[tor-bugs] #18693 [Tor]: New SOCKS port restriction to only allow connections to .onion
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Mar 31 14:31:14 UTC 2016
#18693: New SOCKS port restriction to only allow connections to .onion
---------------------------+------------------------------
Reporter: ioerror | Owner:
Type: enhancement | Status: new
Priority: Very Low | Milestone: Tor: 0.2.???
Component: Tor | Version:
Severity: Normal | Resolution:
Keywords: tor-hs, socks | Actual Points:
Parent ID: | Points: small
Reviewer: | Sponsor:
---------------------------+------------------------------
Comment (by teor):
Please see my branch feature-18693-v3 at
https://github.com/teor2345/tor.git
It implements the OnionTrafficOnly Port flag, which disables all non-onion
sites through that port.
It can be tested using:
`src/or/tor DataDirectory /tmp/tor.$$ SOCKSPort "12345 OnionTrafficOnly"`
Implementation details:
* Adds the NoDNSRequest flag, which refuses requests for non-onion
hostnames
* Modifies the NoIPv4Traffic and NoIPv6Traffic flags so they refuse
connections earlier, before attaching a stream
* Adds the OnionTrafficOnly flag, which sets NoDNSRequest, NoIPv4Traffic,
and NoIPv6Traffic, refusing all non-onion requests
* Stops Tor's existing behaviour of allowing IPv4 and IPv6 traffic on all
non-SOCKS Ports. This makes this feature usable with TransPort and
NATDPort
* Adds some unit tests and a manual page update
* A few comment and non-functional tweaks
Features you didn't ask for:
* Adds the NoOnionTraffic flag, which disables requests for onion
hostnames (for completeness)
If this works for you, let me know (and do a code review!), and I can ask
Nick and Isabela if we can get it in 0.2.9.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18693#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
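As an added example for checking the behaviour teor describes (this is not code from the ticket or from the feature-18693-v3 branch): a small Python script that builds raw SOCKS5 CONNECT requests for a .onion name, a clearnet name, an IPv4 literal and an IPv6 literal, models which of them each port flag should refuse according to the comment above (NoDNSRequest refuses non-onion hostnames, NoIPv4Traffic/NoIPv6Traffic refuse address literals, NoOnionTraffic refuses onion hostnames, OnionTrafficOnly sets the first three), and can send each request to a running Tor SOCKSPort to compare the expected outcome with the SOCKS reply. The sample targets, the refusal model and the `probe` helper are assumptions for illustration; the comment does not say which SOCKS5 reply code Tor returns on refusal, so the script only reports the code it sees.

```python
import ipaddress
import socket
import struct

# Constructed sample targets for illustration only; the .onion name is
# made up and does not refer to any real hidden service.
SAMPLE_TARGETS = {
    "onion": "exampleexampleex.onion",
    "clearnet": "torproject.org",
    "ipv4": "198.51.100.7",
    "ipv6": "2001:db8::7",
}

# Per the comment, OnionTrafficOnly is shorthand for these three flags.
COMPOSITE_FLAGS = {
    "OnionTrafficOnly": {"NoDNSRequest", "NoIPv4Traffic", "NoIPv6Traffic"},
}


def classify_target(host):
    """Return 'ipv4', 'ipv6', 'onion' or 'hostname' for a SOCKS target."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        is_onion = host.lower().rstrip(".").endswith(".onion")
        return "onion" if is_onion else "hostname"
    return "ipv4" if addr.version == 4 else "ipv6"


def expand_flags(flags):
    """Expand composite flags (OnionTrafficOnly) into the flags they set."""
    active = set()
    for flag in flags:
        active |= COMPOSITE_FLAGS.get(flag, {flag})
    return active


def would_be_refused(host, flags):
    """Model of the flag semantics as described in the comment (assumption:
    this mirrors the description, not the branch's own code)."""
    active = expand_flags(flags)
    kind = classify_target(host)
    return (
        (kind == "hostname" and "NoDNSRequest" in active)
        or (kind == "onion" and "NoOnionTraffic" in active)
        or (kind == "ipv4" and "NoIPv4Traffic" in active)
        or (kind == "ipv6" and "NoIPv6Traffic" in active)
    )


def build_socks5_connect(host, port):
    """Build the no-auth greeting and a CONNECT request. Hostnames use
    ATYP 0x03 so Tor resolves them (like curl --socks5-hostname); resolving
    locally would leak the name and never reach the .onion path."""
    kind = classify_target(host)
    if kind == "ipv4":
        dst = b"\x01" + ipaddress.IPv4Address(host).packed
    elif kind == "ipv6":
        dst = b"\x04" + ipaddress.IPv6Address(host).packed
    else:
        name = host.encode("ascii")
        dst = b"\x03" + bytes([len(name)]) + name
    greeting = b"\x05\x01\x00"
    request = b"\x05\x01\x00" + dst + struct.pack("!H", port)
    return greeting, request


def parse_socks5_reply(data):
    """Return the REP field of a SOCKS5 reply (0 means succeeded)."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def probe(host, port, socks_host="127.0.0.1", socks_port=12345, timeout=30):
    """Send the CONNECT through a running Tor SOCKSPort (the port from the
    test command above) and return the REP code, or None on socket error."""
    greeting, request = build_socks5_connect(host, port)
    try:
        with socket.create_connection((socks_host, socks_port), timeout=timeout) as s:
            s.sendall(greeting)
            if s.recv(2) != b"\x05\x00":
                return None
            s.sendall(request)
            return parse_socks5_reply(s.recv(10))
    except OSError:
        return None


if __name__ == "__main__":
    flags = {"OnionTrafficOnly"}
    for kind, host in SAMPLE_TARGETS.items():
        expected = "refused" if would_be_refused(host, flags) else "allowed"
        rep = probe(host, 80)
        print(f"{kind:9} {host:28} expected {expected:8} REP={rep}")
```

Run it against a tor started with `SOCKSPort "12345 OnionTrafficOnly"`: the clearnet name and both address literals should come back with a non-zero REP, while the onion request should proceed (REP 0 once the rendezvous succeeds, or a non-zero code if the made-up name does not resolve). Swap the flag set in `__main__` for `{"NoDNSRequest"}` or `{"NoOnionTraffic"}` to check the individual flags the same way.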