
Firewall / NAT misconfiguration = Tor

This is not exactly on topic, but because it involves Tor I was hoping
someone else may know some more information. I'll give you my question
first and you can read the details after if it's something you might
be able to help with.

If a person misconfigures their firewall so that their NAT policy
forwards to an internal IP and then makes a firewall rule to allow all
traffic inbound, would it be possible for an attacker to hijack that
connection and use it to connect to a Tor server?

I have a client running pfSense for their firewall and they
misconfigured it so that a NAT policy was created to set up port
forwarding of port 443 to an internal server.  He then made a firewall
rule to allow any protocol from any source to connect to anything
inbound or outbound. Obviously wrong.

He noticed a lot of traffic involving TCP 9001 and reverse lookups
showed connections to Tor exit nodes.  We fixed the firewall issue as
soon as we found it and the Tor connections stopped.

There are two computers on the network and neither is running Tor and
netstat didn't show any attempts to connect out.  (I know this isn't
in-depth, but it's at least an attempt.)  Would it be possible that an
attacker could be hijacking the firewall to make outbound connections
thereby creating a proxy server before he joins a Tor server?