From: Peter Müller
To: development@lists.ipfire.org
Subject: In-/Outbound firewall configuration for Tor relay
Date: Wed, 27 Jun 2018 22:53:25 +0200
Message-ID: <7fc21243-349c-94b2-4c18-59121e356715@link38.eu>

Hello,

for quite some time, IPFire has included Tor via Pakfire as an add-on. Trying to set up a Tor relay there, I stumbled into several problems regarding firewall rule configuration:

(a) Inbound

It turns out that Tor is not working correctly if GeoIP block is active (this occurred after a reboot - strange). Of course, one possibility is to disable GeoIP block altogether, allow access to the Tor relay ports, and deny all except legitimate countries access to other services on the firewall machine. Since this enlarges the ruleset (already quite complex here :-| ), I am wondering if there is a simpler way to achieve this.

(b) Outbound

For security reasons (surprise!), outgoing connections are heavily limited here - only DNS, NTP and web traffic is allowed, and only to a certain list of countries. Some call that "racist routing"...

This does not work with Tor since it needs to open connections to almost any port on almost any IP address. Allowing outbound traffic in general is out of the question, so there seems to be no possibility left.

Besides running a Tor relay in the local DMZ and applying the firewall rules to this machine, is there another way?

Thanks, and best regards,
Peter Müller

-- 
"We don't care. We don't have to. We're the Phone Company."
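An added example for the outbound problem (b), not part of the message above and not IPFire's or Tor's own tooling: a relay does not need to reach "any port on any IP", it needs to reach the ORPorts of the relays listed in the current network-status consensus. The script below parses the "r" and "a" lines of a consensus and emits an ipset/iptables allow-list restricted to exactly those IP:port pairs. The consensus excerpt is constructed (invented relay names, fingerprints and RFC 5737/3849 addresses); the set name `tor_relays`, the `ipset` and `iptables` invocations and the assumption that the box runs plain iptables are mine.

```python
import ipaddress
import re

# Constructed sample shaped like the "r"/"a"/"s" lines of a Tor microdesc
# consensus. Relays, fingerprints and addresses are invented; a real
# consensus lists thousands of relays and is re-issued every hour.
SAMPLE_CONSENSUS = """\
network-status-version 3 microdesc
r RelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-06-27 12:00:00 192.0.2.10 9001 9030
a [2001:db8::10]:9001
s Fast Running Stable Valid
r RelayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-06-27 12:00:00 198.51.100.20 443 0
s Fast Guard Running Stable Valid
r RelayC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2018-06-27 12:00:00 203.0.113.30 8080 0
s Running Valid
"""

# "a" lines carry an extra ORPort (in practice IPv6) as "[addr]:port".
A_LINE = re.compile(r"a \[([0-9a-fA-F:]+)\]:(\d+)")


def parse_orports(consensus_text):
    """Return [(ip, orport, ip_version), ...] for every relay ORPort.

    In both the full and the microdesc consensus flavour the last three
    fields of an "r" line are IP, ORPort, DirPort, so the fields are read
    from the end and the flavour-dependent digest column does not matter.
    """
    endpoints = []
    for line in consensus_text.splitlines():
        if line.startswith("r "):
            fields = line.split()
            ip = ipaddress.ip_address(fields[-3])  # raises on garbage
            endpoints.append((str(ip), int(fields[-2]), ip.version))
        elif line.startswith("a "):
            m = A_LINE.fullmatch(line.strip())
            if m:
                ip = ipaddress.ip_address(m.group(1))
                endpoints.append((str(ip), int(m.group(2)), ip.version))
    return endpoints


def ipset_script(endpoints, setname="tor_relays"):
    """Build a shell script that (re)fills an ipset of relay IP:port pairs
    and allows outbound TCP only to members of that set.

    IPv4 only: IPv6 endpoints are skipped here because they would need a
    second set created with 'family inet6' and an ip6tables rule.
    The set name is an assumption, not an IPFire convention.
    """
    lines = [
        f"ipset -exist create {setname} hash:ip,port",
        f"ipset flush {setname}",
    ]
    for ip, port, version in endpoints:
        if version == 4:
            lines.append(f"ipset -exist add {setname} {ip},tcp:{port}")
    # -C checks whether the rule exists so re-running does not duplicate it.
    rule = f"OUTPUT -p tcp -m set --match-set {setname} dst,dst -j ACCEPT"
    lines.append(f"iptables -C {rule} 2>/dev/null || iptables -I {rule}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ipset_script(parse_orports(SAMPLE_CONSENSUS)))
```

Two caveats a practitioner would want. First, the list is only as fresh as the consensus it was built from, so it has to be regenerated whenever the relay fetches a new one (the relay's own copy lives in its DataDirectory as `cached-microdesc-consensus`; that the directory is `/var/lib/tor` is an assumption). Second, this covers steady-state relay-to-relay traffic only: the very first bootstrap has to reach the directory authorities before any consensus exists, and inbound problem (a) is untouched, since clients connecting to the ORPort still arrive from every country.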