[Tor-BSD] OpenBSD pf rules...

teor teor2345 at gmail.com
Tue Nov 25 20:20:20 EST 2014

> On 26 Nov 2014, at 11:13, Seth <list at sysfu.com> wrote:
>> On Tue, 25 Nov 2014 14:28:09 -0800, George Rosamond <george at ceetonetechnology.com> wrote:
>> The only thing I'd throw in for Christopher is that you don't need all
>> those tor_or_ports and tor_exit_ports defined if you're not an exit...
>> rather, it would just be your ORPort.
> Indeed.
> Regarding OPPorts, doing proper egress filtering them is problematic. The port numbers are in constant flux. Do do it right you'd want to implement dynamic ORPort list fetching and processing in order to keep them up to date.
> My bonehead method was:
> * download a .csv file of router info and ORPorts from torstatus.info
> * use LibreOffice calc to isolate ORPorts, dedup, and export again as a text file
> * Dump text file data into tor_or_ports pf.conf macro
> Ideally there would be a way to allow outbound TCP connections to any ORPort if the target is another Tor node. A PF table of Tor node IP addresses could be created that was automatically updated once a day for example.

You could grep/cut the relay lines from tor's cached consensus file to achieve this - it is plain text in a well-defined format.
You could use the IP/Port pairs, or a unique list of ports.

There are approximately 7000 IP/Port entries in the consensus, so a global permit for the 10 most common ports may speed things up at the cost of some security. This list starts: 9001, 443, …

pgp 0xABFED1AC

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/tor-bsd/attachments/20141126/154ffeb8/attachment.html>

More information about the Tor-BSD mailing list