[Tor-BSD] OpenBSD pf rules...
Fabian Keil
freebsd-listen at fabiankeil.de
Thu Nov 27 05:02:16 EST 2014
George Rosamond <george at ceetonetechnology.com> wrote:
> teor:
> >> 1. blocking what shouldn't be listening, assuming "block" is high up in
> >> your ruleset. I have a box that localhost was at 127.0.0... other than
> >> .1. Therefore, a hidden service wasn't hidden.
> >
> >
> > George,
> >
> > Is this a bug in tor where it only considers 127.0.0.1 local?
> > Or a configuration bug in the hidden service torrc?
> > Or something else?
> >
>
>
> Good question.
>
> If a web server is configured to listen on localhost, and the torrc sets
> localhost for listening for hidden traffic, then it shouldn't. But if
> you set 127.0.0.1 (instead of localhost) and that's not the localhost
> address, then the problem arose.
>
> I'd have to test it again, but in that case it was a FreeBSD jail.
If you aren't using VIMAGE[1], binding to 127.0.0.1 in a FreeBSD jail
binds to the jail's IP address (which may be accessible from the network):
fk at r500 ~ $sudo jexec -u _tor 1 grep 127 /usr/local/etc/tor/torrc
TransListenAddress 127.0.0.1
SocksListenAddress 127.0.0.1
ControlListenAddress 127.0.0.1
fk at r500 ~ $sudo jexec 1 sockstat -4l | grep _tor
_tor tor 939 5 tcp4 10.0.0.2:9050 *:*
_tor tor 939 6 tcp4 10.0.0.2:9048 *:*
_tor tor 939 7 tcp4 10.0.0.2:9049 *:*
_tor tor 939 8 udp4 10.0.0.2:53 *:*
_tor tor 939 9 tcp4 10.0.0.2:9040 *:*
_tor tor 939 10 tcp4 10.0.0.2:9051 *:*
That's a documented and IMHO useful jail feature.
Fabian
[1] I haven't actually tested that this doesn't apply to VIMAGE,
I just assume it doesn't.
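A quick check that follows from the thread above, added here as an example and not part of Fabian's post or of any FreeBSD or Tor tooling: parse sockstat -4l output from inside a jail and list every listener whose local address is not in 127.0.0.0/8. The sample output below is constructed to mirror the format shown in the message (the nginx line is invented for contrast); on a real host you would pipe jexec <jid> sockstat -4l into exposed_listeners instead.

```shell
#!/bin/sh
# Added example, not from the list post: flag jailed daemons whose sockets
# ended up bound outside 127.0.0.0/8 (the non-VIMAGE jail behaviour
# described in the thread, where a bind to 127.0.0.1 lands on the jail IP).

# Constructed sample in sockstat -4l format; the nginx row is invented to
# show a listener that is correctly confined to loopback.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
_tor     tor        939   5  tcp4   10.0.0.2:9050         *:*
_tor     tor        939   6  tcp4   10.0.0.2:9048         *:*
www      nginx      1201  6  tcp4   127.0.0.1:8080        *:*
_tor     tor        939   8  udp4   10.0.0.2:53           *:*'

# Read sockstat-style lines on stdin and print "user command proto local"
# for each listener whose local address does not start with 127.
# A wildcard bind (*:port) is reported too, since it is reachable as well.
exposed_listeners() {
    awk 'NR > 1 && $6 !~ /^127\./ { print $1, $2, $5, $6 }'
}

# Number of exposed listeners in the constructed sample (printed to stdout).
count_exposed_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners | wc -l | tr -d ' '
}

# Live use on a FreeBSD host, with jail id 1 as in the thread:
#   jexec 1 sockstat -4l | exposed_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
```

Run against the sample, the three _tor sockets bound to 10.0.0.2 are reported and the loopback-only nginx socket is not; anything this prints from a jail is a bind you expected to be local but which pf rules or the jail configuration must now account for.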