[Tor-BSD] OpenBSD pf rules...

Libertas libertas at mykolab.com
Wed Nov 26 20:38:17 EST 2014



Right. I was operating under the assumption that a subset of the
network's ORPorts was going to be chosen, as there are just so many.
Restricting outgoing connections to all of them (or a subset) seems
like security theater to me. It's quite possible that I'm missing
something, but I can't imagine a situation in which that would
significantly increase security.

Additionally, you'd have to make sure that whatever was remotely
fetching the ORPort data and updating the pf table didn't gum up the
firewall.

For context, I suddenly joined this conversation because I configured
a Tor exit node on OpenBSD today, including its pf.conf. I'm currently
allowing all outgoing connections, which the OpenBSD Freenode channel
supported.

On 11/26/2014 07:57 PM, teor wrote:
>> I was just thinking of outgoing port-specific filtering in terms
>> of the amount of complexity and overhead it adds, and the fact
>> that it makes one's relay a worse Tor citizen.
> 
> Libertas,
> 
> If you filter ports that Tor wants to connect on, then yes, it
> would make you a worse Tor citizen.
> 
> But if you get the port list to match your Exit Policy + Remote
> ORPorts, surely no-one would ever notice?
> 
> 
> teor pgp 0xABFED1AC hkp://pgp.mit.edu/ 
> https://gist.github.com/teor2345/d033b8ce0a99adbc89c5 
> http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx
>
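Added example (not part of the thread, and not code from either poster): what the table-driven approach teor describes looks like in pf terms, with the guard Libertas asks for so that a bad remote fetch cannot leave the firewall with an empty or half-loaded table. The table name `tor_orports`, the file path and the sample address list are assumptions constructed for the example; `table ... persist file` and `pfctl -t ... -T replace -f` are standard OpenBSD pf syntax.

```shell
#!/bin/sh
# Added example, not from the Tor-BSD thread. Validates a fetched ORPort
# address list before it is handed to pf, then replaces the table atomically
# so a garbage fetch leaves the previous table contents in place.
#
# Assumed pf.conf fragment (names are assumptions for this example):
#   table <tor_orports> persist file "/etc/pf/tor_orports"
#   pass out quick proto tcp to <tor_orports>
#
# With "-T replace" pf swaps the whole table in one operation; loading an
# empty file would silently cut off every outgoing relay connection.

# Accept only a plain dotted-quad IPv4 address with each octet 0-255.
# Anything else (comments, hostnames, host:port strings, junk) is rejected.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Read a fetched list on stdin, emit the validated, de-duplicated addresses.
filter_addrs() {
    while IFS= read -r line; do
        valid_ipv4 "$line" && printf '%s\n' "$line"
    done | sort -u
}

# Replace the running table only from a non-empty validated file.
# Needs root on OpenBSD; deliberately not invoked below.
replace_table() {
    table="$1"; file="$2"
    [ -s "$file" ] || { echo "refusing to load empty list into <$table>" >&2; return 1; }
    pfctl -t "$table" -T replace -f "$file"
}

# Constructed sample of a fetched list, including lines that must be dropped.
SAMPLE_LIST='# fetched ORPort list (constructed sample)
203.0.113.10
198.51.100.7:9001
relay.example
203.0.113.10
256.1.1.1
192.0.2.55'

# Stand-alone run: show what would be written to the table file.
# Real use: printf '%s\n' "$fetched" | filter_addrs > /etc/pf/tor_orports.new
#           && replace_table tor_orports /etc/pf/tor_orports.new
printf '%s\n' "$SAMPLE_LIST" | filter_addrs
```

The validation step is the point: the thread's objection is that a remote fetch feeding the firewall can break it, and "-T replace" on an empty or malformed file is exactly how that happens. Keeping the old table on any failure, and only ever loading a file that passed validation, turns a fetch failure into a stale-but-working table rather than a dead relay.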

