[Tor-BSD] OpenBSD pf rules...

Seth list at sysfu.com
Tue Nov 25 19:13:44 EST 2014


On Tue, 25 Nov 2014 14:28:09 -0800, George Rosamond  
<george at ceetonetechnology.com> wrote:

> The only thing I'd throw in for Christopher is that you don't need all
> those tor_or_ports and tor_exit_ports defined if you're not an exit...
> rather, it would just be your ORPort.

Indeed.

Regarding ORPorts, doing proper egress filtering on them is problematic. The  
port numbers are in constant flux. To do it right you'd want to implement  
dynamic ORPort list fetching and processing in order to keep them up to  
date.

My bonehead method was:

* download a .csv file of router info and ORPorts from torstatus.info
* use LibreOffice calc to isolate ORPorts, dedup, and export again as a  
text file
* Dump text file data into tor_or_ports pf.conf macro

Ideally there would be a way to allow outbound TCP connections to any  
ORPort if the target is another Tor node. A PF table of Tor node IP  
addresses could be created that was automatically updated once a day for  
example.
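As an added example (not part of Seth's post or of any Tor project code), the following shell script does the three manual steps above with awk instead of LibreOffice, and also emits the table-based rule described as the ideal. The CSV column layout (name, IP, ORPort, DirPort, unquoted), the table name tor_nodes, the file path /etc/pf/tor_nodes, and the fetch URL in the comments are assumptions; the sample CSV is constructed, with two deliberately bad rows so the validation step has something to reject.

```shell
#!/bin/sh
# Added example, not from the original post or the Tor project: turn a
# torstatus-style CSV of relays into a pf macro and a pf table file.
# Column order (name,ip,ORPort,DirPort) and unquoted fields are assumptions.
set -eu

# Constructed sample input; rows zeta (bad IP) and eta (bad port) are
# deliberately invalid and must not reach pf.conf.
SAMPLE_CSV='Router Name,IP Address,ORPort,DirPort
alpha,192.0.2.10,9001,9030
beta,198.51.100.7,443,80
gamma,203.0.113.3,9001,
delta,192.0.2.10,9001,9030
epsilon,203.0.113.44,8080,
zeta,999.0.113.1,9001,
eta,192.0.2.99,70000,'

# valid_rows: CSV on stdin -> "ip port" per relay. Data from a third-party
# site is untrusted before it lands in the firewall config, so the header
# is skipped and any row whose IPv4 address or port does not parse is dropped.
valid_rows() {
    awk -F, '
        NR > 1 && NF >= 3 {
            sub(/\r$/, "")
            ip = $2; port = $3
            if (port !~ /^[0-9]+$/ || port < 1 || port > 65535) next
            if (split(ip, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) next
            print ip, port
        }'
}

# or_ports: unique ORPorts, ascending, space separated (macro form).
or_ports() { valid_rows | awk '{ print $2 }' | sort -nu | paste -sd ' ' -; }

# node_ips: unique relay addresses, one per line (pf table file format).
node_ips() { valid_rows | awk '{ print $1 }' | sort -u; }

# pf_macro: the tor_or_ports macro from the post, generated instead of pasted.
pf_macro() { printf 'tor_or_ports = "{ %s }"\n' "$(or_ports)"; }

# pf_rules: the table-based form: a persistent table loaded from a file, and
# outbound TCP to any port allowed only when the peer is a listed relay.
pf_rules() {
    cat <<'EOF'
table <tor_nodes> persist file "/etc/pf/tor_nodes"
pass out quick proto tcp to <tor_nodes>
EOF
}

# Stand-alone run: show the pf.conf fragment and the table file contents.
# On a relay, replace SAMPLE_CSV with a fetch and reload daily from cron
# (assumed URL):
#   ftp -o - https://torstatus.example/relays.csv | node_ips > /etc/pf/tor_nodes
#   pfctl -t tor_nodes -T replace -f /etc/pf/tor_nodes
echo '# pf.conf fragment'
printf '%s\n' "$SAMPLE_CSV" | pf_macro
pf_rules
echo '# /etc/pf/tor_nodes'
printf '%s\n' "$SAMPLE_CSV" | node_ips
```

The validation in valid_rows is the part worth keeping even if the rest is replaced: whatever produces the list, pf should only ever see well-formed addresses and ports, and a malformed or hostile CSV should shrink the table, not break the ruleset load.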
