
[tor-talk] restricting output to the tor process, when using Tor browser



OK, so I don't use standalone Tor browser, just in Whonix.

And when I use Tor in Debian, I use iptables rules like:


*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP

-A FORWARD -j DROP

-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j DROP

COMMIT


But, in a Debian VM running Tor browser, I found that the tor process is
running as the login user. And so iptables is totally useless.

However, it's apparently easy to start Tor browser as its own user,
using Micah Lee's torbrowser-launcher.[0] Is that a prudent solution?

0)
https://medium.com/@jamesmacwhite/running-the-tor-browser-on-kali-linux-the-proper-way-d33a38b54e96
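The point of the ruleset above is that the OUTPUT owner match only does what you want if the tor daemon really runs as the user named in --uid-owner. As an added example (not part of the original post), this script parses an iptables-save style ruleset for the users its OUTPUT owner rules accept and checks whether the user tor runs as is among them; the ruleset and user names are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that the
# '-m owner --uid-owner' ACCEPT rule in OUTPUT actually covers the
# user the tor process runs as. All inputs are constructed inline.

# Print the users named in '-A OUTPUT ... --uid-owner <user> ... -j ACCEPT'.
allowed_uid_owners() {
    # $1: iptables-save style ruleset text
    printf '%s\n' "$1" | awk '
        /^-A OUTPUT/ && /--uid-owner/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--uid-owner") print $(i + 1)
        }'
}

# Return 0 if the user is matched by an OUTPUT owner ACCEPT rule, 1 otherwise.
tor_user_covered() {
    # $1: ruleset text
    # $2: user the tor process runs as (on a live box: ps -o user= -C tor)
    allowed_uid_owners "$1" | grep -qx -- "$2"
}

# Constructed ruleset with the same shape as the one quoted in the post.
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# "debian-tor" is the system tor service user; "user" stands for the
# login user that a Tor Browser bundled tor runs as (constructed names).
for u in debian-tor user; do
    if tor_user_covered "$RULESET" "$u"; then
        echo "tor running as '$u': covered by the OUTPUT owner rule"
    else
        echo "tor running as '$u': not covered, its traffic reaches the final DROP"
    fi
done
```

Swap the constructed user for the output of `ps -o user= -C tor` to check a real system.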