<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br></div><div>On 27 Nov 2014, at 21:02, Fabian Keil <<a href="mailto:freebsd-listen@fabiankeil.de">freebsd-listen@fabiankeil.de</a>> wrote:<br><br></div><blockquote type="cite"><div><span>George Rosamond <<a href="mailto:george@ceetonetechnology.com">george@ceetonetechnology.com</a>> wrote:</span><br><span></span><br><blockquote type="cite"><span>teor:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>1. blocking what shouldn't be listening, assuming "block" is high up in</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>your ruleset. I have a box that localhost was at 127.0.0... other than</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>.1. Therefore, a hidden service wasn't hidden.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>George,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Is this a bug in tor where it only considers 127.0.0.1 local?</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Or a configuration bug in the hidden service torrc?</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Or something else?</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote 
type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Good question.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>If a web server is configured to listen on localhost, and the torrc sets</span><br></blockquote><blockquote type="cite"><span>localhost for listening for hidden traffic, then it shouldn't. But if</span><br></blockquote><blockquote type="cite"><span>you set 127.0.0.1 (instead of localhost) and that's not the localhost</span><br></blockquote><blockquote type="cite"><span>address, then the problem arose.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I'd have to test it again, but in that case it was a FreeBSD jail.</span><br></blockquote><span></span><br><span>If you aren't using VIMAGE[1], binding to 127.0.0.1 in a FreeBSD jail</span><br><span>binds to the jail's IP address (which may be accessible from the network):</span><br><span></span><br><span>fk@r500 ~ $sudo jexec -u _tor 1 grep 127 /usr/local/etc/tor/torrc</span><br><span>TransListenAddress 127.0.0.1</span><br><span>SocksListenAddress 127.0.0.1</span><br><span>ControlListenAddress 127.0.0.1</span><br><span>fk@r500 ~ $sudo jexec 1 sockstat -4l | grep _tor</span><br><span>_tor tor 939 5 tcp4 10.0.0.2:9050 *:*</span><br><span>_tor tor 939 6 tcp4 10.0.0.2:9048 *:*</span><br><span>_tor tor 939 7 tcp4 10.0.0.2:9049 *:*</span><br><span>_tor tor 939 8 udp4 10.0.0.2:53 *:*</span><br><span>_tor tor 939 9 tcp4 10.0.0.2:9040 *:*</span><br><span>_tor tor 939 10 tcp4 10.0.0.2:9051 *:*</span><br><span></span><br><span>That's a documented and IMHO useful jail feature.</span><br><span></span><br><span>Fabian</span><br><span></span><br><span>[1] I haven't actually tested that this doesn't apply to VIMAGE,</span><br><span>I just assume it doesn't.</span></div></blockquote><div><br></div><div>So a misconfiguration in an unusual environment, not a bug in 
tor.</div><div><br></div><div>As far as I know, tor blacklists 127.0.0.1:</div><div>* in the default exit policy (127./8:*)</div><div>* in the IPv4 address autodetection code</div><div><br></div><div>Both of these scenarios can be overridden by an explicit torrc configuration, although the first probably shouldn't be.</div><br><div><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><span style="background-color: rgba(255, 255, 255, 0);">teor<br>pgp 0xABFED1AC<br><a href="hkp://pgp.mit.edu/">hkp://pgp.mit.edu/</a></span></div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);"><a href="https://gist.github.com/teor2345/d033b8ce0a99adbc89c5">https://gist.github.com/teor2345/d033b8ce0a99adbc89c5</a><br><a href="http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="2">http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx</a></span></font></div><div><br></div><div><br></div></div><div><br></div></div></body></html>
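One way to catch the condition Fabian demonstrates, as an added example that is not part of the thread: a POSIX sh check that parses `sockstat -4l` output and flags any socket owned by the tor user that is bound to something other than 127.0.0.0/8 (the jail IP, or `*`). The function names are mine; the `_tor` lines in the sample are copied from the quoted sockstat output, and the `sshd` line is constructed to show that other users are ignored.

```shell
#!/bin/sh
# Added example, not from the thread. Inside a non-VIMAGE jail, a torrc that
# says "127.0.0.1" can end up bound to the jail's address (10.0.0.2 above),
# so the Socks/Control/Trans ports become reachable from the network.

# Reads `sockstat -4l` output on stdin and prints "PROTO LOCAL-ADDRESS" for
# every socket owned by $1 whose local address is outside 127.0.0.0/8.
# Exit status: 0 when every socket is on loopback, 1 when any is exposed.
find_exposed_listeners() {
    awk -v user="$1" '
        # sockstat columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        $1 == user && NF >= 6 {
            split($6, a, ":")            # a[1] = local address, a[2] = port
            if (a[1] !~ /^127\./) {      # "*" (all addresses) is exposed too
                print $5, $6
                exposed = 1
            }
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Live check from the host: jail id/name in $1, tor user in $2 (assumed _tor).
check_jail() {
    jexec "$1" sockstat -4l | find_exposed_listeners "${2:-_tor}"
}

# Constructed sample: the jail state quoted in the thread plus an sshd line.
JAIL_SAMPLE='root sshd 700 4 tcp4 *:22 *:*
_tor tor 939 5 tcp4 10.0.0.2:9050 *:*
_tor tor 939 8 udp4 10.0.0.2:53 *:*
_tor tor 939 10 tcp4 10.0.0.2:9051 *:*'

# Constructed sample of what the torrc actually asked for.
LOOPBACK_SAMPLE='_tor tor 939 5 tcp4 127.0.0.1:9050 *:*
_tor tor 939 10 tcp4 127.0.0.1:9051 *:*'

# Stand-alone demonstration on the constructed jail sample.
printf '%s\n' "$JAIL_SAMPLE" | find_exposed_listeners _tor \
    || echo "tor listens outside loopback: use VIMAGE, or block the ports in pf"
```

Run `check_jail 1` from the host to test a real jail; a non-zero exit means at least one tor socket is reachable from outside the loopback interface.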