Is it possible to firewall Tor traffic with a hardware firewall?

hikki at Safe-mail.net hikki at Safe-mail.net
Sat Oct 30 10:29:47 UTC 2010


To make side channel attacks more difficult, especially for those who 
don't use virtual machines to run their hidden services, I was thinking 
about using a hardware firewall between the Tor computer and the Internet modem.
The hardware firewall can do IP based blocking, meaning that you 
can decide what IP address the Tor computer can connect to only. 
Like adding custom entry nodes in the Tor's config file and then put 
those IP addresses in the hardware firewall's rules so you can only 
connect to those, and no other IP.

But there's a problem doing this. Sometimes Tor needs to connect to a 
directory server (if I've understood it right?) to update its directory list.
And it doesn't connect to your exclusive entry node list for that. 
It seems, from the firewall's internal log, that it tries a lot of random 
IP's for that. So eventually your Tor engine will stop working or you 
can't restart it as long as the firewall blocks all outgoing traffic 
except for your entry node's IP addresses.

Is there a way to make this possible, so you can IP filter your Tor 
computer and lock its connections only to your entry nodes and directory servers?
Or is this impossible?
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list