Yet another UDP / DNS question...
Tomasz Moskal
ramshackle.industries at gmail.com
Sun Feb 13 18:50:19 UTC 2011
> Could you describe your use case + thread model?
I'm terribly sorry for the chaos I'm causing, but right now I'm a very small
and confused person :-) Let me start from the beginning...
I'm using the Privoxy + Tor combination. For Privoxy to properly handle
TCP/HTTP requests and send them over the Tor network I have "listen-address
127.0.0.1:8118" in my /etc/privoxy/config. Then, to make sure that
Privoxy will be used globally, I added these four lines
to /etc/environment:
http_proxy="http://127.0.0.1:8118/"
https_proxy="https://127.0.0.1:8118/"
HTTP_PROXY=$http_proxy
HTTPS_PROXY=$https_proxy
Now all TCP/HTTP traffic should go through the Privoxy -> Tor combination,
at least in theory. As I understand it, Wireshark is the tool I should use
to verify whether that is what is happening in reality. I compiled Wireshark
but don't understand yet how to use it, so I will come back to verifying the
routing of TCP/HTTP when I understand what I'm doing.
Next, I tried to use torsocks to make sure UDP/DNS requests are resolved
through Tor. To accomplish that I added to /etc/privoxy/config:
forward-socks4a / 127.0.0.1:9050 .
forward-socks5 / 127.0.0.1:9050 .
My /etc/torsocks.conf looks like this:
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 169.254.0.0/255.255.0.0
local = 172.16.0.0/255.240.0.0
local = 192.168.0.0/255.255.0.0
server = 127.0.0.1
server_port = 9050
But I have two problems with using torsocks:
1. Not all applications seem to be working with it; for example, when I
try "usewithtor empathy" I'm getting "Segmentation fault". Which is
probably due to the problems with rejecting UDP:
torsocks allows you to use most socks-friendly applications in a safe
way with Tor. It ensures that DNS requests are handled safely and
explicitly rejects UDP traffic from the application you're using. (from
<https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorifyHOWTO>)
2. I would need to "usewithtor" every single application on my system to
make sure DNS requests are resolved through Tor.
Then I came across Transparently Routing Traffic Through Tor
<https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy>.
And this is where more confusion and problems started! What I want to
achieve with this wiki is to make sure all UDP/DNS requests will be sent
through Tor. Now I intend to follow Local Redirection Through Tor from the
mentioned wiki to the letter, and that will hopefully resolve the case of
leaking DNS.
> # Block/reject all outgoing UDP traffic
> > iptables -A OUTPUT -j REJECT
> This rule does not block UDP only, it rejects all traffic including UDP
> (if a packet makes its way to the last line).
>
So if I go ahead with the set-up from Local Redirection Through Tor it
will allow out just the traffic going through Tor, stopping any and every
kind of non-Tor traffic from leaving my machine. But if I want to allow
traffic from certain applications I could do it by setting up an exception
in iptables, right? And furthermore, with this solution there will be no
need for me to use torsocks any more, yes?
> > iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
> Why did you add -p udp here? Tor uses TCP.
>
My mistake! Fixed now.
> I'm wondering why one would want to setup DNSPort configuration without
> TransPort.
That would be lack of knowledge on my part; I misunderstood the information
from the wiki. I got confused by this comment
<http://www.hermann-uwe.de/blog/howto-anonymous-communication-with-tor-some-hints-and-some-pitfalls#comment-80205>
which doesn't mention TransPort, and thus I thought it was not necessary.
>
> I wonder why your uid should be different every time you reboot, but you
> can also use the name of the user instead of the numerical value.
>
Well, I can't tell you why, but that's how it is. To double-check I rebooted
twice just now and "ps -A | grep -w tor" each time gave me a different UID
for tor.
--
Tomasz Moskal <ramshackle.industries at gmail.com>
Encrypted mail preferred. Key ID: 2C323C82
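An added example, not code from the original post or from the Tor wiki it cites: a POSIX shell script that prints the iptables OUTPUT-chain rules for the "Local Redirection Through Tor" set-up discussed above, so they can be reviewed before being applied. It resolves Tor's UID by account name at run time (as the reply suggests), accepts Tor's own traffic without a "-p udp" restriction, ends the chain with the REJECT that stops all non-Tor traffic, and takes an optional list of UIDs to exempt, which is the "exception in iptables" case asked about. The account name debian-tor, the ports 9040 and 53, and the BYPASS_UIDS variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Tor wiki it cites.
# Prints the OUTPUT-chain rules for "Local Redirection Through Tor" for review;
# apply (as root) with:  sh tor-output-rules.sh print | sh
# Assumptions: Tor runs as the account in TOR_USER with "TransPort 9040" and
# "DNSPort 53" in torrc (assumed values; match your own torrc).
TOR_USER="${TOR_USER:-debian-tor}"   # look the account up by name, not a fixed UID
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-53}"

# Resolve the UID at run time, so a UID that differs between boots is harmless.
tor_uid() { id -u "$1" 2>/dev/null; }

# $1 = Tor's numeric UID, $2 = TransPort, $3 = DNSPort,
# $4 = optional space-separated UIDs allowed to bypass Tor (the "exception" case).
# Order matters: Tor's own traffic and loopback are excused first, DNS and new
# TCP connections are redirected, and the filter chain ends in REJECT so nothing
# else (UDP included) leaves the machine.
tor_output_rules() {
    uid="$1"; tp="$2"; dp="$3"; bypass="${4:-}"
    echo "iptables -t nat -A OUTPUT -m owner --uid-owner $uid -j RETURN"
    echo "iptables -t nat -A OUTPUT -o lo -j RETURN"
    for b in $bypass; do
        echo "iptables -t nat -A OUTPUT -m owner --uid-owner $b -j RETURN"
    done
    echo "iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dp"
    echo "iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $tp"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"   # no "-p udp": Tor uses TCP
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for b in $bypass; do
        echo "iptables -A OUTPUT -m owner --uid-owner $b -j ACCEPT"
    done
    echo "iptables -A OUTPUT -j REJECT"   # last line: anything not matched above is rejected
}

# Sanity check on a generated rule set: the filter chain must end in REJECT and
# Tor's ACCEPT must not be limited to UDP. Returns 0 when both hold.
check_rules() {
    last=$(printf '%s\n' "$1" | tail -n 1)
    [ "$last" = "iptables -A OUTPUT -j REJECT" ] || return 1
    printf '%s\n' "$1" | grep -q -- "-p udp -m owner" && return 1
    return 0
}

if [ "${1:-}" = "print" ]; then
    uid=$(tor_uid "$TOR_USER") || { echo "no such user: $TOR_USER" >&2; exit 1; }
    rules=$(tor_output_rules "$uid" "$TRANS_PORT" "$DNS_PORT" "${BYPASS_UIDS:-}")
    check_rules "$rules" && printf '%s\n' "$rules"
fi
```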