Re: [tor-relays] What IPs does Torbrowser need?

Subject: Re: [tor-relays] What IPs does Torbrowser need?

From: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>

Date: Sun, 20 Mar 2016 10:20:33 +1100

Delivery-date: Sat, 19 Mar 2016 19:20:52 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=oSX2eQbVHD1uyL6Jw2YVgh/YUJKOnjRQIYM8s4vAlPs=; b=S7a1/SEEzcJy/5fKGD+eoKnsevVHKO+tBClwQXV1F6nhpXbWS570wNQbe+6cSrryxF Fv5VdURoHqXZKNei0F2iiMy3bpwkd3tAslCjQF5qy1NkkVQDU+127dxElLs5TPAgSuwD z+fIxjo49UZjTQbYy2z+F4wzlAPvoFiGvOZZcZwZUqhqYXdVgeLkJzIig7WeiQPC206U HmgNmr30hejEqmL5V5Eo7W3Z9g1oEK5b+RyDmxLXJofGsetvtpSCIXPcvrpgUyHyNba6 a7xHqVDdyU1rgO0YMEQPK3Lh4oll47Apm7eKXggahMOpBOvr1Mj5vlyi8LYBB3T/VH10 7QOw==

In-reply-to: <56E81C04.4090303@xxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <56E81C04.4090303@xxxxxxxxx>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On 16 Mar 2016, at 01:28, Martin Kepplinger <martink@xxxxxxxxx> wrote:

Hi

Imagine a router that want to only whitelist the IP addresses that
Torbrowser needs to work. What IPs would it need (for start up and
browsing) ?

* Guards

During normal operation after bootstrapping.

* Authorities

For bootstrapping.

As of 0.2.8.1-alpha, each release has a different list of fallback directory mirrors.

If they're not whitelisted, initial bootstrap will be delayed for around 10 seconds, then tor will try an authority.

* HSDir flagged relays (?)

Shouldn't be required, all connections go through a 3-hop circuit that starts at a guard.

and would such a whitelisting of IPs even work?

Yes, this kind of whitelisting of addresses used by tor worked quite well when I was testing the fallback directory mirror and IPv6 client bootstrap features. (I would block or allow certain addresses, then make sure tor behaved sensibly.)

At least I think DNS can
be ignored as it is routed over Tor too.

Server DNS names are sent to the Tor Client as part of the SOCKS 5 protocol.

The Tor Client sends the server name to the Exit.

Then DNS resolution is performed by the Exit.

So technically, there are no DNS packets until the Exit queries its DNS servers for the server name provided by the client.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays