[Tor-BSD] OpenBSD pf rules...

teor teor2345 at gmail.com
Wed Nov 26 19:55:15 EST 2014


> 1.  blocking what shouldn't be listening, assuming "block" is high up in
> your ruleset.  I have a box where localhost was at 127.0.0... other than
> .1.  Therefore, a hidden service wasn't hidden.


George,

Is this a bug in tor where it only considers 127.0.0.1 local?
Or a configuration bug in the hidden service torrc?
Or something else?


teor
pgp 0xABFED1AC
hkp://pgp.mit.edu/
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx



> On 27 Nov 2014, at 8:28, George Rosamond <george at ceetonetechnology.com> wrote:
> 
> Libertas:
>> I'm very new to packet filters and firewalls, but I'm wondering how
>> much security this really offers. I feel like allowing a large,
>> dynamically updated list of outgoing ports probably doesn't do much as
>> compared to just allowing everything. Can anyone give an example case
>> in which this would help?
> 
> Some people think that's a "stupid question", but I think host-based
> firewalls are something to consider the costs/benefits of.
> 
> The reality is that if a port isn't listening, then no one can connect
> to it.  And if something is listening, it probably is serving something.
> 
> The starting point should always be, IMHO, to netstat or sockstat the
> box.  Should every port that is listening or maintaining connections be
> doing it?
> 
> There's a bunch of things that apply to pf and firewalls in general.
> Here's a start...
> 
> 1.  blocking what shouldn't be listening, assuming "block" is high up in
> your ruleset.  I have a box where localhost was at 127.0.0... other than
> .1.  Therefore, a hidden service wasn't hidden.
> 
> 2.  effectively dropping traffic to listening ports you don't want, such
> as bad synfin packets or say, netblocks/IPs you don't want to connect.
> 
> 3.  rate limiting connections, most commonly on SSHD, which also deals
> with light-weight denial of service attacks (conscious or not)
> 
> 4.  fancy stuff like opening a dynamic port like obfsproxy requires with
> macros :)
> 
> I could continue, but that's a decent start.
> 
> g
> _______________________________________________
> Tor-BSD mailing list
> Tor-BSD at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/tor-bsd
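Added example (not posted by anyone in this thread, and not Tor project code): a small sh script that does George's "sockstat the box first" step and then emits a pf.conf covering his four points. It assumes the FreeBSD/OpenBSD `sockstat -4 -l` column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN), an external interface called em0, an obfsproxy bridge port of 4492, and a hidden-service backend on loopback port 8080; all of those, and the sockstat sample itself, are constructed for the example. The ruleset uses OpenBSD pf syntax and should be checked with `pfctl -nf` before loading.

```shell
#!/bin/sh
# Constructed sample of "sockstat -4 -l" output; not captured from a real box.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812    4 tcp4   *:22                  *:*
_tor     tor        1033   7 tcp4   127.0.0.1:9050        *:*
www      httpd      1201   3 tcp4   127.0.0.2:8080        *:*
root     ntpd       640    5 udp4   *:123                 *:*
_tor     obfsproxy  1044   9 tcp4   *:4492                *:*
root     rpcbind    500    6 tcp4   *:111                 *:*'

# proto:port pairs that are allowed to listen on a non-loopback address (assumed policy).
ALLOWED_PUBLIC='tcp:22 udp:123 tcp:4492'

# audit_listeners ALLOWLIST  < sockstat-output
# Classifies every listening socket: loopback-bound ones are reported as such
# (a hidden service backend belongs there), public ones are "allowed" if the
# proto:port is in the allowlist and "UNEXPECTED" otherwise.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                       # skip the column header
    {
        proto = substr($5, 1, 3)           # tcp4/udp6 -> tcp/udp
        addr  = $6
        port  = addr; sub(/.*:/, "", port)
        host  = addr; sub(/:[^:]*$/, "", host)
        key   = proto ":" port
        if (host ~ /^127\./)
            printf "loopback %s %s %s\n", $2, proto, addr
        else if (key in ok)
            printf "allowed %s %s %s\n", $2, proto, addr
        else
            printf "UNEXPECTED %s %s %s\n", $2, proto, addr
    }'
}

# gen_pf_conf EXT_IF OBFS_PORT  -> prints an OpenBSD pf.conf on stdout
gen_pf_conf() {
    ext_if="$1"
    obfs_port="$2"
    cat <<EOF
# Example pf.conf (assumed values); check with: pfctl -nf /etc/pf.conf
ext_if = "$ext_if"
obfs_port = "$obfs_port"        # 4. obfsproxy port lives in a macro: one edit moves it
table <bruteforce> persist

set skip on lo0
match in all scrub (no-df random-id)

# 2. drop bad flag combinations before any pass rule can see them
block in quick on \$ext_if proto tcp flags FS/FS    # SYN+FIN
block in quick on \$ext_if proto tcp flags /SFRA    # null scan
block in quick from <bruteforce>

# 1. default deny: a port that is listening but not opened below is unreachable
block all

# 3. SSH rate limit: 5 new connections per 30s per source, or 10 concurrent,
#    tables the source and flushes all of its states
pass in on \$ext_if proto tcp to (\$ext_if) port 22 keep state (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# obfsproxy bridge port
pass in on \$ext_if proto tcp to (\$ext_if) port \$obfs_port

# 1. hidden service backend (assumed port 8080) is reached by tor over lo0 only;
#    redundant under "block all", kept explicit so it survives later pass rules
block in quick on \$ext_if proto tcp to any port 8080

pass out on \$ext_if
EOF
}

# Stand-alone run: audit the sample, then print the generated ruleset.
printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners "$ALLOWED_PUBLIC"
gen_pf_conf em0 4492
```

Against the constructed sample the audit flags rpcbind on *:111 as UNEXPECTED and reports httpd on 127.0.0.2:8080 as loopback-bound, which is the kind of listener that only stays hidden while the block-by-default rule and `set skip on lo0` keep it reachable from lo0 alone.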