<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><blockquote type="cite">1.  blocking what shouldn't be listening, assuming "block" is high up in<br>your ruleset.  I have a box that localhost was at 127.0.0... other than<br>.1.  Therefore, a hidden service wasn't hidden.<span class="AppleTemporaryEditingElement" id="x-apple-selection:end"></span></blockquote></span><div><br></div>George,</div><div><br>Is this a bug in tor where it only considers 127.0.0.1 local?</div><div>Or a configuration bug in the hidden service torrc?</div><div>Or something else?</div><div><br><br><div style="-webkit-text-size-adjust: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><span style="background-color: rgba(255, 255, 255, 0);">teor<br>pgp 0xABFED1AC<br><a href="hkp://pgp.mit.edu/">hkp://pgp.mit.edu/</a></span></div><div style="-webkit-text-size-adjust: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);"><a href="https://gist.github.com/teor2345/d033b8ce0a99adbc89c5">https://gist.github.com/teor2345/d033b8ce0a99adbc89c5</a><br><a href="http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="2">http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx</a></span></font></div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;"><br></div></div><div style="-webkit-text-size-adjust: auto;"><br>On 27 Nov 2014, at 8:28, George Rosamond <<a href="mailto:george@ceetonetechnology.com">george@ceetonetechnology.com</a>> wrote:<br><br></div><blockquote type="cite" style="-webkit-text-size-adjust: 
auto;"><div><span>Libertas:</span><br><blockquote type="cite"><span>I'm very new to packet filters and firewalls, but I'm wondering how</span><br></blockquote><blockquote type="cite"><span>much security this really offers. I feel like allowing a large,</span><br></blockquote><blockquote type="cite"><span>dynamically updated list of outgoing ports probably doesn't do much as</span><br></blockquote><blockquote type="cite"><span>compared to just allowing everything. Can anyone give an example case</span><br></blockquote><blockquote type="cite"><span>in which this would help?</span><br></blockquote><span></span><br><span>Some people think that's a "stupid question", but I think host-based</span><br><span>firewalls are something to consider the costs/benefits of.</span><br><span></span><br><span>The reality is that if a port isn't listening, then no one can connect</span><br><span>to it.  And if something is listening, it probably is serving something.</span><br><span></span><br><span>The starting point should always be, IMHO, to netstat or sockstat the</span><br><span>box.  Should every port that's listening or maintaining connections be</span><br><span>doing it?</span><br><span></span><br><span>There's a bunch of things that apply to pf and firewalls in general.</span><br><span>Here's a start...</span><br><span></span><br><span>1.  blocking what shouldn't be listening, assuming "block" is high up in</span><br><span>your ruleset.  I have a box that localhost was at 127.0.0... other than</span><br><span>.1.  Therefore, a hidden service wasn't hidden.</span><br><span></span><br><span>2.  effectively dropping traffic to listening ports you don't want, such</span><br><span>as bad synfin packets or say, netblocks/IPs you don't want to connect.</span><br><span></span><br><span>3.  rate limiting connections, most commonly on SSHD, which also deals</span><br><span>with light-weight denial of service attacks (conscious or not)</span><br><span></span><br><span>4.  
fancy stuff like opening a dynamic port like obfsproxy requires with</span><br><span>macros :)</span><br><span></span><br><span>I could continue, but that's a decent start.</span><br><span></span><br><span>g</span><br><span>_______________________________________________</span><br><span>Tor-BSD mailing list</span><br><span><a href="mailto:Tor-BSD@lists.nycbug.org">Tor-BSD@lists.nycbug.org</a></span><br><span><a href="http://lists.nycbug.org/mailman/listinfo/tor-bsd">http://lists.nycbug.org/mailman/listinfo/tor-bsd</a></span><br></div></blockquote></body></html>