funneling a wireless net's outbound connections through tor
Scott Bennett
bennett at cs.niu.edu
Mon Oct 1 06:48:23 UTC 2007
On Mon, 01 Oct 2007 03:33:46 +0200 Juliusz Chroboczek
<Juliusz.Chroboczek at pps.jussieu.fr> wrote:
> [I, Scott Bennett, wrote:]
>> I'm trying to set up a free wireless service for those of my neighbors
>> within range of a little wireless router I have. To keep things safe for
>> me and at least somewhat safer for them, I want to route all the outbound
>> connections from that router through tor using pf under FreeBSD 6.2-STABLE
>> (i386).
>
>Do not do that.
I am going to do that and as soon as I can figure out how to do it
correctly.
>
>You should not make traffic go transparently through tor, unless the
>people using your network fully understand what tor is about, and what
>are the associated security risks (such as exit nodes performing MITM
>attacks on SSL certificates).
Thank you for your opinion, but it was not particularly relevant to
what I posted.
First, please reread what I wrote. I will be providing a *free
wireless access* service to my neighbors. Even if I tell them *nothing*,
they will be better off than without the service. They do not even have
to know that it is going through any sort of anonymizing process. Just
the fact that they will have a free, if rather pokey, service available
will be an enhancement to my neighborhood.
Second, tor 0.1.2.2 and up are designed to do this. See the torrc
line called TransPort. tor 0.2.0.1 and up are designed to do this without
the earlier necessity of providing a name service proxy. See the torrc
line called DNSPort.
Third, you didn't even ask whether I might have already given some
thought to the matter of educating/informing my neighbors about how their
TCP connections and name server queries will be reaching the Internet and
how responses will be returned from the Internet. I have been planning
this service for quite some time.
Fourth, my primary motivation for running my neighbors' connections
through tor is to protect *me* from whatever *they* are doing. The fact
that routing their connections through tor should also give *them* some
protection is a purely secondary benefit.
I am now in the process of trying to get it to work. If anyone knows
the answers to the questions I posted, I would still appreciate your
information.
>
>Instead, put a simple stateless firewall on your network, and redirect
>port 80 traffic to a web server that explains how to set up their web
>browser to go through tor.
That would defeat the purpose of providing free wireless TCP access
to the Internet.
>
>Please make sure that your HTTP proxy allows CONNECT to TCP ports 22,
>80, 109-110, 143, 443, 873, 993 and 995. 22 is especially important
>if there are any geeks in your neighbourhood.
>
My HTTP proxy is privoxy and will continue to provide service only
to me. It is quite possible that I will never have any direct
communication with many of my neighbors, so requiring them to reconfigure
their applications, which may include more than mere web browsers, to use
an HTTP proxy is out of the question. It also would not be of any use
to network applications that do not use HTTP.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
More information about the tor-talk
mailing list