[Tor-BSD] OpenBSD pf rules...

George Rosamond george at ceetonetechnology.com
Tue Nov 25 17:28:09 EST 2014


Seth:
> On Tue, 25 Nov 2014 11:40:18 -0800, Christopher Owen
> <christopher.owen at gmail.com> wrote:
> 
>> What's the best pf rules to only allow the Tor relay and SSH traffic?
> 
> Don't know if these pf rules are necessarily 'the best' but it's what I'm
> running for now on an OpenBSD ReducedExitPolicy Tor node.
> 
> Criticism and feedback welcomed.

The only thing I'd throw in for Christopher is that you don't need all
those tor_or_ports and tor_exit_ports defined if you're not an exit...
rather, it would just be your ORPort.

Seems good to me for that, though.  Some other inline stuff below.
Unless anyone has some other input, maybe we should look at getting this
stuff on TorServers.net and even the project page.

The other thing to raise is the obfsproxy issue.  It's a randomized TCP
port which seems to change each time you restart Tor.

The only way to deal with that and pf is to grep the port out and define
as a variable in your pf.conf.  Anyone else?

> ------------------------------------------------------------------------------
> 
> 
> icmp_types = "{ echoreq echorep timex unreach }"
> udp_services = "{ ntp }"
> 
> tor_or_ports = "{ 9 20 21 22 23 24 25 43 53 80 81 82 88 99 109 110 143
> 144 164 220 322 387 390 426 441 443 444 445 465 479 499 517 543 587 667
> 739 800 801 853 880 930 990 992 993 994 995 1026 1032 1080 1180 1194
> 1234 1293 1313 1415 1433 1434 1755 1911 1951 1953 2012 2013 2022 2024
> 2102 2121 2201 2280 2962 3001 3042 3090 3128 3129 3307 3390 3480 3766
> 3768 4002 4223 4243 4403 4434 4444 5002 5030 5031 5032 5033 5034 5035
> 5151 5222 5524 5672 5927 6001 6002 6030 6135 6318 6444 6603 6882 6887
> 6970 7013 7030 7036 7343 7576 7653 7686 7734 7777 8000 8001 8008 8011
> 8073 8080 8081 8082 8088 8120 8195 8346 8422 8443 8445 8576 8718 8766
> 8880 8883 8888 8986 9000 9002 9003 9005 9007 9008 9010 9012 9021 9025
> 9030 9031 9032 9033 9034 9035 9036 9037 9038 9039 9040 9041 9042 9043
> 9044 9045 9046 9047 9048 9049 9050 9051 9052 9053 9054 9055 9056 9057
> 9070 9075 9076 9080 9090 9091 9095 9098 9099 9102 9107 9112 9124 9130
> 9131 9191 9201 9230 9236 9265 9291 9300 9301 9336 9339 9344 9391 9400
> 9443 9501 9630 9667 9696 9889 9902 9930 9933 9934 9962 9980 9981 9990
> 9997 9998 10012 10020 10030 10031 10051 10080 10102 10271 10309 10457
> 10595 10691 11030 11110 11202 11312 11358 11395 12011 12030 12130 14801
> 15242 15827 15882 16661 16766 16800 17010 17509 18666 18837 18880 19001
> 19030 19091 19501 19595 19706 20235 20443 20773 21548 22154 22778 23233
> 23352 23400 23426 23432 23456 23471 23487 24001 24456 26033 27640 28684
> 28710 28730 29030 29220 29349 30819 31077 31336 31460 31810 32114 32475
> 32852 33904 34051 34776 35624 35975 36546 39030 39581 39856 40001 40095
> 42024 42542 43696 43846 47581 47702 47704 48470 49030 49090 49152 49153
> 50030 50102 50502 50900 51425 51452 52345 52496 52860 52874 53269 53674
> 54556 54558 54935 55980 56453 56925 56971 57612 58260 58502 59030 60001
> 61234 62021 64181 64671 65356 65520 65524 }"
> 
> tor_exit_ports = "{ 20:23 43 53 79:81 88 110 143 194 220 389 443 464 531

note he doesn't include 25/tcp due to the spam possibilities.

> 543:544 554 563 636 706 749 873 902:904 981 989:995 1194 1220 1293 1500
> 1533 1677 1723 1755 1863 2082 2083 2086:2087 2095:2096 2102:2104 3128
> 3389 3690 4321 4643 5050 5190 5222:5223 5228 5900 6660:6669 6679 6697
> 8000 8008 8074 8080 8082 8087:8088 8332:8333 8443 8888 9418 9999 10000
> 11371 12350 19294 19638 23456 33033 50002 64738 }"
> 
> set block-policy return
> set skip on lo0
> 
> block log all
> 
> # The most frequently matched traffic rules go right up top
> pass out quick proto tcp to port { http https }
> pass quick proto tcp from any to any port 9001
> 
> # drop local broadcast traffic generating log noise
> block drop quick proto igmp
> block drop quick proto udp to any port 67:68
> 
> # Pass local caching DNS server lookups
> pass out proto udp to port domain

Out of curiosity, do others run a local caching DNS?  I do that on lots
of boxes, but never on a relay/bridge.  Any noticeable difference on
performance?

> 
> # Pass dnscrypt-proxy traffic
> pass log proto udp to port https
> # pass your trusted SSH connections
> pass in log proto tcp from { IPs you control go here } to any port ssh
> # pass ntp time lookups
> pass proto udp to port $udp_services
> 
> # pass ICMP ping and traceroute
> pass inet proto icmp all icmp-type $icmp_types
> # allow traceroute(8):
> pass out on egress inet proto udp to port 33433 >< 33626
> 
> # pass the occasionally matched rules last, which is everything else in
> my experience.
> pass out proto tcp to port $tor_exit_ports
> pass out proto tcp to port $tor_or_ports

Note also he didn't pass out all in this ruleset, and he's doing egress
filtering.  That particularly makes sense if you misconfigure a hidden
service ;P

Thanks Seth.

g
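The grep-the-port-out approach George describes above, as an added example that is not from the thread or from Tor or OpenBSD: a small sh script that pulls the obfsproxy listen port from a Tor notice log and renders the pf.conf macro plus a pass rule in the style of Seth's ruleset. It assumes Tor logs the pluggable-transport bind as "Registered server transport 'obfs3' at 'ADDR:PORT'"; the log lines embedded in the script are constructed samples, and it goes one step past the thread by suggesting a pf anchor so the rule can be reloaded on its own.

```shell
#!/bin/sh
# Added example: extract the obfsproxy port Tor chose at startup and turn it
# into a pf.conf fragment. Assumed Tor log format for the transport bind:
#   Registered server transport 'obfs3' at '0.0.0.0:PORT'   (or '[::]:PORT')

# Print the last registered transport port found in the log file $1.
# Fails (no output, exit 1) if no sane port is present.
obfs_port_from_log() {
    port=$(sed -n "s/.*Registered server transport '[^']*' at '[^']*:\([0-9]*\)'.*/\1/p" "$1" | tail -n 1)
    case "$port" in
        ''|*[!0-9]*) return 1 ;;          # empty or not purely numeric
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    echo "$port"
}

# Render the macro George suggests plus a pass rule that uses it.
# Feed the output to pf.conf, or load it into its own anchor:
#   anchor "obfsproxy"            (in pf.conf)
#   pfctl -a obfsproxy -f fragment  (after every Tor restart)
render_pf_fragment() {
    printf 'obfs_port = "%s"\npass in quick proto tcp from any to any port $obfs_port\n' "$1"
}

# Constructed sample Tor notice log, used when no file is given.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 25 17:00:01.000 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 25 17:00:02.000 [notice] Registered server transport 'obfs3' at '0.0.0.0:51234'
Nov 25 17:00:03.000 [notice] Bootstrapped 100%: Done
EOF
}

main() {
    if [ $# -ge 1 ]; then
        port=$(obfs_port_from_log "$1") || { echo "no obfsproxy port in $1" >&2; return 1; }
    else
        tmp=$(mktemp); write_sample_log "$tmp"
        port=$(obfs_port_from_log "$tmp"); rm -f "$tmp"
    fi
    render_pf_fragment "$port"
}

main "$@"
```

Run it as "sh obfs-pf.sh /var/log/tor/notices.log > /etc/pf.conf.d/obfsproxy" from whatever restarts Tor; pinning the port with Tor's ServerTransportListenAddr torrc option avoids the moving target altogether.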

