[Tor-BSD] OpenBSD pf rules...
Seth
list at sysfu.com
Tue Nov 25 19:13:44 EST 2014
On Tue, 25 Nov 2014 14:28:09 -0800, George Rosamond
<george at ceetonetechnology.com> wrote:
> The only thing I'd throw in for Christopher is that you don't need all
> those tor_or_ports and tor_exit_ports defined if you're not an exit...
> rather, it would just be your ORPort.
Indeed.
Regarding ORPorts, doing proper egress filtering on them is problematic. The
port numbers are in constant flux. To do it right you'd want to implement
dynamic ORPort list fetching and processing in order to keep them up to
date.
My bonehead method was:
* download a .csv file of router info and ORPorts from torstatus.info
* use LibreOffice calc to isolate ORPorts, dedup, and export again as a
text file
* Dump text file data into tor_or_ports pf.conf macro
Ideally there would be a way to allow outbound TCP connections to any
ORPort if the target is another Tor node. A PF table of Tor node IP
addresses could be created that was automatically updated once a day for
example.
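An added example (not Seth's script, and not part of the original thread) that automates the steps above with awk and sort instead of LibreOffice, and also produces the input for the pf table approach he suggests. The CSV is constructed here to mimic a "Router Name,IP Address,ORPort,..." export; the column positions, the macro name tor_or_ports and the table name tor_nodes are assumptions.

```sh
#!/bin/sh
# Added example: turn a relay CSV into
#   (1) a pf.conf macro listing distinct ORPorts, and
#   (2) a list of relay IPv4 addresses suitable for a pf table file.
# SAMPLE_CSV is constructed test data, not a real torstatus.info export;
# the column layout (name,ip,orport,dirport,flags) is an assumption.
SAMPLE_CSV='Router Name,IP Address,ORPort,DirPort,Flags
relayA,192.0.2.10,9001,9030,Fast Running
relayB,198.51.100.7,443,80,Exit Fast Running
relayC,203.0.113.5,9001,,Running
relayD,192.0.2.11,8443,,Running
relayA,192.0.2.10,9001,9030,Fast Running
bogus,not-an-ip,notaport,,Running'

# Distinct ORPorts from CSV on stdin, numerically sorted. Skips the header,
# strips stray CRs, and drops anything that is not a valid TCP port number.
extract_orports() {
    awk -F, 'NR > 1 { sub(/\r$/, "") }
             NR > 1 && $3 ~ /^[0-9]+$/ && $3 + 0 >= 1 && $3 + 0 <= 65535 { print $3 }' \
    | sort -n -u
}

# Distinct relay IPv4 addresses from CSV on stdin (IPv6 rows are ignored).
# Validation is a shape check only; pfctl rejects malformed entries anyway.
extract_ips() {
    awk -F, 'NR > 1 { sub(/\r$/, "") }
             NR > 1 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' \
    | sort -u
}

# Render the ports from stdin as a pf.conf macro line, e.g.
#   tor_or_ports = "{ 443 8443 9001 }"
pf_macro() {
    ports=$(extract_orports | tr '\n' ' ')
    printf '%s = "{ %s}"\n' "$1" "$ports"
}

# Write the IP list from the CSV file $1 to $2 (replaced atomically) and print
# the pfctl command that reloads the <tor_nodes> table from it.
write_table() {
    extract_ips < "$1" > "$2.tmp" && mv "$2.tmp" "$2"
    printf 'pfctl -t tor_nodes -T replace -f %s\n' "$2"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_CSV" | pf_macro tor_or_ports
printf '%s\n' "$SAMPLE_CSV" | extract_ips
```

The table route removes the need for the port macro altogether: declare `table <tor_nodes> persist file "/etc/pf/tor_nodes.txt"` in pf.conf, use a rule such as `pass out on egress proto tcp from self to <tor_nodes>`, and have a daily cron job regenerate the file and run `pfctl -t tor_nodes -T replace -f /etc/pf/tor_nodes.txt`. The macro path still requires `pfctl -f /etc/pf.conf` to take effect, since macros are expanded only at ruleset load.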