
Re: Is it possible to firewall Tor traffic with a hardware firewall?



One possible solution would be to run Tor on the firewall/router instead of the PC/server, and configure the HiddenServicePort to point to the PC that is running the service you want hidden.
You would also want to make sure that the firewall/router is routing all traffic from the hidden service PC to Tor's TransPort, which should also be configured in your torrc. As long as all incoming and outgoing traffic is routed through the Tor network, the likelihood of having a successful side channel attack reveal your real IP is slim.

Two network cards would be required to reduce the possibility of side channel attacks. One for the PC(s) that you want to have running the hidden service, and the other one connecting to the Internet.  I've previously worked on a project for this type of security, and have a few diagrams which may or may not be the type of setup you're looking for.
http://januspa.com/docs.html

Here's an example script you would want to run on the firewall/router (assuming it's running Linux). Modify for your security requirements accordingly.

#!/bin/bash
# Transparent Tor gateway: EXTIF faces the Internet, INTIF faces the PC(s)
# running the hidden service. Tor's TransPort/DNSPort run on this box.
IPTABLES="/sbin/iptables"   # path varies by distribution; adjust as needed
EXTIF="eth0"
INTIF="eth1"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Start from a clean filter and nat table
$IPTABLES -F
$IPTABLES -t nat -F

# Only packets that are NOT redirected below ever reach FORWARD; allow
# replies of already-tracked TCP flows from the inside to pass
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# REDIRECT DNS REQUEST TO TOR'S DnsPort (DNSPort 53 in torrc)
$IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 -j REDIRECT --to-ports 53

# REDIRECT HTTP REQUEST TO PRIVOXY/SQUID, WHICH THEN USES TOR (OPTIONAL)
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 8888

# REDIRECT EVERYTHING ELSE TO TOR'S TransPort (TransPort 9095 in torrc)
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -j REDIRECT --to-ports 9095

# DROP EVERYTHING ELSE (ICMP, UDP, ETC...) so nothing from the inside can
# leave via EXTIF without going through Tor
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j DROP

######################################################################################
 
Do you think a setup like this would work for your needs?

Best regards,
Kyle

On Sat, Oct 30, 2010 at 3:29 AM, <hikki@xxxxxxxxxxxxx> wrote:
To make side channel attacks more difficult, especially for those who
don't use virtual machines to run their hidden services, I was thinking
about using a hardware firewall between the Tor computer and the Internet modem.
The hardware firewall can do IP based blocking, meaning that you
can decide what IP address the Tor computer can connect to only.
Like adding custom entry nodes in the Tor's config file and then put
those IP addresses in the hardware firewall's rules so you can only
connect to those, and no other IP.

But there's a problem doing this. Sometimes Tor needs to connect to a
directory server (if I've understood it right?) to update its directory list.
And it doesn't connect to your exclusive entry node list for that.
It seems, from the firewall's internal log, that it tries a lot of random
IPs for that. So eventually your Tor engine will stop working or you
can't restart it as long as the firewall blocks all outgoing traffic
except for your entry node's IP addresses.

Is there a way to make this possible, so you can IP filter your Tor
computer and lock its connections only to your entry nodes and directory servers?
Or is this impossible?
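A policy model of the gateway described in Kyle's reply, added here as an example; it is not code from either message. It re-implements only the iptables behaviour the posted script relies on (nat PREROUTING REDIRECT on the first packet of a flow, then the filter FORWARD chain for whatever was not redirected), so one can check on paper which packets from the hidden-service PC could ever reach the Internet without passing through Tor, which is the leak hikki is worried about. Interface names and ports are the ones in the posted script; the torrc helper assumes the current `TransPort addr:port` syntax and the `VirtualAddrNetworkIPv4`/`AutomapHostsOnResolve` options, and the sample packets are constructed.

```python
"""Policy model of the transparent Tor gateway from the posted script.

Added example, not part of the original post. Models nat PREROUTING
REDIRECT followed by filter FORWARD for packets entering on the LAN
interface (INTIF) only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

INTIF, EXTIF = "eth1", "eth0"                  # LAN side, Internet side
TOR_DNSPORT, PRIVOXY_PORT, TOR_TRANSPORT = 53, 8888, 9095   # from the script


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports
    established: bool = False    # conntrack already knows this flow


# nat PREROUTING rules from the posted script, in order:
# (input interface, protocol, destination port or None for any, local port)
NAT_PREROUTING = [
    (INTIF, "udp", 53, TOR_DNSPORT),      # DNS -> Tor DNSPort
    (INTIF, "tcp", 80, PRIVOXY_PORT),     # HTTP -> Privoxy/Squid (optional)
    (INTIF, "tcp", None, TOR_TRANSPORT),  # all other TCP -> Tor TransPort
]


def nat_lookup(pkt: Packet) -> Optional[int]:
    """Local port the packet is REDIRECTed to, or None if no rule matches.

    The nat table is consulted only for the first packet of a flow; later
    packets reuse the stored mapping, which gives the same answer, so the
    lookup can simply be repeated for established packets."""
    for in_if, proto, dport, to_port in NAT_PREROUTING:
        if pkt.in_if == in_if and pkt.proto == proto and dport in (None, pkt.dport):
            return to_port
    return None


def forward_chain(pkt: Packet, final_drop: bool = True) -> str:
    """filter FORWARD as in the script: ACCEPT ESTABLISHED,RELATED tcp from
    INTIF to EXTIF, then DROP everything else from INTIF to EXTIF.
    final_drop=False models the DROP line being removed while 'modifying for
    your requirements'; the script never sets a chain policy, so the kernel
    default of ACCEPT then applies (assumption about the default policy)."""
    if pkt.in_if == INTIF and pkt.proto == "tcp" and pkt.established:
        return "ACCEPT"
    if pkt.in_if == INTIF and final_drop:
        return "DROP"
    return "ACCEPT"


Fate = Union[Tuple[str, int], str]


def fate(pkt: Packet, final_drop: bool = True) -> Fate:
    """('local', port): handed to a daemon on the router itself (Tor or the
    HTTP proxy), so it can only leave via the Tor network.
    'forwarded': routed out of EXTIF unchanged, i.e. it bypasses Tor.
    'dropped': discarded by the FORWARD chain."""
    to_port = nat_lookup(pkt)
    if to_port is not None:
        return ("local", to_port)
    return "forwarded" if forward_chain(pkt, final_drop) == "ACCEPT" else "dropped"


def leaks(packets: List[Packet], final_drop: bool = True) -> List[Packet]:
    """Packets from the LAN that would reach the Internet without Tor."""
    return [p for p in packets if fate(p, final_drop) == "forwarded"]


def torrc_lines(gateway_lan_ip: str, hidden_pc_ip: str, service_port: int = 80) -> List[str]:
    """torrc fragment for the router, using the same ports as the ruleset.
    VirtualAddrNetworkIPv4/AutomapHostsOnResolve make .onion lookups via
    DNSPort return addresses that TransPort then carries over Tor."""
    return [
        f"TransPort {gateway_lan_ip}:{TOR_TRANSPORT}",
        f"DNSPort {gateway_lan_ip}:{TOR_DNSPORT}",
        "VirtualAddrNetworkIPv4 10.192.0.0/10",
        "AutomapHostsOnResolve 1",
        "HiddenServiceDir /var/lib/tor/hidden_service/",
        f"HiddenServicePort {service_port} {hidden_pc_ip}:{service_port}",
    ]


# Constructed sample traffic as seen on the LAN interface.
SAMPLE = [
    Packet(INTIF, "udp", 53),                    # DNS lookup
    Packet(INTIF, "tcp", 80),                    # plain HTTP
    Packet(INTIF, "tcp", 443),                   # HTTPS
    Packet(INTIF, "tcp", 22, established=True),  # mid-flow SSH packet
    Packet(INTIF, "udp", 123),                   # NTP
    Packet(INTIF, "icmp"),                       # ping
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", fate(p))
    print("leaks with the script as posted:", leaks(SAMPLE))
    print("leaks without the final DROP   :", leaks(SAMPLE, final_drop=False))
    print("\n".join(torrc_lines("192.168.1.1", "192.168.1.10")))
```

Running it shows every TCP flow and DNS query from the inside landing on a local daemon, NTP and ping being dropped, and the leak list empty; drop the final DROP rule and NTP and ICMP walk straight out of EXTIF, which is exactly the kind of traffic that would expose the real address. The model covers only packets entering on INTIF and ignores IPv6, which the posted script does not filter either.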
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/