
Re: [tor-relays] hardening a tor relay



On 5/21/2014 7:38 PM, Moritz Bartl wrote:
> The problem with selective filters for outgoing traffic is that Tor
> needs to be able to connect to all other Tor relays, some of which use
> non-standard ports. 

One could add a rule to the OUTPUT chain that allows all traffic from
the tor user (or uid). This allows one to maintain non-tor-related
outbound rules without interfering with tor itself. On a hypothetical
system where the uid under which tor runs is 501, an iptables rule like
this should work:

iptables -I OUTPUT -p tcp -m owner --uid-owner 501 -j ACCEPT

One resource for ideas on how to harden a system is the NSA. I for one
have referenced these two docs on more than one occasion (clearnet
links), and they can be adapted conceptually to many other distros:

http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

-- 
Morgan Smith | IntersafeIT
Phone/Fax: +1 (888) 623-7444
morgan@xxxxxxxxxxxxxxx
www.intersafeit.com   | intersafewhe4eoy.onion
Twitter: @IntersafeIT | GnuPG ID: 9CDD26C7

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
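The owner-match idea from the post above, carried through to a complete default-deny OUTPUT chain, as an added example that is not code from the original message or from the Tor project. It assumes the relay runs under the account named in TOR_USER (debian-tor by default, with the post's hypothetical uid 501 as a fallback when that account does not exist) and that the host uses iptables with conntrack. It prints iptables-restore syntax rather than applying anything, so it can be reviewed first and run unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny OUTPUT chain
# with a hole for everything the tor uid originates.  Assumptions: relay
# account in TOR_USER (default debian-tor), uid 501 is the post's
# hypothetical fallback, iptables + conntrack are available.

tor_uid() {
    # Resolve the uid of the relay's service account; fall back to the
    # post's hypothetical uid 501 when the account is absent on this host.
    uid=$(id -u "$1" 2>/dev/null) || uid=501
    printf '%s\n' "$uid"
}

tor_output_rules() {
    # $1: numeric uid tor runs as.  Emits iptables-restore syntax for the
    # filter table's OUTPUT chain.  Review it, then feed it to
    # iptables-restore (use -n / --noflush to merge into existing rules).
    case "$1" in
        ''|*[!0-9]*) echo "tor_output_rules: uid must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:OUTPUT DROP [0:0]
# loopback is unrestricted (tor's ControlPort, local resolvers, etc.)
-A OUTPUT -o lo -j ACCEPT
# replies to inbound connections: sshd, the ORPort/DirPort clients, ...
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the relay itself may open TCP to any other relay on any port (the post's rule)
-A OUTPUT -p tcp -m owner --uid-owner $1 -j ACCEPT
# exits resolve names through the system resolver, so allow tor's own DNS
-A OUTPUT -p udp --dport 53 -m owner --uid-owner $1 -j ACCEPT
# clock sync matters for tor; NTP from anyone on the host
-A OUTPUT -p udp --dport 123 -j ACCEPT
# root-only HTTP(S) for package updates; everything else is logged and dropped
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP " --log-level 4
COMMIT
EOF
}

# Usage: TOR_FW_PRINT=1 sh tor-output.sh | sudo iptables-restore -n
if [ "${TOR_FW_PRINT:-}" = "1" ]; then
    tor_output_rules "$(tor_uid "${TOR_USER:-debian-tor}")"
fi
```

The ESTABLISHED,RELATED rule is what keeps a DROP policy from cutting off the ssh session you apply it from; test the generated rules on a console or with a scheduled `iptables -P OUTPUT ACCEPT` fallback before trusting them on a remote relay. The owner match only sees locally generated packets, which is exactly what the OUTPUT chain carries, so it costs nothing for forwarded traffic.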