-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

On Wed, 2018-06-27 at 22:53 +0200, Peter Müller wrote:
> Hello,
>
> for quite some time, IPFire includes Tor via Pakfire as an add-on.
>
> Trying to set up a Tor relay there, I stumbled into several problems
> regarding firewall rule configuration:
>
> (a) Inbound
> It turns out that Tor is not working correctly if GeoIP block is
> active (this occurred after a reboot - strange). Of course, one
> possibility is to disable GeoIP block altogether, allow access to the
> Tor relay ports, and deny any except those of legitimate countries
> to other services on the firewall machine.

You can use the normal firewall rules for a more granular configuration.
The geoip filter comes first and then all the rest. Depending on how
many countries you block here, Tor connectivity becomes a little bit
useless.

> Since this enlarges the ruleset (already quite complex here :-| ),
> I am wondering if there is a simpler way to achieve this.

We could move tor rules before the GeoIP filter, but I am not sure if
that is very intuitive.

> (b) Outbound
> For security reasons (surprise!), outgoing connections are heavily
> limited here - only DNS, NTP and web traffic is allowed, and only
> to a certain list of countries. Some call that "racist routing"...
>
> This does not work with Tor since it needs to open connections to
> almost any port on almost any IP address. Allowing outbound traffic
> in general is out of the question, so there seems no possibility left.
>
> Besides running a Tor relay in the local DMZ and applying the
> firewall rules for this machine, is there another way?

Not that I am aware of.

You can build something custom here by using the -m owner module of
iptables and make an exception in the OUTPUT chain for the tor process.
You just need a little script that puts the pid into it if you cannot
check by uid.
Best,
- -Michael

>
> Thanks, and best regards,
> Peter Müller
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls005wACgkQgHnw/2+Q
CQe2QhAAryeVSpqKc5mJpMhlUE/LwnGGSJbn+eRfd/Buy6NXqPO2LXrh4H7ljr6D
z3Q1N6h7Yc5J1bjRqxeYALl9kMpnudoPej0k600v2FwGxSqQaSEeriHSHkF63UK1
24zTf5ExjdmVqy9TGsjou1qgeg5XkxeG631vqBzay19Ts0zhA6RJmviCVJIxfMup
ypg94t6hHgTTEqdPUo95gXRkkE7fkW0ZpBymDR5SUXuLu+Y7QCIPhvEoD2ttk3lt
NVOKLmZkaK6VRzPk/ONT5Ia+xsO0zDIoe6Uf2D25Y7B4G7izCDJNNWyxe66ezkmU
ji17aK/4rc3LvBl6zPNBO9SkCfHxy31HyguWoEBTBH4a8ytY3oGPW7KLZQw2ERxH
nhQvC6vSEL86n4Q0BVf6xVEtaZITxLNiOVkBWEigdYY2FFJbCvrs0g6d/OG+VVWN
Y9Ab9K8RVWD16qRoXoPf1SDOlpxhOSghVFW1y3ExSd7k+vdCgzYO+APIjEQAHSrE
H63VZdJB14wieBEUDizYqb857OdUsNi4J91DevCZGQOsRDftzZCTXeVoV1pgcUbc
ig81DFD0d6b1/1fZiQ0GQyy3vXl2h8NRAl+NZnfAMezZx5HyGcGAVRCS4siA+w0w
NbSChIef8zY3+ke8Cm2MA6jO5fs7Xdf0eU99LPZEeDU4mQFOGxQ=
=6Aha
-----END PGP SIGNATURE-----
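The two workarounds discussed above (an inbound exception for the relay port ahead of the GeoIP block, and an `-m owner` exception in OUTPUT for the tor daemon) as one worked script. This is an added example, not code from the thread or from IPFire. It assumes the daemon runs under a dedicated system user (`tor` by default, overridable as the second argument) and matches on that uid: the kernel's owner match (`xt_owner`) only supports `--uid-owner`, `--gid-owner` and `--socket-exists` today, the old `--pid-owner` having been dropped, so the pid-based variant mentioned above is not available on current kernels. It also assumes that inserting at position 1 of INPUT lands the rule before IPFire's GeoIP jump; check with `iptables -L INPUT --line-numbers` on the box. The function prints the commands it would run so the ruleset can be reviewed first; set `DRY_RUN=0` to execute them as root (on IPFire, the natural home is the `start)` case of `/etc/sysconfig/firewall.local`). Chain name `TOR_OUT` and the default ORPort 9001 are this example's choices.

```shell
#!/bin/sh
# Added example: iptables rules for a Tor relay on a host whose OUTPUT
# chain is otherwise locked down. Not IPFire's or the poster's code.

# tor_rules [ORPORT] [TORUSER]
# Prints one iptables command per line; nothing is executed here.
tor_rules() {
    orport="${1:-9001}"     # assumption: ORPort 9001 unless told otherwise
    toruser="${2:-tor}"     # assumption: daemon runs as system user "tor"

    # A dedicated chain keeps the exception easy to inspect and to remove.
    echo "iptables -N TOR_OUT 2>/dev/null || true"
    echo "iptables -F TOR_OUT"

    # Only packets generated by the tor uid enter TOR_OUT. The owner match
    # works in OUTPUT only (locally generated traffic), which is exactly
    # where the restrictive egress policy lives. Position 1 puts it ahead
    # of the country/port filters.
    echo "iptables -I OUTPUT 1 -m owner --uid-owner ${toruser} -j TOR_OUT"

    # Relay traffic: TCP to any port on any address (OR links to other
    # relays, directory fetches) plus UDP/53 for the daemon's own lookups.
    echo "iptables -A TOR_OUT -p tcp -j ACCEPT"
    echo "iptables -A TOR_OUT -p udp --dport 53 -j ACCEPT"
    # Anything else from that uid falls back into the normal OUTPUT chain,
    # so the exception is no wider than the relay needs.
    echo "iptables -A TOR_OUT -j RETURN"

    # Inbound: accept new connections to the ORPort before the GeoIP block
    # (assumption: INPUT position 1 precedes the GeoIP jump on this host).
    echo "iptables -I INPUT 1 -p tcp --dport ${orport} -m conntrack --ctstate NEW -j ACCEPT"
}

# apply_tor_rules [ORPORT] [TORUSER]
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them via sh -e.
apply_tor_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        tor_rules "$@"
    else
        tor_rules "$@" | sh -e
    fi
}

# Usage:  sh tor-fw.sh 9001 tor            # review the rules
#         DRY_RUN=0 sh tor-fw.sh 9001 tor  # apply them (root)
apply_tor_rules "$@"
```

Rules inserted this way are lost on the next firewall reload unless they live in the reload hook, which is why the script prints rather than applies by default: paste the output into `firewall.local` once it looks right. Replies to established connections are expected to be accepted by the existing conntrack rule in OUTPUT, as on a stock IPFire ruleset; if that rule is absent, the TCP accept inside `TOR_OUT` still covers the relay's own packets.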