TransPort, DNSPort, and pf
Scott Bennett
bennett at cs.niu.edu
Fri Dec 31 06:53:10 UTC 2010
I am attempting to set up a LAN with Internet access via tor for machines
that do not have tor installed by using TransPort, DNSPort, and a couple of
rdr rules in pf. In torrc, I have
TransPort 9040
TransListenAddress 127.0.0.1:9040
DNSPort 1053
DNSListenAddress 127.0.0.1:1053
In an anchor defined in /etc/pf.conf as
rdr-anchor intrdrs
load anchor intrdrs from "/etc/pf.int.rdrs"
the file /etc/pf.int.rdrs contains
int_ifa="axe0"
internal_net_a="192.168.3.0/24"
localhost_addr="127.0.0.1"
rdr on $int_ifa proto tcp from $internal_net_a to ! ($int_ifa) -> $localhost_addr port 9040
rdr on $int_ifa proto udp from $internal_net_a to ! ($int_ifa) port domain -> $localhost_addr port 1053
Testing the torrc goes like this:
hellas# su _tor
$ tor --verify-config
Dec 30 23:33:41.799 [notice] Tor v0.2.2.17-alpha (git-dadd9608d2720368). This is experimental software. Do not rely on it for strong anonymity. (Running on FreeBSD i386)
Dec 30 23:33:41.817 [warn] open("/dev/pf") failed: Permission denied
Dec 30 23:33:41.818 [warn] Failed to parse/validate config: Unable to open /dev/pf for transparent proxy.
Dec 30 23:33:41.818 [err] Reading config failed--see warnings above.
My first question is, why does tor want to open /dev/pf when all packets
from the internal network are redirected to tor on the loopback interface
anyway? To get tor to stop complaining, I had to change the group of /dev/pf
from wheel to _tor and change the device's permissions from 600 to 660. It
seems to me that neither should be necessary and that tor should not access
/dev/pf.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
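A consistency check for this kind of transparent-proxy setup, added here as an example and not part of the original post or of Tor or pf: it parses a torrc and a pf rdr file (constructed samples below; the pf sample deliberately defines int_ifb but references $int_ifa, the kind of macro typo that makes the anchor fail to load) and reports macros used before definition and rdr target ports that do not match TransPort or DNSPort.

```python
import re

# Constructed sample inputs modelled on the configuration in the post.
TORRC = """TransPort 9040
TransListenAddress 127.0.0.1:9040
DNSPort 1053
DNSListenAddress 127.0.0.1:1053
"""
PF_RDRS = """int_ifb="axe0"
internal_net_a="192.168.3.0/24"
localhost_addr="127.0.0.1"
rdr on $int_ifa proto tcp from $internal_net_a to ! ($int_ifa) -> $localhost_addr port 9040
rdr on $int_ifa proto udp from $internal_net_a to ! ($int_ifa) port domain -> $localhost_addr port 1053
"""

def torrc_ports(text):
    """Return {'tcp': TransPort, 'udp': DNSPort} as ints (None if unset)."""
    ports = {"tcp": None, "udp": None}
    for line in text.splitlines():
        m = re.match(r"\s*(TransPort|DNSPort)\s+(\d+)", line)
        if m:
            ports["tcp" if m.group(1) == "TransPort" else "udp"] = int(m.group(2))
    return ports

def check_rdrs(pf_text, ports):
    """Return a list of problems found in the pf rdr rules:
    macros referenced before they are defined, and rdr target ports that
    differ from the tor listener port for the same protocol."""
    problems = []
    defined = set()
    for line in pf_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=", line)
        if m:                      # macro definition line
            defined.add(m.group(1))
            continue
        # dict.fromkeys() keeps order and drops repeats within one line
        for ref in dict.fromkeys(re.findall(r"\$(\w+)", line)):
            if ref not in defined:
                problems.append(f"undefined macro ${ref} in: {line.strip()}")
        m = re.match(r"\s*rdr\b.*\bproto\s+(tcp|udp)\b.*->\s*\S+\s+port\s+(\d+)", line)
        if m:
            proto, port = m.group(1), int(m.group(2))
            if ports.get(proto) != port:
                problems.append(f"{proto} rdr targets port {port}, "
                                f"tor listens on {ports.get(proto)}")
    return problems

if __name__ == "__main__":
    for p in check_rdrs(PF_RDRS, torrc_ports(TORRC)):
        print(p)
```

Running it on the sample reports the undefined $int_ifa on both rdr lines; after renaming the definition to int_ifa the list is empty, and changing the udp target to port 53 would flag the DNSPort mismatch.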