From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: In-/Outbound firewall configuration for Tor relay
Date: Thu, 28 Jun 2018 13:24:59 +0100
In-Reply-To: <7fc21243-349c-94b2-4c18-59121e356715@link38.eu>

Hello,

On Wed, 2018-06-27 at 22:53 +0200, Peter Müller wrote:
> Hello,
>
> for quite some time, IPFire includes Tor via Pakfire as an add-on.
>
> Trying to set up a Tor relay there, I stumbled into several problems
> regarding firewall rule configuration:
>
> (a) Inbound
> It turns out that Tor is not working correctly if GeoIP block is
> active (this occurred after a reboot - strange). Of course, one
> possibility is to disable GeoIP block altogether, allow access to the
> Tor relay ports, and deny any except those of legitimate countries
> to other services on the firewall machine.

You can use the normal firewall rules for a more granular configuration.
The geoip filter comes first and then all the rest. Depending on how many
countries you block here, Tor connectivity becomes a little bit useless.

> Since this enlarges the ruleset (already quite complex here :-| ),
> I am wondering if there is a simpler way to achieve this.

We could move tor rules before the GeoIP filter, but I am not sure if
that is very intuitive.

> (b) Outbound
> For security reasons (surprise!), outgoing connections are heavily
> limited here - only DNS, NTP and web traffic is allowed, and only
> to a certain list of countries. Some call that "racist routing"...
>
> This does not work with Tor since it needs to open connections to
> almost any port on almost any IP address. Allowing outbound traffic
> in general is out of the question, so there seems to be no possibility left.
>
> Besides running a Tor relay in the local DMZ and applying the
> firewall rules for this machine, is there another way?

Not that I am aware of.

You can build something custom here by using the -m owner module of
iptables and make an exception in the OUTPUT chain for the tor process.
You just need a little script that puts the pid into it if you cannot
check by uid.

Best,
-Michael

>
> Thanks, and best regards,
> Peter Müller
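The per-process outbound exception Michael describes, written out as a small hook script. This is an added example, not code from the thread or from IPFire itself; it assumes Tor runs as the system user "tor", that the rule goes into IPFire's CUSTOMOUTPUT chain (the chain firewall.local is meant to fill), and it uses the owner match's --uid-owner test, which is the "check by uid" case.

```sh
#!/bin/sh
# Allow outbound connections only for the Tor daemon, matched by the uid
# that owns the socket (iptables owner match). Everything else in OUTPUT
# stays subject to the existing restrictive policy.
#
# Assumptions (not taken from the thread): Tor runs as the system user
# "tor", and the rule is placed in IPFire's CUSTOMOUTPUT chain, which
# /etc/sysconfig/firewall.local populates on start/reload.

TOR_USER="${TOR_USER:-tor}"
CHAIN="${CHAIN:-CUSTOMOUTPUT}"
IPT="${IPT:-iptables}"

# Print the rule specification for the given operation (-I insert, -D delete,
# -C check). Kept in one place so apply/remove/check can never drift apart.
tor_rule_args() {
    printf '%s %s -m owner --uid-owner %s -j ACCEPT' "$1" "$CHAIN" "$TOR_USER"
}

# Refuse to touch the firewall if the user does not exist: a typo here would
# otherwise silently produce a rule that matches nothing.
tor_user_exists() {
    id -u "$TOR_USER" >/dev/null 2>&1
}

apply_tor_rule() {
    tor_user_exists || { echo "user $TOR_USER not found" >&2; return 1; }
    # Insert only if not already present, so re-running on reload is idempotent.
    $IPT $(tor_rule_args -C) 2>/dev/null || $IPT $(tor_rule_args -I)
}

remove_tor_rule() {
    $IPT $(tor_rule_args -D)
}

# Hook interface mirrors firewall.local: start/reload add the rule, stop removes it.
case "${1:-}" in
    start|reload) apply_tor_rule ;;
    stop)         remove_tor_rule ;;
    show)         tor_rule_args -I; echo ;;
esac
```

Because the rule matches the socket owner rather than destination ports or countries, the GeoIP and port restrictions for every other local process stay exactly as they were.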