From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: In-/Outbound firewall configuration for Tor relay
Date: Thu, 28 Jun 2018 19:14:11 +0200

Hello Michael,

thanks for the clarification.

> Hello,
>
> On Wed, 2018-06-27 at 22:53 +0200, Peter Müller wrote:
>> Hello,
>>
>> for quite some time, IPFire includes Tor via Pakfire as an add-on.
>>
>> Trying to set up a Tor relay there, I stumbled into several problems
>> regarding firewall rule configuration:
>>
>> (a) Inbound
>> It turns out that Tor is not working correctly if GeoIP block is
>> active (this occurred after a reboot - strange). Of course, one
>> possibility is to disable GeoIP block altogether, allow access to the
>> Tor relay ports, and deny any except those of legitimate countries
>> to other services on the firewall machine.
>
> You can use the normal firewall rules for a more granular configuration.
>
> The geoip filter comes first and then all the rest. Depending on how many
> countries you block here, Tor connectivity becomes a little bit useless.

Indeed. And I block many... :-)

>
>> Since this enlarges the ruleset (already quite complex here :-| ),
>> I am wondering if there is a simpler way to achieve this.
>
> We could move tor rules before the GeoIP filter, but I am not sure if that is
> very intuitive.

I do not think so since users may expect anything is blocked then and
wonder why Tor still works fine. We should keep firewall things intentional
in order not to puzzle users.

OK, the incoming way is solved then.
>
>> (b) Outbound
>> For security reasons (surprise!), outgoing connections are heavily
>> limited here - only DNS, NTP and web traffic is allowed, and only
>> to a certain list of countries. Some call that "racist routing"...
>>
>> This does not work with Tor since it needs to open connections to
>> almost any port on almost any IP address. Allowing outbound traffic
>> in general is out of the question, so there seems to be no possibility left.
>>
>> Besides running a Tor relay in the local DMZ and applying the
>> firewall rules for this machine, is there another way?
>
> Not that I am aware of.
>
> You can build something custom here by using the -m owner module of iptables and
> make an exception in the OUTPUT chain for the tor process. You just need a
> little script that puts the pid into it if you cannot check by uid.

Hm, I never used the "owner" module before... I guess these custom firewall
rules will need to be placed in "firewall.local"
(https://wiki.ipfire.org/configuration/firewall/firewall.local)?

According to the firewall processing scheme
(https://wiki.ipfire.org/_media/configuration/firewall/ipfire_fw_chains.jpg),
it is processed before anything else, so this would suit.

Will test this and get back if problems occur.

Best regards,
Peter Müller
-- 
"We don't care. We don't have to. We're the Phone Company."
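Added example, not part of the thread or of IPFire itself: a firewall.local in the usual start/stop/reload shape that implements the "-m owner" suggestion by uid, so that only the Tor daemon's new outbound TCP connections bypass the restrictive outbound policy while everything else keeps going through the regular rules. It assumes Tor runs as the system user "tor" and that IPFire consults the CUSTOMOUTPUT chain for firewall.local rules before its own outbound restrictions; IPTABLES, TOR_USER and TOR_CHAIN are hypothetical variables added so the script can be dry-run.

```shell
#!/bin/sh
# /etc/sysconfig/firewall.local (added example): outbound exception for Tor.
# Assumptions: Tor runs as user "tor"; CUSTOMOUTPUT is evaluated early.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set to "echo" for a dry run
TOR_USER="${TOR_USER:-tor}"
TOR_CHAIN="${TOR_CHAIN:-CUSTOMOUTPUT}"

# One rule body shared by start and stop, so the delete matches exactly what
# was inserted. Only NEW TCP connections are matched: a relay speaks TCP only,
# and established/related traffic is already accepted by the base ruleset.
# No host or port restriction, because that is precisely what a relay cannot
# live with; the owner match is what keeps the exception narrow.
tor_rule() {
    printf '%s' "-p tcp -m conntrack --ctstate NEW -m owner --uid-owner ${TOR_USER} -j ACCEPT"
}

tor_start() {
    # Fail loudly if the account is missing: iptables would reject the rule
    # anyway, but with a less obvious message, and Tor would silently fall
    # back to the blocked path.
    if ! id -u "${TOR_USER}" >/dev/null 2>&1; then
        echo "firewall.local: user ${TOR_USER} not found, Tor rule skipped" >&2
        return 1
    fi
    # Position 1: the exception must come before any country/port limits
    # that live later in the same chain.
    $IPTABLES -I "${TOR_CHAIN}" 1 $(tor_rule)
}

tor_stop() {
    # Ignore "rule not found" so stop is idempotent.
    $IPTABLES -D "${TOR_CHAIN}" $(tor_rule) 2>/dev/null || true
}

case "${1:-}" in
    start)  tor_start ;;
    stop)   tor_stop ;;
    reload) tor_stop; tor_start ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Whether the rule is actually being hit can be checked afterwards with `iptables -L CUSTOMOUTPUT -v -n`, whose packet counters on the owner rule should rise once the relay starts building circuits.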