Gilles wrote:
On Thu, 12 Mar 2009 10:42:53 +0100, Andreas Rudisch <"cyb."@gmx.net>
wrote:
/usr/ports/security/tor/


Thanks Andreas. Up to now, I only used the Tor client for Windows that
comes with Privoxy, so never used Tor as-is, and never on the command
line.

If someone's used to using Tor, I have a couple of questions. On
FreeBSD, I intend to use it to run a Python script to connect to a
remote web server and download pages.

Do I need to start the Tor server? Do I need a web proxy like Privoxy,
or is the Tor client enough? How do I set things up so my Python script
connects to Tor?

As with all things BSD, the tor server potential is a lot more valuable than its tor user potential. All the user gadgets (Vidalia, Privoxy, etc.) are very fallible. As long as your machine has a routable connection to the internet, your machine can be tricked into revealing its IP, in sooo many ways. I realize this is only some minor corporate espionage, but bad practice is bad practice. Don't feel safe with it.

You want a transparent tor proxy, which you set up with FreeBSD and pf.

You set up a separate LAN with any number of machines (virtual machines?), all using the tor server as their default gateway and DNS server. To the client machines, all they see is 100% normal internet traffic. They don't need tor, Vidalia, Privoxy or any other gizmos. It's completely transparent. Bear in mind, anything not encrypted is exposed to the exit router and everything else it normally would be.

If you google Tor Transparent Proxy, this should be your first link:
https://wiki.torproject.org/noreply/TheOnionRouter/TransparentProxy
Half way down they have the BSD / pf setup.

Things not mentioned there (quite a few actually):
You do not want to run tor as root, which unfortunately takes some tweaking to run properly as the default _tor user.
Yes, you want to "start tor" automatically on boot with rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
tor_enable="YES"

You want routing disabled, you're actually doing redirection through pf, not routing.
In pf.conf you want, at least:
int_if = "em1"        # placeholder: the interface facing the private LAN (not in the original)
trans_port = "9040"
transdns_port = "53"
set skip on lo
scrub in
rdr pass on $int_if inet proto tcp to !($int_if) -> 127.0.0.1 port $trans_port
rdr pass on $int_if inet proto udp to port domain -> 127.0.0.1 port $transdns_port

You need to set group ownership on /dev/pf to _tor and set suitable permissions, or sort this out somehow. The _tor user needs access to /dev/pf.
And put this in devfs.conf so it survives a reboot.
own     pf      root:_tor
perm    pf      0660

You need to set net.inet.ip.portrange.reservedlow=54 or use some other method to allow the _tor user to bind to privileged ports.
And put this in sysctl.conf so it survives a reboot.
Obviously you should also run tor in a jail, but I'm not going to detail that.

I had some bugginess with port binding, so I found it works best if you state them explicitly, like so, in /usr/local/etc/tor/torrc

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.0.1:9040
TransListenAddress 127.0.0.1:9040
DNSPort 53
DNSListenAddress 192.168.0.1:53
DNSListenAddress 127.0.0.1:53
RunAsDaemon 1
ControlPort 9051

Where 192.168.0.1 is the tor server's IP address on the interface being provided to the private LAN that will use it as their default gateway. Note also that if you try to set a ControlListenAddress without authentication set up, it will close all Control Ports on startup. So just leave it local. If it's not obvious, yes, it's assumed you have a 2nd interface with a valid IP connected to a LAN that has a route to the internet.

A major thing lacking is a command line tor control utility. And this is important. Sometimes you get crappy circuits, sometimes you get a hacker who is trying to SSL / SSH M-i-t-M you.
You need to be able to flush the router and grab new circuits on demand.
I just enable the control port locally and telnet to it.
To get new circuits, on the control port (assuming you haven't set any authentication):

AUTHENTICATE
SIGNAL NEWNYM

Then flush pf:
pfctl -F all

pftop is nice for watching your tor circuits (in ports).
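Since the original question was about driving Tor from a Python script, here is the control-port exchange from the reply (AUTHENTICATE, SIGNAL NEWNYM, then QUIT) as a small Python client, plus a multi-line GETINFO reply so the reply parser is exercised. This is an added example, not code from the thread; it assumes ControlPort 9051 on 127.0.0.1 as in the torrc above and, like the reply, no control-port authentication (the optional password argument is for a Tor configured with HashedControlPassword). The fake_control_port function is a constructed stand-in for Tor's control port so the script runs offline; it is not Tor and speaks only the handful of commands used here.

```python
import socket
import threading


def read_reply(f):
    """Read one reply: lines are '<3 digits><sep><text>', sep '-' means more
    lines follow, ' ' marks the final line. Returns (status code, [text lines])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("control port closed the connection")
        line = raw.rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ValueError("malformed reply line: %r" % line)
        lines.append(line[4:])
        if line[3] == " ":
            return int(line[:3]), lines


class TorControl:
    """One authenticated control-port session (no password, as in the reply)."""

    def __init__(self, host, port, password=None):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.f = self.sock.makefile("rw", encoding="ascii", newline="")
        cmd = "AUTHENTICATE"
        if password is not None:  # only if torrc has HashedControlPassword
            cmd += ' "%s"' % password.replace("\\", "\\\\").replace('"', '\\"')
        code, lines = self.command(cmd)
        if code != 250:  # e.g. 515 Authentication failed
            self.close(send_quit=False)
            raise PermissionError("authentication refused: %d %s" % (code, lines[0]))

    def command(self, line):
        self.f.write(line + "\r\n")
        self.f.flush()
        return read_reply(self.f)

    def new_identity(self):
        """SIGNAL NEWNYM asks for fresh circuits; pf state is flushed separately."""
        return self.command("SIGNAL NEWNYM")[0] == 250

    def version(self):
        code, lines = self.command("GETINFO version")  # multi-line reply
        hits = [t[len("version="):] for t in lines if t.startswith("version=")]
        return hits[0] if code == 250 and hits else None

    def close(self, send_quit=True):
        if send_quit:
            self.command("QUIT")
        self.f.close()
        self.sock.close()


def fake_control_port(expected_password=None):
    """Constructed stand-in for Tor's control port (NOT Tor) on a random
    loopback port; answers only the commands used above."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        f, authed = conn.makefile("rw", encoding="ascii", newline=""), False
        for raw in iter(f.readline, ""):
            verb, _, arg = raw.rstrip("\r\n").partition(" ")
            if verb == "AUTHENTICATE":
                authed = (arg[1:-1] if arg.startswith('"') else None) == expected_password
                reply = "250 OK" if authed else "515 Authentication failed (constructed)"
            elif not authed:
                reply = "514 Authentication required."
            elif (verb, arg) == ("SIGNAL", "NEWNYM"):
                reply = "250 OK"
            elif (verb, arg) == ("GETINFO", "version"):
                reply = "250-version=0.0.0-constructed\r\n250 OK"
            else:
                reply = "250 closing connection" if verb == "QUIT" else "510 Unrecognized command"
            f.write(reply + "\r\n")
            f.flush()
            if verb == "QUIT":
                break
        f.close()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    tc = TorControl("127.0.0.1", fake_control_port())  # real Tor: TorControl("127.0.0.1", 9051)
    print(tc.new_identity(), tc.version())
    tc.close()
```

Against a real Tor you would construct TorControl("127.0.0.1", 9051) instead of the constructed server, then run pfctl -F all after new_identity() exactly as the reply says, since NEWNYM only affects new circuits and the pf state table still holds the old redirected connections. The client reads the status code of every reply rather than assuming success, which is how you notice a 515 (authentication refused) or a 514 (command sent before AUTHENTICATE) instead of silently keeping the old circuits.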
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
