Re: Advanced traffic shaping with iptables?

2007-09-25 Thread Eugen Leitl
On Tue, Sep 25, 2007 at 07:41:27AM +0530, Strykar wrote:

 Burst bandwidth wouldn't hurt the network.
 
 If you want bandwidth shaping, I'd suggest using pf (Open/FreeBSD) for
 traffic shaping.
 iptables + tc never did the job for me and it's the reason I tried pf in the
 first place.
 
 Pf has incredibly legible syntax and reading the pf faq will get you up and
 running in no time.

You don't even have to read the syntax if you use pfSense. It does
come with a traffic shaper. You might have trouble buying WRAP
boards, but ALIX will be there any time now.

-- 
Eugen* Leitl <leitl> http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: Advanced traffic shaping with iptables?

2007-09-25 Thread Marco Bonetti
On Tue, September 25, 2007 02:32, Linus Lüssing wrote:
 My problem is, that I'm sharing the Bandwidth of my ADSL Internet
 connection (50KiB/s upload) with TOR and some other applications
I've a similar setup with a slightly better upload rate (64KB nominal) and
I don't use shaping at all. I've set up tor with 60KB/60KB bandwidth limits
and found they're ok.
The only real downside is online games (nexuiz), which suffer badly;
otherwise all other applications are ok.

ciao

-- 
Marco Bonetti
Slackintosh Linux Project Developer: http://www.slackintosh.org
Linux-live for powerpc: http://www.slackintosh.org/pub/rsync/mb/linux-live
My webstuff: http://sidbox.homelinux.org

My GnuPG key id: 0x86A91047



Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-25 Thread Ricky Fitz
On Tuesday, 25.09.2007, at 10:08 +0200, Marco Bonetti wrote:
 On Tue, September 25, 2007 09:54, Ricky Fitz wrote:
  To prevent any DNS-Leaks, I redirect all outgoing traffic to port 53 to
  the dns-proxy of Fabian Keil
 uhmmm another point of trust, why do you do so?
 you can run a torified dns resolver on your local box, see:
 http://p56soo2ibjkx23xo.onion/

Probably a misunderstanding. dns-proxy is a perl script, which of course
runs only locally. And it is the one which you can download on the site
you have written above ;-)

Regards,
Ricky.
-- 
If freedom means anything at all, it means the right to tell people
what they do not want to hear.
- George Orwell, from the afterword to Animal Farm, 1945 -

GPG-Fingerprint: 10D6 7B8F 1F7C 7CB1 2C4E 930E AFD2 FDF3 A10B D302
GPG-Key-ID: AFD2FDF3A10BD302
http://www.lawlita.com/pgp-schluessel/




Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-25 Thread Marco Bonetti
On Tue, September 25, 2007 10:50, Ricky Fitz wrote:
 Probably a misunderstanding. dns-proxy is a perl script, which of course
 runs only locally.
To sort things out, when you wrote I redirect all outgoing traffic to
port 53 to the dns-proxy of Fabian Keil, what do you mean:
a) traffic on port 53 is redirected to port 53 on F. Keil machine
b) traffic on port 53 is redirected to your local dns proxy, the same
referred by F. Keil blog post.

if (a), you're adding another ring to the trust chain and it's bad, if
(b) it should be ok.

 And it is the one, which you can download on the site
 you have written above ;-)
sorry, I haven't checked the link as it was written in a language I don't
understand :-P
(well, I should at least have clicked on it as some words here and there are
in english)

-- 
Marco Bonetti
Slackintosh Linux Project Developer: http://www.slackintosh.org
Linux-live for powerpc: http://www.slackintosh.org/pub/rsync/mb/linux-live
My webstuff: http://sidbox.homelinux.org

My GnuPG key id: 0x86A91047



Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-25 Thread TOR-Admin (gpfTOR1)
BlueStar88 wrote:
 or you may try the free SSL-service at

 http://cert.startcom.org/

 It is accepted by Mozilla browsers by default.
 
 Wow, was my first thought, a free certificate already integrated into
 current browsers, but where is the crux?
 
 What's about the StartCom-side private key generation issue?
 
   http://www.heise.de/english/newsticker/news/56808
 
 Tried yesterday, they're still doing it this way.
 Not the best approach, I think.

You may generate your own server certificate request on a Linux/Unix
system with OpenSSL. They will sign your request (ssl.csr); your private
key (ssl.key) does not leave your computer.

  # openssl genrsa -des3 -out ssl.key 1024
  # openssl req -new -key ssl.key -out ssl.csr

Use the wizard without CSR generation:

https://cert.startcom.org/?app=101

Is this way ok for you?


Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-25 Thread Ricky Fitz
On Tuesday, 25.09.2007, at 11:21 +0200, Marco Bonetti wrote:
 On Tue, September 25, 2007 10:50, Ricky Fitz wrote:
  Probably a misunderstanding. dns-proxy is a perl script, which of course
  runs only locally.
 To sort things out, when you wrote I redirect all outgoing traffic to
 port 53 to the dns-proxy of Fabian Keil, what do you mean:
 a) traffic on port 53 is redirected to port 53 on F. Keil machine
 b) traffic on port 53 is redirected to your local dns proxy, the same
 referred by F. Keil blog post.
 
 if (a), you're adding another ring to the trust chain and it's bad, if
 (b) it should be ok.

it is b. With dns-proxy of Fabian Keil I meant: dns-proxy (the
program, running locally) which is written by Fabian Keil. Sorry for the
confusion.

  And it is the one, which you can download on the site
  you have written above ;-)
 sorry, I haven't checked the link as it was written in a language I don't
 understand :-P
 (well, I should at least have clicked on it as some words here and there are
 in english)

Sorry, I did not think about that. ;-)

Ricky.





Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-25 Thread Fabian Keil
Ricky Fitz [EMAIL PROTECTED] wrote:

 To prevent any DNS-Leaks, I redirect all outgoing traffic to port 53 to
 the dns-proxy of Fabian Keil
 ( 
 http://www.fabiankeil.de/blog-surrogat/2006/06/08/von-kopf-bis-fuss-auf-tor-eingestellt.html
  ) 

I didn't write dns-proxy-tor, I merely created the FreeBSD port.

dns-proxy-tor was written by Tup. And while I don't know who's
behind this pseudonym, I'm quite confident that it isn't me.

Fabian




Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-25 Thread Marco Gruss

Hi,

BlueStar88 wrote:
 What's about the StartCom-side private key generation issue?

http://www.heise.de/english/newsticker/news/56808

 Tried yesterday, they're still doing it this way.
 Not the best approach, I think.
Err... just create your own secret key and a certificate request
(for example using OpenSSL's CA.sh -newreq), choose SSL Server
Certificate (Without CSR generation) on StartCom's web site,
copy/paste your CSR, whee, you get a signed cert without ever
revealing your secret key to StartCom.

Am I missing something?

Marco



Rejecting truncated ESTABLISH_INTRO cell warns

2007-09-25 Thread Roger Dingledine
Hi folks,

A number of server operators have been reporting seeing these lines
in their logs lately:

Sep 25 04:59:13.165 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 05:31:56.838 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 05:57:53.254 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 06:28:13.560 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 08:06:53.230 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 08:28:56.614 [warn] Rejecting truncated ESTABLISH_INTRO cell.
...

Two notes:

A) This is not a problem with your server, it's a problem with a Tor
client somewhere behaving in a way we didn't expect. So there's no need
to shut down your server, worry about security issues from this, etc. :)
If the warnings continue, we'll make them quieter in the next release.
Which leads me to:

B) Somewhere in the world somebody is working on a new implementation
of Tor hidden services, but it's currently making malformed requests
when trying to set up introduction circuits. Perhaps even somebody on
this list. Let us know if you need help making it work. ;)

--Roger
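An added triage helper for the warning lines above, written for this archive page and not code from Tor or from Roger's mail: it parses Tor's "Mon DD HH:MM:SS.mmm [level] message" log layout, counts warn/err messages, notes the hours they appear in, and flags the ESTABLISH_INTRO message as known-benign per the note above so an operator can tell it apart from warnings that still need a look. The sample log embedded in the block is constructed from the six lines in the mail plus two invented lines and the "..." continuation; the known-benign table is an assumption for illustration.

```python
import re
from collections import Counter, defaultdict

# Tor's default log line layout: "Mon DD HH:MM:SS.mmm [level] message"
LOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\.\d{3} "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)

# Assumed known-benign table (illustrative): the ESTABLISH_INTRO warning is
# caused by a remote client sending a malformed cell, not by the relay.
KNOWN_BENIGN = {
    "Rejecting truncated ESTABLISH_INTRO cell.":
        "malformed cell from a remote client; no action needed on the relay",
}

# Constructed sample: the six lines from the mail, two invented lines, and
# the "..." continuation marker.
SAMPLE_LOG = """\
Sep 25 04:59:13.165 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 05:31:56.838 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 05:57:53.254 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 06:28:13.560 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 08:06:53.230 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 08:28:56.614 [warn] Rejecting truncated ESTABLISH_INTRO cell.
Sep 25 08:30:00.000 [notice] Constructed example notice line (not a warning).
Sep 25 08:31:00.000 [warn] Constructed example warning that is not on the benign list.
...
"""


def parse_line(line):
    """Return {hour, level, msg} for a Tor log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "hour": f"{d['mon']} {d['day']} {d['hh']}:00",
        "level": d["level"],
        "msg": d["msg"],
    }


def triage(lines):
    """Count warn/err messages, record the hours they occur in, and mark
    which ones are on the known-benign list."""
    per_msg = Counter()
    per_hour = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["level"] not in ("warn", "err"):
            continue
        per_msg[rec["msg"]] += 1
        per_hour[rec["hour"]][rec["msg"]] += 1

    findings = []
    for msg, n in per_msg.most_common():
        findings.append({
            "message": msg,
            "count": n,
            "hours": sorted(h for h, c in per_hour.items() if msg in c),
            "known_benign": msg in KNOWN_BENIGN,
            "note": KNOWN_BENIGN.get(msg, "not on the known-benign list; investigate"),
        })
    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for f in report["findings"]:
        tag = "benign" if f["known_benign"] else "REVIEW"
        print(f"[{tag}] {f['count']:3d}x {f['message']}  hours={f['hours']}")
    print(f"unparsed lines: {report['unparsed']}")
```

Feed it `tor.log` lines instead of the sample to get the same summary for a real relay; anything not marked benign is what is left to look at.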



Re: Rejecting truncated ESTABLISH_INTRO cell warns

2007-09-25 Thread Marco Bonetti
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Roger Dingledine wrote:
 B) Somewhere in the world somebody is working on a new implementation
 of Tor hidden services, but it's currently making malformed requests
 when trying to set up introduction circuits. Perhaps even somebody on
 this list. Let us know if you need help making it work. ;)
right this morning I stumbled upon this site, while digging through
torstatus page: http://www.wikileaks.org/

http://www.wikileaks.org/wiki/Wikileaks:About has some interesting
information, especially:
http://www.wikileaks.org/wiki/Wikileaks:About#Have_you_made_any_modifications_to_Tor_to_ensure_security.3F_If_so.2C_what_are_they.3F

what do you think?

- --
Marco Bonetti
Slackintosh Linux Project Developer: http://www.slackintosh.org
Linux-live for powerpc: http://www.slackintosh.org/pub/rsync/mb/linux-live
My webstuff: http://sidbox.homelinux.org

My GnuPG key id: 0x86A91047
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG+VuRE3eWALCzdGwRAi6OAJkBdYCMtL0oRu1eu3xHOVm4lzQPEgCfRhzG
oYLc67pXWI63QxhdBOjwEhg=
=UBL7
-END PGP SIGNATURE-


Re: Advanced traffic shaping with iptables?

2007-09-25 Thread Linus Lüssing
 See http://archives.seul.org/or/talk/Aug-2007/msg00192.html
 for such a script. I've not tested it myself, so YMMV.
 
 the documentation on traffic shaping under linux is here:
 http://lartc.org/
 
 Cheers!
 
Thanks man, this script looks pretty much the way I've been looking 
for. Yep, the syntax of iptables+tc is really confusing, I tried to go 
through some tutorials before. But you seem to have posted a useful 
link, I'll have a look at it later.
Can you also tell me what the BOX_IP and TOR_IP parameters are good 
for? It has nothing to do with my own IP address, has it? Cause I've got 
a dynamic one...



 I've a similar setup with a slightly better upload rate (64KB nominal) and
 I don't use shaping at all. I've set up tor with 60KB/60KB bandwidth limits
 and found they're ok.
 The only real downside is online games (nexuiz), which suffer badly;
 otherwise all other applications are ok.
 
 ciao
 

Hmm, for me, it doesn't seem to work. Talks with VoIP hangs badly, while 
TOR is running too. I've always got to stop the process first (what is 
really annoying, cause I've got to connect over SSH to my 
mini-linux-server in the cellar first).

 If you want bandwidth shaping, I'd suggest using pf (Open/FreeBSD) for
 traffic shaping.
 iptables + tc never did the job for me and it's the reason I tried pf in the
 first place.
 
 Pf has incredibly legible syntax and reading the pf faq will get you up and
 running in no time.
Sounds good, but I don't want to move from Debian to Open/FreeBSD. I 
would have to set up all the apps again...



Thanks for the quick responses.
Greetz, Linus


[ANNOUNCE] Updated JanusVM for Sept. 2007

2007-09-25 Thread Kyle Williams
We are proud to announce that a new JanusVM has been released!  The amount of
feedback and response from users has been great!

JanusVM is in the October 2007 edition of PC World magazine!  We had no idea
that Erik Larkin of PC World was going to write an article about JanusVM
until new users notified us that they heard about JanusVM in the magazine.
Thank you Erik!
Here's the link to the article titled Evade Snoops by Cloaking Your
Internet Activity in Anonymity:
- http://www.pcworld.com/article/id,135993/article.html

Below is a list of updates in this month's release.
===
- Upgraded to kernel 2.6.22.3 tick-less scheduling
- Upgraded privoxy to v3.0.6 and latest rules
- Upgraded Tor to v0.2.0.6-alpha now using DNSPort
- Added support for direct transparent routing through NAT device
- Added openvpn client support (see ovpn/ dir in zip)
- Added private directory retrieval
- Blocked NetBIOS traffic from going over Tor.
===

It is highly recommended that everyone update for several reasons.

Enhancements in this release make Tor noticeably faster.  It isn't quite the
same as your broadband connection at home, but it's getting better.  There
was also a very important security update in Tor, but JanusVM users need not
worry about it since Tor's control port is bound to localhost inside the VM
and therefore is protected from potentially harmful exploits in either the
end-users applications or Tor itself.  Even the very first JanusVM that was
published over a year ago is still protecting Tor from being vulnerable to
this bug. Hence the power of virtualization.

We included the tick-less scheduling in the Linux kernel, which has
increased the speed of JanusVM by roughly a factor of Two on most systems.

As many of you know JanusVM was the first, and still is the only transparent
proxy for Tor in a VM.  We use a VPN from the host OS to JanusVM in order to
make this happen, but now there is a new option.  You can use JanusVM as
your router!  All that is required is for you to change your IP address
manually, and this will ensure absolutely that no exploit or zero-day attack
against your web browser, e-mail, or IM client will compromise your true IP
address.  Here's an example of the settings that would be used on your
machine to route all traffic through JanusVM.

IP: 10.10.20.2
Netmask: 255.255.255.0
Gateway: 10.10.20.1
DNS: 10.10.20.1

===
- JanusVM Checksums -
MD5: eae0f7c0eddb32df39569c1470c1881f
SHA1: 81bb5207270085c3cd216ce8fbdfc79f93bdd679
http://janusvm.peertech.org/JanusVM-17-sep-2007.zip

- JanusVM LIVE Checksums -
MD5: e88598c154ecd71e09f84994b2796534
SHA1: 3304e0c7e02c82dc7723a7f3074e17bb3ce1b4c2
http://janusvm.peertech.org/JanusVMLive-17-sep-2007.zip
===
I get asked at least twice a week what the difference between JanusVM and
JanusVM Live, so let me explain it again for those of you who don't know.
JanusVM Live loads the entire image into RAM (requires 180MB free).
JanusVM Live does NOT save any changes that are made while you use it.
So if you create a new VPN user and reboot JanusVM Live, your user account
will be gone and you will have to recreate it.
The same goes for any log files that are created during usage.  Basically,
JanusVM Live is for users that want to be 100% sure that all their actions
are not logged when they are finished using JanusVM.  Nothing is saved when
you shut down the LIVE version and everything goes back to a default state
when you use it next time.

Enjoy!


www.JanusVM.com http://www.janusvm.com/


Re: Advanced traffic shaping with iptables?

2007-09-25 Thread tor-op
Hi,

On Tue, Sep 25, 2007 at 11:30:57PM +0200, Linus Lüssing wrote:
 
 See http://archives.seul.org/or/talk/Aug-2007/msg00192.html
 for such a script. I've not tested it myself, so YMMV.
 
 the documentation on traffic shaping under linux is here:
 http://lartc.org/
 
 Thanks man, this script looks pretty much the way I've been looking 
 for. Yep, the syntax of iptables+tc is really confusing, I tried to go 
 through some tutorials before. But you seem to have posted a useful 
 link, I'll have a look at it later.

It is probably a good start point.

 Can you also tell me what the BOX_IP and TOR_IP parameters are good 
 for? It has nothing to do with my own IP address, has it? Cause I've got 
 a dynamic one...

It looks like the script needs Tor to run on a virtual address.
This could be done by adding another address to your default interface

# ifconfig eth0:0 10.11.12.13

and use that address in your tor config.

You should probably contact the author directly if you have problems getting
that particular script to work. As for iptables or tc related questions,
they should probably be asked on their respective mailing-lists.

Regards


 
 I've a similar setup with a slightly better upload rate (64KB nominal) and
 I don't use shaping at all. I've set up tor with 60KB/60KB bandwidth limits
 and found they're ok.
 The only real downside is online games (nexuiz), which suffer badly;
 otherwise all other applications are ok.
 
 ciao
 
 Hmm, for me, it doesn't seem to work. Talks with VoIP hangs badly, while 
 TOR is running too. I've always got to stop the process first (what is 
 really annoying, cause I've got to connect over SSH to my 
 mini-linux-server in the cellar first).
 If you want bandwidth shaping, I'd suggest using pf (Open/FreeBSD) for
 traffic shaping.
 iptables + tc never did the job for me and it's the reason I tried pf in 
 the
 first place.
 
 Pf has incredibly legible syntax and reading the pf faq will get you up and
 running in no time.
 Sounds good, but I don't want to move from Debian to Open/FreeBSD. I 
 would have to set up all the apps again...
 
 
 Thanks for the quick responses.
 Greetz, Linus
 




Exit enclaves and FQDNs

2007-09-25 Thread Gregory Maxwell
I'm working on setting up a number of nodes as exit enclaves. If I use
a normal socks4 client (resulting in local DNS resolution) it works
exactly as I would expect: All traffic to the exit host uses the exit
host local tor node.

If instead I use a client with privoxy and socks4a with DNS resolution
performed via tor I find that the *first* request to the FQDN of my
exit host uses some random exit. After that my tor client appears to
have cached the result and all further http accesses are via the local
exit.

Because this first request doesn't use the exit enclave it
reintroduces a loss of end-to-end encryption and the risk of malicious
exits. While one connection isn't so bad... for http a malicious exit
could respond with a redirect to a proxy they control.

Am I missing some aspect of the configuration which removes this vulnerability?
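The difference between the two client setups above (plain socks4 with local DNS resolution, versus socks4a with the name handed to Tor), which is also the DNS-leak concern in the tor-proxy.net thread earlier on this page, comes down to what the CONNECT request carries. The following Python block is an added example written for this page, not code from Tor, privoxy or any poster: it builds both request forms on the wire, and parses a request to report whether the proxy received an IP (so the client's own resolver was already asked) or a hostname (so the proxy resolves it). All hostnames, IPs and ports in it are constructed, and the 0.0.0.1 marker byte is the SOCKS4a convention of an invalid IP with a nonzero last octet.

```python
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1


def build_socks4_connect(ip, port, userid=b""):
    """Plain SOCKS4 CONNECT: VN, CD, DSTPORT, DSTIP, USERID, NUL.
    The caller must already hold an IP address, which means the name
    lookup happened on the client, outside the proxy (the leak)."""
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
    return header + ipaddress.IPv4Address(ip).packed + userid + b"\x00"


def build_socks4a_connect(hostname, port, userid=b""):
    """SOCKS4a CONNECT: DSTIP is 0.0.0.x with x != 0 and the hostname
    follows the userid, so the proxy (e.g. Tor) does the resolution.
    Hostnames are assumed to be plain ASCII labels here."""
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
    marker = b"\x00\x00\x00\x01"  # any 0.0.0.x with x != 0 signals SOCKS4a
    return header + marker + userid + b"\x00" + hostname.encode("ascii") + b"\x00"


def parse_connect(request):
    """Decode a SOCKS4/4a CONNECT and say who resolved the destination name."""
    if len(request) < 9:  # 4 header bytes + 4 IP bytes + terminating NUL
        raise ValueError("request too short for a SOCKS4 CONNECT")
    vn, cd, port = struct.unpack("!BBH", request[:4])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    ip_field = request[4:8]
    userid, sep, tail = request[8:].partition(b"\x00")
    if not sep:
        raise ValueError("userid is not NUL-terminated")
    # SOCKS4a is recognised purely by the 0.0.0.x marker; a client that
    # really meant to connect to 0.0.0.x cannot express that in SOCKS4.
    if ip_field[:3] == b"\x00\x00\x00" and ip_field[3] != 0:
        hostname, sep2, _ = tail.partition(b"\x00")
        if not sep2 or not hostname:
            raise ValueError("SOCKS4a request carries no hostname")
        return {"variant": "socks4a", "port": port, "host": hostname.decode("ascii"),
                "ip": None, "userid": userid, "resolved_by": "proxy"}
    return {"variant": "socks4", "port": port, "host": None,
            "ip": str(ipaddress.IPv4Address(ip_field)), "userid": userid,
            "resolved_by": "client"}


def lookup_leaks(request):
    """True when the request shows the client resolved the name itself."""
    return parse_connect(request)["resolved_by"] == "client"


if __name__ == "__main__":
    # Constructed destinations; 192.0.2.0/24 is the documentation range.
    for req in (build_socks4_connect("192.0.2.10", 443, b"user"),
                build_socks4a_connect("exit-enclave.example", 80)):
        info = parse_connect(req)
        print(f"{info['variant']}: resolved by {info['resolved_by']}, "
              f"leaks lookup = {lookup_leaks(req)}, bytes = {req.hex()}")
```

Pointing this parser at a captured request on the proxy port is a quick way to confirm which variant an application actually emits, independent of what its settings dialog claims.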