Re: In-/Outbound firewall configuration for Tor relay

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2872 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

On Wed, 2018-06-27 at 22:53 +0200, Peter Müller wrote:
> Hello,
> 
> for quite some time, IPFire includes Tor via Pakfire as an add-on.
> 
> Trying to set up a Tor relay there, I stumbled into several problems
> regarding firewall rule configuration:
> 
> (a) Inbound
> It turns out that Tor is not working correctly if GeoIP block is
> active (this occurred after a reboot - strange). Of course, one
> possibility is to disable GeoIP block at all, allow access to the
> Tor relay ports, and deny any except those of legitimate countries
> to other services on the firewall machine.

You can use the normal firewall rules for a more granular configuration.

The geoip filter comes first and then all the rest. Depending on how many
countries you block here, Tor connectivity becomes a little bit useless.

> Since this enlarges the ruleset (already quite complex here :-| ),
> I am wondering if there is a more simple way to achieve this.

We could move tor rules before the GeoIP filter, but I am not sure if that is
very intuitive.

> (b) Outbound
> For security reasons (surprise!), outgoing connections are heavily
> limited here - only DNS, NTP and web traffic is allowed, and only
> to a certain list of countries. Some call that "racist routing"...
> 
> This does not work with Tor since it needs to open connections to
> almost any port on almost any IP address. Allowing outbound traffic
> in general is out of question, so there seems to possibility left.
> 
> Besides from running a Tor relay in the local DMZ and apply the
> firewall rules for this machine, is there another way?

Not that I am aware of.

You can build something custom here by using the -m owner module of iptables and
make an exception in the OUTPUT chain for the tor process. You just need a
little script that puts the pid into it if you cannot check by uid.

Best,
- -Michael

> 
> Thanks, and best regards,
> Peter Müller
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls005wACgkQgHnw/2+Q
CQe2QhAAryeVSpqKc5mJpMhlUE/LwnGGSJbn+eRfd/Buy6NXqPO2LXrh4H7ljr6D
z3Q1N6h7Yc5J1bjRqxeYALl9kMpnudoPej0k600v2FwGxSqQaSEeriHSHkF63UK1
24zTf5ExjdmVqy9TGsjou1qgeg5XkxeG631vqBzay19Ts0zhA6RJmviCVJIxfMup
ypg94t6hHgTTEqdPUo95gXRkkE7fkW0ZpBymDR5SUXuLu+Y7QCIPhvEoD2ttk3lt
NVOKLmZkaK6VRzPk/ONT5Ia+xsO0zDIoe6Uf2D25Y7B4G7izCDJNNWyxe66ezkmU
ji17aK/4rc3LvBl6zPNBO9SkCfHxy31HyguWoEBTBH4a8ytY3oGPW7KLZQw2ERxH
nhQvC6vSEL86n4Q0BVf6xVEtaZITxLNiOVkBWEigdYY2FFJbCvrs0g6d/OG+VVWN
Y9Ab9K8RVWD16qRoXoPf1SDOlpxhOSghVFW1y3ExSd7k+vdCgzYO+APIjEQAHSrE
H63VZdJB14wieBEUDizYqb857OdUsNi4J91DevCZGQOsRDftzZCTXeVoV1pgcUbc
ig81DFD0d6b1/1fZiQ0GQyy3vXl2h8NRAl+NZnfAMezZx5HyGcGAVRCS4siA+w0w
NbSChIef8zY3+ke8Cm2MA6jO5fs7Xdf0eU99LPZEeDU4mQFOGxQ=
=6Aha
-----END PGP SIGNATURE-----