Re: [tor-talk] almost success toward complete tor enforcement, need little help now
Raviji:
> https://cryptoanarchy.org/wiki/Build_your_own_livething
That's a bit insufficient and some points clearly outdated, see below.
>
> obfsproxy issue
> =================
>
> I have installed tor, pdnsd, ttdnsd, obfsproxy, polipo, vidalia
You don't need pdnsd, ttdnsd or polipo. Vidalia is a nice optional graphical
user interface.
> I have already collected the obfs IP address from a running tor bundle and then placed all those
> at /etc/tor/torrc. tor is running with obfs.
>
> [Q] How can I check online that obfs is functional? https://check.torproject.org/ simply shows
> tor is running, but no obfs related information.
Someone else has to answer here.
> polipo and firewall
> =====================
>
> Browsers configured to use polipo (tor as parent) and the online check is successful (https://check.torproject.org/)
>
> [Q] Is polipo really fast? I hardly see any advantage comparing direct tor connection without polipo.
You're on the wrong path. Don't use polipo / Firefox etc. anymore,
unless you want to stay out from all other Tor users. Use Tor Browser.
Details:
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
> [Q] What is the iptables rule to redirect all 80 and 443 traffic through polipo 8118 port ? Then no configuration is
> required at browser level.
You don't need iptables for that. Tor is running on a Gateway. Tor
Browser without Tor/Vidalia started (patched startup script) is running
on another machine. (Which we call Workstation.)
Tor Button SOCKS Host: gateway IP, port: reserve one SocksPort in torrc
on Gateway exclusively for Tor Browser. Add some extra SocksPorts for
other applications. (stream isolation)
> DNS and firewall
> =================
>
> I am using pdnsd (caching DNS proxy server) and ttdnsd ( udp to tcp converter )
You don't need ttdnsd. I recommend using one SocksPort per most, if not
all, applications. If you still want some remaining traffic fallback you
can use Tor's excellent Dns- and TransPorts.
>
> [Q] How can I enforce all udp to go through local DNS port and which one, 53 or 8853?
For a "fetch remaining DNS traffic and route through Tor iptables rule"
have a look at
https://github.com/adrelanos/Whonix/blob/master/whonix_gateway/usr/local/bin/whonix_firewall
and search for "dns".
>
> iptables to route all traffic and blocked all non tor
> ======================================================
>
> LAN and lo (localhost) don't need to go through tor
You probably mess up there figuring out what is lan traffic for real and
what not. I strongly recommend the Tor-only box to have no local lan
traffic.
> port 80/443 should go through polipo port 8118,
> all dns query should go through local 53 ( or 8853 ? ) port
As said before, forget about that plan. Don't use polipo.
> And the rest of the traffic should go through tor 9050 port, anything left should be dropped.
> The example iptables given at tails site is not working for me. Could anyone kindly give such
> rule sets please?
You can do it with virtual machines and/or physical isolation.
https://sourceforge.net/p/whonix/wiki/Home/
https://github.com/adrelanos/Whonix/
https://github.com/adrelanos/Whonix/blob/master/whonix_gateway/usr/local/bin/whonix_firewall
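A constructed Gateway-side sketch of the setup described in this reply (an added example, not the Whonix firewall script and not code from the thread): one SocksPort per application for stream isolation, a DnsPort and TransPort for leftover traffic, and iptables rules that let the Workstation reach only those ports, redirect remaining DNS/TCP into Tor, and let only the tor user leave the box. The interface names, the gateway IP 192.168.0.10, the port numbers and the user debian-tor are assumptions.

```shell
#!/bin/sh
# Constructed example of a Whonix-style Tor Gateway; not the Whonix script.
# Assumptions: Workstation-facing interface eth1 with gateway IP 192.168.0.10,
# upstream interface eth0, Tor running as user debian-tor.
INT_IF="${INT_IF:-eth1}"
EXT_IF="${EXT_IF:-eth0}"
GW_IP="${GW_IP:-192.168.0.10}"
TOR_USER="${TOR_USER:-debian-tor}"
DNS_PORT=53                    # Tor DnsPort: catches leftover UDP DNS
TRANS_PORT=9040                # Tor TransPort: catches leftover TCP
SOCKS_PORTS="9100 9101 9102"   # one SocksPort per application; 9100 is Tor Browser's
IPT="${IPT:-echo iptables}"    # dry run by default; set IPT=iptables to apply

# torrc fragment for the Gateway: every port is bound to the internal IP only.
gen_torrc() {
  printf '# reserved for Tor Browser on the Workstation\nSocksPort %s:9100\n' "$GW_IP"
  for p in $SOCKS_PORTS; do
    [ "$p" = 9100 ] && continue
    printf '# isolated stream for another application\nSocksPort %s:%s\n' "$GW_IP" "$p"
  done
  printf 'DnsPort %s:%s\nTransPort %s:%s\n' "$GW_IP" "$DNS_PORT" "$GW_IP" "$TRANS_PORT"
}

# Gateway firewall: default drop, Tor ports reachable from the Workstation,
# leftover DNS/TCP redirected into Tor, and only the tor user may go upstream.
gen_firewall() {
  $IPT -F; $IPT -t nat -F
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  for p in $SOCKS_PORTS $TRANS_PORT; do
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport "$p" -j ACCEPT
  done
  $IPT -A INPUT -i "$INT_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
  # Workstation traffic not aimed at the Gateway's own ports falls back into Tor.
  $IPT -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
  $IPT -t nat -A PREROUTING -i "$INT_IF" ! -d "$GW_IP" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
  # Replies back to the Workstation are allowed; new outbound flows only from tor.
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -o "$EXT_IF" -m owner --uid-owner "$TOR_USER" -j ACCEPT
}

gen_torrc
gen_firewall
```

Run it as is to review the generated torrc and iptables commands; nothing is applied unless IPT=iptables is set and the script runs as root.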
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk