-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Fick wrote:
> --- Kyle Williams <[EMAIL PROTECTED]> wrote:
>> On Nov 8, 2007 8:53 AM, Martin Fick
>>> On Wed, Nov 07, 2007 at 08:20:37AM -0800, Martin Fick wrote:
>>>> My home router offers an http administration console on port 80
>>>> which for obvious security reasons is normally only accessible
>>>> from the internal facing side of the router. While many of these
>>>> home routers typically have an internal private IP such as
>>>> 192.168.1.1 and an external public IP, they sometimes respond to
>>>> both IPs from the inside and sometimes they even allow access to
>>>> the administration console on the external IP if it is accessed
>>>> from the internal side of the router (mine does). This would not
>>>> normally be a problem, but add a tor exit server to the inside of
>>>> a home network serviced by such a router and ...you can probably
>>>> guess where I am going with this.
>
> ...
>
>>> --- Ruben Garcia <[EMAIL PROTECTED]> wrote:
>>>> Perhaps it might be possible to tell tor about the router's NAT
>>>> policy so that if the router is supposed to port forward the
>>>> external request to <ipA>:<portA>, tor does it itself.
>>>> That way, the problematic
>>>>
>>>> host->tor->tor->your host tor->router->your host web
>>>>
>>>> can become
>>>>
>>>> host->tor->tor->your host tor->your host web
>>>>
>>>> (This requires some changes to the torrc and tor source, so I'd
>>>> like to add it to the feature request list in case somebody has
>>>> free time)
>>
>> That would be a hidden service. Tor already does that.
>> What we are talking about is secure defaults for exit nodes.
>
> No, I think you may have misunderstood the suggestion, I had to
> read it twice too. :)
>
> Perhaps I can try illustrating this better.
>
> To start with we have website W hosted on internal private IP P
> (192.168.1.2) forwarded to the world by a NATting router with
> internal IP GW (192.168.1.1) at external IP E. Anyone on the
> outside can (and is supposed to be able to!) get to web site W by
> accessing E, not P, with or without tor.
>
> 1) Site (W) [P]<--- NAT [E]<---- Internet (anyone)
>
> But with or without tor no-one can actually get to W from the
> intranet, I, on external IP E since the router intercepts that IP,
> E, and presents its admin console A on E.
>
> So, instead of seeing this:
>
> 2) Client [I]--->[E] Router
>    Site (W) [P]<--- Router
>
> intranet clients get:
>
> 3) Client [I]--->[E] Router Admin Console (A)
>
> Now, add an internal tor exit relay on the inside of the firewall
> trying to legitimately get to W on E (similar to 1):
>
> 4) Tor <--- Router <---- Internet (anyone)
>    Tor --->[E] Router
>    Site (W) [P] <--- Router
>
> Note: they are not trying to illegitimately access W at P, but at
> legitimate E! Instead they end up more like (3):
>
> 5) Tor <--- Router <---- Internet (anyone)
>    Tor --->[E] Router Admin console (A)
>
> The suggested fix, instead of simply barring E in the exit policy
> (since it is a legitimate endpoint), is to spoof E with P
> internally to tor!
>
> 6) Tor <------------- Router <---- Internet (anyone)
>    Tor --->[P] Site (W)
>
> Yes, this is somewhat similar to a hidden service because we are
> accessing a web site, W, on the inside of the intranet, but that
> site is supposed to be accessed from the outside; we are simply
> bypassing the obstructed trip to the internal router hoping to
> just be NATted and bounced back to P (4). The original scenario (4),
> which is impossible because of (5), would have done the same thing
> as (6) just by a different route!
>
> Does that make more sense and sound reasonable?
>
> -Martin

This is exactly what I meant. Sorry my message was too compressed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHNDB+jJvgg3iy84QRAjv4AJ4rsL1Ax7PN35/4Pao8NruuRedudwCfUU4r
DCnnD8QtI/P0G1b7YKwHYDM=
=BTho
-----END PGP SIGNATURE-----
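The hairpin problem Martin diagrams (scenarios 1, 5 and 6) and the exit-side rewrite Ruben proposes, modelled as an added example. This is constructed illustration code written for this page, not Tor code and not from any participant in the thread; no torrc option of this kind is claimed to exist. It assumes an RFC 5737 documentation address for the router's external IP E (the thread gives none), a single port forward E:80 -> P:80 as the thread implies, and all class and function names are my own. One extension beyond the thread, labelled in the code: a port on E that the router does not forward is refused by the fixed exit, since from inside the LAN such a connection can only reach the router's own services.

```python
"""Model of the NAT hairpin problem from the thread and the proposed exit-side fix.

Constructed example, not Tor code. Names follow Martin's diagrams:
  P  = 192.168.1.2  internal host running web site W
  GW = 192.168.1.1  the router's internal IP, where admin console A listens on port 80
  E  = the router's external IP (assumed value below; the thread gives none)
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, tcp port)

P = "192.168.1.2"
GW = "192.168.1.1"
E = "203.0.113.10"        # assumption: RFC 5737 documentation address standing in for E
OTHER = "198.51.100.5"    # assumption: some unrelated site on the Internet

# The router's port-forwarding table: external port -> (internal host, port).
# The thread implies exactly one entry: E:80 is forwarded to W at P:80.
FORWARDS: Dict[int, Endpoint] = {80: (P, 80)}


class Router:
    """Home NAT router that answers for E itself when addressed from the inside."""

    def __init__(self, external_ip: str, internal_ip: str, forwards: Dict[int, Endpoint]):
        self.external_ip = external_ip
        self.internal_ip = internal_ip
        self.forwards = forwards

    def deliver(self, dst: Endpoint, from_inside: bool) -> Endpoint:
        """Where a TCP connection to `dst` actually lands after passing the router."""
        ip, port = dst
        if ip != self.external_ip:
            return dst                                   # ordinary routed traffic
        if from_inside:
            # No hairpin NAT: the router intercepts E and serves it locally, so E:80
            # from the LAN reaches admin console A at GW:80, not W (scenarios 3 and 5).
            return (self.internal_ip, port)
        # From the Internet the forwarding table applies (scenario 1); ports that
        # are not forwarded terminate on the router itself.
        return self.forwards.get(port, (self.external_ip, port))


ROUTER = Router(E, GW, FORWARDS)


def naive_exit(dst: Endpoint, router: Router = ROUTER) -> Endpoint:
    """An exit relay inside the LAN connecting to `dst` exactly as requested (4 -> 5)."""
    return router.deliver(dst, from_inside=True)


def rewrite_for_exit(dst: Endpoint, router: Router) -> Optional[Endpoint]:
    """Ruben's proposal: the exit applies the router's forwarding table itself, so
    E:80 becomes P:80 (scenario 6). Extension not in the thread: a port on E that
    is *not* forwarded is refused (None), since from inside it can only reach the
    router's own services."""
    ip, port = dst
    if ip != router.external_ip:
        return dst
    return router.forwards.get(port)


def fixed_exit(dst: Endpoint, router: Router = ROUTER) -> Optional[Endpoint]:
    """Exit relay with the rewrite applied; None means the connection is refused."""
    target = rewrite_for_exit(dst, router)
    return None if target is None else router.deliver(target, from_inside=True)


def reaches_admin_console(landing: Optional[Endpoint], router: Router = ROUTER) -> bool:
    """True if the connection terminated on the router's own console (GW:80)."""
    return landing == (router.internal_ip, 80)


if __name__ == "__main__":
    for label, fn in (("naive", naive_exit), ("fixed", fixed_exit)):
        for dst in ((E, 80), (E, 22), (OTHER, 80)):
            landing = fn(dst)
            flag = "  <-- admin console!" if reaches_admin_console(landing) else ""
            print(f"{label:5} exit -> {dst[0]}:{dst[1]:<3} lands on {landing}{flag}")
```

Running the module prints one line per (exit, destination) pair: the naive exit sends E:80 to GW:80 (the admin console), while the fixed exit sends it to P:80, refuses E:22, and leaves traffic to any other address untouched.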

