[Tor-BSD] OpenBSD pf rules...
teor
teor2345 at gmail.com
Wed Nov 26 19:55:15 EST 2014
> 1. blocking what shouldn't be listening, assuming "block" is high up in
> your ruleset. I have a box that localhost was at 127.0.0... other than
> .1. Therefore, a hidden service wasn't hidden.
George,
Is this a bug in tor where it only considers 127.0.0.1 local?
Or a configuration bug in the hidden service torrc?
Or something else?
teor
pgp 0xABFED1AC
hkp://pgp.mit.edu/
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx
> On 27 Nov 2014, at 8:28, George Rosamond <george at ceetonetechnology.com> wrote:
>
> Libertas:
>> I'm very new to packet filters and firewalls, but I'm wondering how
>> much security this really offers. I feel like allowing a large,
>> dynamically updated list of outgoing ports probably doesn't do much as
>> compared to just allowing everything. Can anyone give an example case
>> in which this would help?
>
> Some people think that's a "stupid question", but I think host-based
> firewalls are something to consider the costs/benefits of.
>
> The reality is that if a port isn't listening, then no one can connect
> to it. And if something is listening, it probably is serving something.
>
> The starting point should always be, IMHO, to netstat or sockstat the
> box. Should every port that listening or maintaining connections be
> doing it?
>
> There's a bunch of things that apply to pf and firewalls in general.
> Here's a start...
>
> 1. blocking what shouldn't be listening, assuming "block" is high up in
> your ruleset. I have a box that localhost was at 127.0.0... other than
> .1. Therefore, a hidden service wasn't hidden.
>
> 2. effectively dropping traffic to listening ports you don't want, such
> as bad synfin packets or say, netblocks/IPs you don't want to connect.
>
> 3. rate limiting connections, most commonly on SSHD, which also deals
> with light-weight denial of service attacks (conscious or not)
>
> 4. fancy stuff like opening a dynamic port like obfsproxy requires with
> macros :)
>
> I could continue, but that's a decent start.
>
> g
> _______________________________________________
> Tor-BSD mailing list
> Tor-BSD at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/tor-bsd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/tor-bsd/attachments/20141127/8e822e33/attachment.html>
More information about the Tor-BSD
mailing list