Tor
- To: or-talk@xxxxxxxxxxxxx
- Subject: Firewall / NAT misconfiguration = Tor
- From: Roc Admin <onionroutor@xxxxxxxxx>
- Date: Sat, 24 Oct 2009 18:58:49 -0400
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Sat, 24 Oct 2009 19:27:29 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=kabzJ+gymgFi7SdSM+gxmdp04V4iAm2/9rGrqxD86BQ=; b=d60GlB58bOyQ+vmglwwpBYp1obpd0k5lgMK9pHS5i2xuSMIvH9Ck1VIYfcQffm3Iqy gy6crO+jVXiyIp84IUO5/Xe28OIi279OjgXmcP2bWJFvg//tmTv0QWevazy1eZoQdn8V DLWTfkX0v83HDLnMgpFoLCrzunLqMzjwFEmlk=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=bM7a/3mxikMrAMBVbVnxqaJSC46COiH7k6dFmN/fe32+ouJnzqqbTXp5TeitUSQ54N ffgai5AVHgC9+AvACeqAqRr42sKSE01FR64vSxlCYsAQQHgeIhiBJShlbcTPod9i+CAk uAJ+3FhhnLLaja7NYqHXww8rX6ak5jsalta5o=
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
This is not exactly on topic but because it involves Tor I was hoping
someone else may know some more informationI'll give you my question
first and you can read the details after if it's something you might
be able to help with.
If a person misconfigures their firewall so that their NAT policy
forwards to an internal IP and then makes a firewall rule to allow all
traffic inbound, would it be possible for an attacker to hijack that
connection and use it to connect to a Tor server?
I have a client running pFSense for their firewall and they
misconfigured it so that a NAT policy was created to setup port
forwarding of port 443 to an internal server. He then made a firewall
rule to allow any protocol from any source to connect to anything
inbound or outbound. Obviously wrong.
He noticed a lot of traffic involving TCP 9001 and reverse look ups
showed connections to Tor exit nodes. We fixed the firewall issue as
soon as we found it and the Tor connections stopped.
There are two computers on the network and neither are running Tor and
netstat didn't show any attempts to connect out. (I know this isn't
indepth but it's at least an attempt) Would it be possible that an
attacker could be hijacking the firewall to make outbound connections
thereby creating a proxy server before he joins a Tor server?
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/