[tor-bugs] #10896 [Tor]: Add support for pf divert-to sockets

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 10 22:39:31 UTC 2014


#10896: Add support for pf divert-to sockets
-----------------------------+--------------------------------
     Reporter:  _x3j11       |      Owner:
         Type:  enhancement  |     Status:  needs_review
     Priority:  normal       |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  025-triaged
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------------

Comment (by _x3j11):

 I hope the following is useful; for the record and for reproducibility,
 here is my testing methodology for OpenBSD and both styles of `pf` rules
 (I have not tested `ipfw` on FreeBSD, but maybe someone can make use of
 this?).

 There are four cases to look at, where the torrc is set up for `rdr-to`
 rules/`divert-to` rules, and whether the system's firewall is set up for
 `rdr-to` rules/`divert-to` rules.

 Set up an OpenBSD VM or similar at IP address `<addr>`, and set
 `sysctl -w net.inet.ip.forwarding=1`.

 Call `torrc-rdr`:
 {{{
 User foo
 DataDirectory /home/foo/.tor
 TransListenAddress 127.0.0.1
 TransPort 9999
 }}}

 Call `torrc-divert`:
 {{{
 TransListenAddress 127.0.0.1
 TransPort 9999
 TransProxyType pf-divert
 }}}

 Call `pf-rdr.conf`, supposing `<addr>` is on `<netblock>` (e.g.,
 192.168.0.0/24):
 {{{
 set skip on lo
 pass in quick from any to ! <netblock> rdr-to 127.0.0.1 port 9999
 }}}

 Call `pf-divert.conf`:
 {{{
 set skip on lo
 pass in quick from any to ! <netblock> divert-to 127.0.0.1 port 9999
 }}}

 From a different machine on the network, set its default route to this VM.

 Then:

 * case 1: torrc-divert and pf-rdr.conf: expected fail.
   * start tor with `<path-to-tor>/tor -f torrc-divert`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * An error message is logged ("Rejecting request for anonymous
 connection..." IIRC)
   * (failed, as expected)

 * case 2: torrc-rdr and pf-rdr.conf: expected success.
   * start tor with `sudo <path-to-tor>/tor -f torrc-rdr`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * Should succeed (as expected)

 * case 3: torrc-divert and pf-divert.conf: expected success.
   * start tor with `<path-to-tor>/tor -f torrc-divert`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * Should succeed (as expected)

 * case 4: torrc-rdr and pf-divert.conf: doesn't matter (if it succeeds,
 migration of pf.conf is seamless; otherwise, if it fails, torrc and pf.conf
 need to be migrated together).
   * start tor with `sudo <path-to-tor>/tor -f torrc-rdr`
   * Make a test connection (from the other machine): `lynx check.torproject.org`.
   * (On testing on OpenBSD 5.4, this succeeds, but that may not be the
 case on earlier versions?)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10896#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
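An added example in C, not code from the ticket or from Tor itself, showing the divert-to side of a transparent proxy: with `divert-to`, pf hands the connection to the socket unmodified, so `getsockname(2)` on the accepted socket returns the client's original destination and no privileged `/dev/pf` lookup (the `rdr-to` path) is needed, which is why the divert cases above run tor without sudo; `dest_is_proxy_itself` flags the case 1 mismatch (divert torrc against an rdr-to firewall), where the recovered address is just the listener itself. The listen address and port are taken from `torrc-divert` above; the function names and the loopback self-check are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_ADDR "127.0.0.1" /* TransListenAddress/TransPort of torrc-divert */
#define LISTEN_PORT 9999

/* Original destination of a connection accepted on a divert-to socket.
 * divert-to delivers the packet unmodified, so getsockname(2) reports the
 * address the client really dialled; the rdr-to path would instead need a
 * privileged DIOCNATLOOK on /dev/pf. Returns 0 on success, -1 on error. */
int divert_original_dest(int fd, char *ip, size_t iplen, unsigned *port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0 ||
        ss.ss_family != AF_INET)            /* IPv4 only, to stay short */
        return -1;
    struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
    if (!inet_ntop(AF_INET, &s4->sin_addr, ip, iplen))
        return -1;
    *port = ntohs(s4->sin_port);
    return 0;
}

/* Case 1 of the ticket (divert torrc, rdr-to firewall): rdr-to rewrote the
 * destination before delivery, so getsockname() only returns the proxy's
 * own listener and there is nothing to connect to. Returns 1 if so. */
int dest_is_proxy_itself(const char *ip, unsigned port)
{
    return strcmp(ip, LISTEN_ADDR) == 0 && port == LISTEN_PORT;
}

/* Offline self-check on a plain loopback socket (constructed; no pf here). */
int selftest_loopback(void)
{
    char ip[INET_ADDRSTRLEN];
    unsigned port = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0), ok = 0;
    struct sockaddr_in a = { .sin_family = AF_INET,  /* port 0: kernel picks */
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (fd >= 0 && bind(fd, (struct sockaddr *)&a, sizeof a) == 0 &&
        divert_original_dest(fd, ip, sizeof ip, &port) == 0)
        ok = strcmp(ip, "127.0.0.1") == 0 && port != 0 &&
             !dest_is_proxy_itself(ip, port);
    if (fd >= 0) close(fd);
    return ok;
}
```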