[tor-bugs] #10896 [Tor]: Add support for pf divert-to sockets
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 10 22:39:31 UTC 2014
#10896: Add support for pf divert-to sockets
-----------------------------+--------------------------------
Reporter: _x3j11 | Owner:
Type: enhancement | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Resolution: | Keywords: 025-triaged
Actual Points: | Parent ID:
Points: |
-----------------------------+--------------------------------
Comment (by _x3j11):
I hope the following is useful; for the record and for reproducibility,
here is my testing methodology for OpenBSD and both styles of `pf` rules
(I have not tested `ipfw` on FreeBSD, but maybe someone can make use of
this?).
There are four cases to look at, depending on whether the torrc is set up for
`rdr-to` rules or `divert-to` rules, and whether the system's firewall is set
up for `rdr-to` rules or `divert-to` rules.
Set up an OpenBSD VM or similar at IP address `<addr>`, and set
`sysctl -w net.inet.ip.forwarding=1`.
Call `torrc-rdr`:
{{{
User foo
DataDirectory /home/foo/.tor
TransListenAddress 127.0.0.1
TransPort 9999
}}}
Call `torrc-divert`:
{{{
TransListenAddress 127.0.0.1
TransPort 9999
TransProxyType pf-divert
}}}
Call `pf-rdr.conf`, supposing <addr> is on <netblock> (e.g., 192.168.0.0/24):
{{{
set skip on lo
pass in quick from any to ! <netblock> rdr-to 127.0.0.1 port 9999
}}}
Call `pf-divert.conf`:
{{{
set skip on lo
pass in quick from any to ! <netblock> divert-to 127.0.0.1 port 9999
}}}
From a different machine on the network, set its default route to this VM.
Then:
 * case 1: torrc-divert and pf-rdr.conf: expected fail.
   * start tor with `<path-to-tor>/tor -f torrc-divert`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * An error message is logged ("Rejecting request for anonymous connection..." IIRC)
   * (failed, as expected)
 * case 2: torrc-rdr and pf-rdr.conf: expected success.
   * start tor with `sudo <path-to-tor>/tor -f torrc-rdr`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * Should succeed (as expected)
 * case 3: torrc-divert and pf-divert.conf: expected success.
   * start tor with `<path-to-tor>/tor -f torrc-divert`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * Should succeed (as expected)
 * case 4: torrc-rdr and pf-divert.conf: doesn't matter (if it succeeds,
   migration of pf.conf is seamless; otherwise it fails, and torrc and pf.conf
   need to be migrated together.)
   * start tor with `sudo <path-to-tor>/tor -f torrc-rdr`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * (On testing on OpenBSD 5.4, this succeeds, but that may not be the
     case on earlier versions?)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10896#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
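The four-case matrix above is easy to get wrong when a torrc and a pf.conf are migrated separately. The following is an added example, not code from the ticket or from tor itself: a small POSIX sh pre-flight check that reads a torrc and a pf.conf, classifies each as `rdr-to` or `divert-to` style, checks that the pf rule actually targets `TransPort`, and prints the outcome the comment's matrix predicts for that pair. The helper names (`torrc_mode`, `pf_mode`, `expected`, `write_samples`) are hypothetical; `write_samples` writes the comment's four files as constructed sample input, with `<netblock>` filled in as the 192.168.0.0/24 the comment gives as its example.

```shell
#!/bin/sh
# Added example (not part of tor or ticket #10896): a pre-flight check that a
# torrc and a pf.conf agree on the transparent-proxy style, following the
# four-case matrix from the ticket comment. All function names are
# hypothetical; the sample files written by write_samples are constructed
# from the comment's configs, with <netblock> assumed to be 192.168.0.0/24.

# torrc_mode FILE: "divert" if TransProxyType pf-divert is set, else "rdr"
torrc_mode() {
    if grep -Eiq '^[[:space:]]*TransProxyType[[:space:]]+pf-divert' "$1"; then
        echo divert
    else
        echo rdr
    fi
}

# pf_mode FILE: "divert" if an uncommented rule uses divert-to, "rdr" if one
# uses rdr-to, "none" if pf.conf redirects nothing at all
pf_mode() {
    if grep -Eq '^[^#]*[[:space:]]divert-to[[:space:]]' "$1"; then
        echo divert
    elif grep -Eq '^[^#]*[[:space:]]rdr-to[[:space:]]' "$1"; then
        echo rdr
    else
        echo none
    fi
}

# trans_port FILE: the TransPort value from a torrc (first occurrence)
trans_port() {
    awk 'tolower($1) == "transport" { print $2; exit }' "$1"
}

# pf_port FILE: the "port N" argument of the first rdr-to/divert-to rule
pf_port() {
    awk '!/^[[:space:]]*#/ && /(rdr|divert)-to/ {
             for (i = 1; i <= NF; i++) if ($i == "port") { print $(i+1); exit }
         }' "$1"
}

# expected TORRC PFCONF: outcome of a transparent connection per the comment:
#   case 1  torrc divert + pf rdr-to     -> fail
#   case 2  torrc rdr    + pf rdr-to     -> ok
#   case 3  torrc divert + pf divert-to  -> ok
#   case 4  torrc rdr    + pf divert-to  -> unknown (worked on OpenBSD 5.4 per the comment)
# plus "no-rule" when pf.conf has no redirect rule and "port-mismatch" when
# the pf rule does not point at TransPort.
expected() {
    t=$(torrc_mode "$1"); p=$(pf_mode "$2")
    [ "$p" = none ] && { echo no-rule; return; }
    [ "$(trans_port "$1")" = "$(pf_port "$2")" ] || { echo port-mismatch; return; }
    case "$t/$p" in
        divert/rdr)    echo fail ;;
        rdr/rdr)       echo ok ;;
        divert/divert) echo ok ;;
        rdr/divert)    echo unknown ;;
    esac
}

# write_samples DIR: the four files from the comment (constructed sample input)
write_samples() {
    cat > "$1/torrc-rdr" <<'EOF'
User foo
DataDirectory /home/foo/.tor
TransListenAddress 127.0.0.1
TransPort 9999
EOF
    cat > "$1/torrc-divert" <<'EOF'
TransListenAddress 127.0.0.1
TransPort 9999
TransProxyType pf-divert
EOF
    cat > "$1/pf-rdr.conf" <<'EOF'
set skip on lo
pass in quick from any to ! 192.168.0.0/24 rdr-to 127.0.0.1 port 9999
EOF
    cat > "$1/pf-divert.conf" <<'EOF'
set skip on lo
pass in quick from any to ! 192.168.0.0/24 divert-to 127.0.0.1 port 9999
EOF
}

# Usage: sh check.sh <torrc> <pf.conf>  -> prints ok | fail | unknown | no-rule | port-mismatch
if [ "$#" -eq 2 ]; then
    expected "$1" "$2"
fi
```

The check is deliberately conservative: a `port-mismatch` or `no-rule` result is reported before the matrix is consulted, since in either case the connection never reaches tor's TransPort and the rdr/divert distinction is moot. It only inspects the two files; it does not load pf rules or start tor, so it can run on any host before the VM in the procedure above is touched.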