Tony Nguyen wrote:
>
> Wyllys,
>
> With the integration of 2008/580 Solaris host-based firewall, the new
> tor service, with some small changes, can provide fine-grained access
> control to its service and be consistent with existing services. Since
> tor defines listening ports in a configuration file, similar to ssh, you
> can see network/ssh for example. I'm happy to work with you offline to
> figure this out.
Tor listens on either 1 or 2 ports, 9001/tcp + (optionally) a SOCKS port (9050/tcp by default). In relay mode, it then just routes the data onto the next Tor node somewhere out on the internet. It can be allowed to be an "exit" point, which means that the Tor relay will route the connection to its proper endpoint (website, IRC server, etc.) instead of another Tor node, but the "exit policy" is defined in the torrc config file. The exit policy statement in the torrc config file determines the services that Tor may connect to. If the host firewall blocks the ports before they get to Tor, then the users are simply told that those destinations are down.

This is from the torrc.sample file regarding exit policy configuration:

...
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
...

Are you suggesting just adding some firewall_context properties to the smf profile similar to ssh? That sounds reasonable if you think it makes sense here. I would prefer to NOT modify any of the actual Tor code as that makes it harder to resync later.

> Services with no explicit firewall configuration, by default, will
> inherit the global firewall policy which may not always be the desired
> behavior.

If the global firewall policy is to block ports that Tor would either be listening to or talking to, then Tor would just report that to the remote user as an error or an unavailable service.

-Wyllys
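The point of the torrc.sample comment quoted above is that the ExitPolicy and the host firewall have to agree, or Tor users are told that a destination is down when it is really the relay's firewall dropping the connection. The script below is an added example written for this thread; it is not Tor code and not part of the proposed tor SMF service. It parses the ExitPolicy syntax shown in the excerpt (accept|reject ADDR[/MASK]:PORT|LO-HI|*, comma separated, first match wins), compares it against a list of outbound port ranges the host firewall blocks, and prints the reject entries that would make the policy reflect the firewall. The firewall block list, the probe address 203.0.113.10 and the policy text are constructed sample data; the checker is IPv4 only, and it assumes a destination matched by no entry is accepted (i.e. that the policy ends in accept *:*).

```python
"""Cross-check a Tor ExitPolicy against the host firewall's outbound blocks.

Added example for this thread; it is not Tor code and not part of the tor SMF
service. It parses the ExitPolicy syntax shown in the torrc.sample excerpt
(accept|reject ADDR[/MASK]:PORT|LO-HI|*, comma separated, first match wins),
reports ports the policy would still accept although the host firewall blocks
them, and prints the 'reject' entries that make the policy reflect the
firewall. Assumptions: IPv4 only, and an unmatched destination counts as
accepted, i.e. the policy is taken to end in 'accept *:*'.
"""
import ipaddress
from typing import Iterable, List, Tuple

# One parsed entry: (is_accept, network, port_lo, port_hi)
Entry = Tuple[bool, ipaddress.IPv4Network, int, int]
PortRange = Tuple[int, int]


def parse_port_spec(spec: str) -> PortRange:
    """'*' -> (1, 65535); '80' -> (80, 80); '6660-6667' -> (6660, 6667)."""
    if spec == "*":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo_i, hi_i


def parse_exit_policy(text: str) -> List[Entry]:
    """Parse every uncommented 'ExitPolicy ...' line of a torrc fragment, in order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment, as in torrc
        key, _, value = line.partition(" ")
        if key != "ExitPolicy":
            continue
        for item in value.split(","):
            action, _, target = item.strip().partition(" ")
            if action not in ("accept", "reject"):
                raise ValueError(f"bad ExitPolicy entry {item!r}")
            addr, _, ports = target.rpartition(":")
            net = ipaddress.IPv4Network("0.0.0.0/0" if addr == "*" else addr, strict=False)
            lo, hi = parse_port_spec(ports)
            entries.append((action == "accept", net, lo, hi))
    return entries


def exit_allowed(policy: List[Entry], dest_ip: str, dest_port: int) -> bool:
    """First matching entry decides; no match -> accept (assumed 'accept *:*' tail)."""
    ip = ipaddress.IPv4Address(dest_ip)
    for is_accept, net, lo, hi in policy:
        if ip in net and lo <= dest_port <= hi:
            return is_accept
    return True


def exit_policy_gaps(policy: List[Entry], fw_blocked: Iterable[PortRange],
                     probe_ip: str = "203.0.113.10") -> List[int]:
    """Ports the policy accepts toward probe_ip while the firewall blocks them.

    probe_ip is a documentation-range address standing in for 'any public
    destination' (assumption); address-specific entries are evaluated against it.
    """
    blocked = list(fw_blocked)
    return [p for p in range(1, 65536)
            if any(lo <= p <= hi for lo, hi in blocked)
            and exit_allowed(policy, probe_ip, p)]


def suggest_rejects(ports: List[int]) -> str:
    """Collapse sorted ports into one 'ExitPolicy reject ...' line to put first in torrc."""
    if not ports:
        return ""
    ranges: List[PortRange] = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p != prev + 1:
            ranges.append((start, prev))
            start = p
        prev = p
    ranges.append((start, prev))
    return "ExitPolicy " + ",".join(
        f"reject *:{a}" if a == b else f"reject *:{a}-{b}" for a, b in ranges)


if __name__ == "__main__":
    # Constructed sample: the operator allowed IRC exits, but the host firewall
    # (hypothetical ruleset) blocks outbound SMTP, NNTP and the IRC port range.
    TORRC = "ExitPolicy accept *:6660-6667,reject *:25,accept *:*\n"
    FW_BLOCKED_OUTBOUND = [(25, 25), (119, 119), (6660, 6667)]
    gaps = exit_policy_gaps(parse_exit_policy(TORRC), FW_BLOCKED_OUTBOUND)
    print("accepted by policy but blocked by firewall:", gaps)
    print("put first in torrc:", suggest_rejects(gaps))
```

The suggested line is meant to go before the operator's other ExitPolicy entries, since Tor takes the first matching entry; with it in place the relay advertises the rejects in its descriptor and clients pick a different exit instead of reporting the destination as down.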