[Tor-BSD] OpenBSD pf rules...

teor teor2345 at gmail.com
Thu Nov 27 05:41:48 EST 2014


> On 27 Nov 2014, at 21:02, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> 
> George Rosamond <george at ceetonetechnology.com> wrote:
> 
>> teor:
>>>> 1.  blocking what shouldn't be listening, assuming "block" is high up in
>>>> your ruleset.  I have a box where localhost was at 127.0.0... other than
>>>> .1.  Therefore, a hidden service wasn't hidden.
>>> 
>>> 
>>> George,
>>> 
>>> Is this a bug in tor where it only considers 127.0.0.1 local?
>>> Or a configuration bug in the hidden service torrc?
>>> Or something else?
>>> 
>> 
>> 
>> Good question.
>> 
>> If a web server is configured to listen on localhost, and the torrc sets
>> localhost for listening for hidden traffic, then it shouldn't.  But if
>> you set 127.0.0.1 (instead of localhost) and that's not the localhost
>> address, then the problem arose.
>> 
>> I'd have to test it again, but in that case it was a FreeBSD jail.
> 
> If you aren't using VIMAGE[1], binding to 127.0.0.1 in a FreeBSD jail
> binds to the jail's IP address (which may be accessible from the network):
> 
> fk at r500 ~ $sudo jexec -u _tor 1 grep 127 /usr/local/etc/tor/torrc
> TransListenAddress 127.0.0.1
> SocksListenAddress 127.0.0.1
> ControlListenAddress 127.0.0.1
> fk at r500 ~ $sudo jexec 1 sockstat -4l | grep _tor
> _tor     tor        939   5  tcp4   10.0.0.2:9050         *:*
> _tor     tor        939   6  tcp4   10.0.0.2:9048         *:*
> _tor     tor        939   7  tcp4   10.0.0.2:9049         *:*
> _tor     tor        939   8  udp4   10.0.0.2:53           *:*
> _tor     tor        939   9  tcp4   10.0.0.2:9040         *:*
> _tor     tor        939   10 tcp4   10.0.0.2:9051         *:*
> 
> That's a documented and IMHO useful jail feature.
> 
> Fabian
> 
> [1] I haven't actually tested that this doesn't apply to VIMAGE,
> I just assume it doesn't.

So a misconfiguration in an unusual environment, not a bug in tor.

As far as I know, tor blacklists 127.0.0.1:
* in the default exit policy (127./8:*)
* in the IPv4 address autodetection code

Both of these scenarios can be overridden by an explicit torrc configuration, although the first probably shouldn't be.

teor
pgp 0xABFED1AC
hkp://pgp.mit.edu/
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx
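The condition Fabian's listing shows, tor sockets bound to the jail's routable address instead of loopback, is easy to check for from the host. The following is an added example, not code from this thread: it reads `sockstat -4l` style output and flags any `_tor` listener whose local address is outside 127/8. The sample listing is constructed from the output quoted above, with one loopback-bound socket added for contrast.

```shell
#!/bin/sh
# Added example: detect tor listeners that are not bound to 127/8, which is
# what "127.0.0.1" becomes inside a FreeBSD jail without VIMAGE.
# Constructed sample in the format of `sockstat -4l` (based on the listing
# quoted in the thread; the 127.0.0.1:9051 line is added for contrast).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
_tor     tor        939   5  tcp4   10.0.0.2:9050         *:*
_tor     tor        939   6  tcp4   10.0.0.2:9048         *:*
_tor     tor        939   8  udp4   10.0.0.2:53           *:*
_tor     tor        940   4  tcp4   127.0.0.1:9051        *:*'

# Read sockstat output on stdin; print "PROTO LOCALADDR" for every _tor
# socket whose local address is not in 127/8.  Exit 0 when every tor socket
# is loopback-only, 1 otherwise.  Only IPv4 is handled (sockstat -4l);
# an IPv6 check would need the same treatment for ::1.
check_tor_listeners() {
    awk '
        $1 == "_tor" && $6 !~ /^127\./ { print $5, $6; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample.  Against a live jail (jail id 1, as in
# the thread) the equivalent is:  sudo jexec 1 sockstat -4l | check_tor_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | check_tor_listeners \
    || echo "tor has listeners that are reachable beyond loopback"
```

A pf "block" rule early in the ruleset, as George describes, still stops remote access to such a socket, but this check catches the misbinding itself before relying on the firewall to hide it.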


