[Tor-BSD] OpenBSD pf rules...
teor2345 at gmail.com
Thu Nov 27 05:41:48 EST 2014
> On 27 Nov 2014, at 21:02, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> George Rosamond <george at ceetonetechnology.com> wrote:
>>>> 1. blocking what shouldn't be listening, assuming "block" is high up in
>>>> your ruleset. I have a box that localhost was at 127.0.0... other than
>>>> .1. Therefore, a hidden service wasn't hidden.
>>> Is this a bug in tor where it only considers 127.0.0.1 local?
>>> Or a configuration bug in the hidden service torrc?
>>> Or something else?
>> Good question.
>> If a web server is configured to listen on localhost, and the torrc sets
>> localhost for listening for hidden traffic, then it shouldn't. But if
>> you set 127.0.0.1 (instead of localhost) and that's not the localhost
>> address, then the problem arose.
>> I'd have to test it again, but in that case it was a FreeBSD jail.
> If you aren't using VIMAGE, binding to 127.0.0.1 in a FreeBSD jail
> binds to the jail's IP address (which may be accessible from the network):
> fk at r500 ~ $sudo jexec -u _tor 1 grep 127 /usr/local/etc/tor/torrc
> TransListenAddress 127.0.0.1
> SocksListenAddress 127.0.0.1
> ControlListenAddress 127.0.0.1
> fk at r500 ~ $sudo jexec 1 sockstat -4l | grep _tor
> _tor tor 939 5 tcp4 10.0.0.2:9050 *:*
> _tor tor 939 6 tcp4 10.0.0.2:9048 *:*
> _tor tor 939 7 tcp4 10.0.0.2:9049 *:*
> _tor tor 939 8 udp4 10.0.0.2:53 *:*
> _tor tor 939 9 tcp4 10.0.0.2:9040 *:*
> _tor tor 939 10 tcp4 10.0.0.2:9051 *:*
> That's a documented and IMHO useful jail feature.
>  I haven't actually tested that this doesn't apply to VIMAGE,
> I just assume it doesn't.
So a misconfiguration in an unusual environment, not a bug in tor.
As far as I know, tor blacklists 127.0.0.1:
* in the default exit policy (127./8:*)
* in the IPv4 address autodetection code
Both of these scenarios can be overridden by an explicit torrc configuration, although the first probably shouldn't be.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Tor-BSD