Re: [tor-talk] AORTA - others tried it?

2018-02-10 Thread alen . alen

>>> On my Debian system, programs like Firefox and Chromium do not work
>>> with TorSocks. For AORTA I haven't been able to find a program that
>>> does not work under AORTA. Please let me know if you have a program
>>> that does not work with AORTA.
>>
>> Well, I'm not sure what is causing this:
>>
>> $ aorta -c -t telnet abcd1234abcd1234.onion 80
>>
>> WARNING NOT testing if Tor handles all Internet traffic.
>>
>> RUNNING telnet abcd1234abcd1234.onion 80
>> Trying 10.216.233.115...
>> telnet: connect to address 10.216.233.115: Connection timed out
>> Trying fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f...
>> telnet: connect to address fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f: Invalid argument
>>
>> AORTA CLOSED ...
>>
>> OTOH this works fine:
>>
>> $ torsocks telnet abcd1234abcd1234.onion 80
>> Trying 127.39.20.0...
>> Connected to abcd1234abcd1234.onion.
>> Escape character is '^]'.
>>
>> Why is AORTA failing, also why is result of trying to connect on
>> IPV6 "Invalid argument"?
>
> This is strange in multiple ways:
>
> First the address. abcd1234abcd1234.onion cannot be a *real* onion

No, sorry, it's changed from the real address. The point was to observe
aorta timing out a connection while torsocks connecting ok. I found
unpredictable. But happening enough to create doubt in what aorta is
doing.

> I got a telnet reply when I tried to connect to it with AORTA. The
> connection was closed immediately after I got the "Escape character is"
> message.
>
> With torsocks the address was not resolved and no connection was
> established.

Well, you have discrepancies also. Why is the behavior different? Aren't
both connections going through same tor?

> About the IPV6 address in your AORTA session. I do not know how you got
> this address.

Doesn't telnet look for IPV6 if IPV4 fails? Where it got lookup, I can't
say. What does aorta do when IPV6 is requested?

> AORTA should only resolve to an IPV4 address in the
> 10.192.0.0/10 range.





tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] AORTA - others tried it?

2018-02-10 Thread MacLemon

> On 10 Feb 2018, at 10:15, Rob van der Hoeven wrote:
> 
> On my Debian system, programs like Firefox and Chromium do not work
>> 
>> Well, I'm not sure what is causing this:
>> 
>> $ aorta -c -t telnet abcd1234abcd1234.onion 80
> First the address. abcd1234abcd1234.onion cannot be a *real* onion
> address because onion addresses are supposed to be unreadable :-)

This cannot be a real onion address because it contains the character "1" which
is impossible for real onions. "1" is specifically not a character used by
Base32 encoding used by onion addresses.
https://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet

Since the domain name is obviously incorrect for the .onion TLD it's 
questionable if a tool should even try to connect to it. Likewise you'd refuse 
any .onion domain that isn't of exactly 16 (v2 onion) or 54 characters (v3 
onion) in length.
Maybe some systems that usually resolve hostnames through tor, fall back to a 
local or another resolver when they receive an NX as a fallback.

Best regards
MacLemon



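The syntax checks described in the message above, as an added example that is not part of the original message: it rejects a label containing characters outside the RFC 4648 Base32 alphabet, accepts 16-character v2 labels, and verifies the checksum embedded in a v3 label. The 56-character v3 length and the checksum layout are taken from Tor's rend-spec-v3 (the message gives 54), and `onion_label_status` and `make_v3_label` are hypothetical names.

```python
import base64
import hashlib

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # RFC 4648, lower case

def _v3_checksum(pubkey, version):
    # rend-spec-v3: first two bytes of SHA3-256(".onion checksum" | key | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def onion_label_status(hostname):
    """Classify a hostname as 'v2', 'v3' or a rejection reason, with no lookup."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(".onion"):
        return "not-onion"
    label = host[:-len(".onion")].split(".")[-1]  # subdomains may precede it
    if set(label) - BASE32_ALPHABET:
        return "bad-alphabet"
    if len(label) == 16:
        return "v2"
    if len(label) != 56:
        return "bad-length"
    raw = base64.b32decode(label.upper())  # 32-byte key, 2-byte checksum, version
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != _v3_checksum(pubkey, version):
        return "bad-checksum"
    return "v3"

def make_v3_label(pubkey):
    """Build a well-formed v3 label from 32 bytes (constructed sample input)."""
    version = b"\x03"
    blob = pubkey + _v3_checksum(pubkey, version) + version
    return base64.b32encode(blob).decode().lower()

if __name__ == "__main__":
    sample_v3 = make_v3_label(bytes(range(32))) + ".onion"  # constructed key
    for name in ["abcd1234abcd1234.onion", "abcdefghijklmnop.onion",
                 sample_v3, "short.onion", "example.com"]:
        print(name, "->", onion_label_status(name))
```

A resolver front end that applies such a check can refuse a malformed `.onion` name outright instead of passing it to another resolver.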

Re: [tor-talk] AORTA - others tried it?

2018-02-10 Thread Rob van der Hoeven
> > On my Debian system, programs like Firefox and Chromium do not work
> > with TorSocks. For AORTA I haven't been able to find a program that
> > does not work under AORTA. Please let me know if you have a program
> > that does not work with AORTA.
> 
> Well, I'm not sure what is causing this:
> 
> $ aorta -c -t telnet abcd1234abcd1234.onion 80
> 
> WARNING NOT testing if Tor handles all Internet traffic.
> 
> RUNNING telnet abcd1234abcd1234.onion 80
> Trying 10.216.233.115...
> telnet: connect to address 10.216.233.115: Connection timed out
> Trying fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f...
> telnet: connect to address fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f: Invalid argument
> 
> AORTA CLOSED ...
> 
> OTOH this works fine:
> 
> $ torsocks telnet abcd1234abcd1234.onion 80
> Trying 127.39.20.0...
> Connected to abcd1234abcd1234.onion.
> Escape character is '^]'.
> 
> Why is AORTA failing, also why is result of trying to connect on
> IPV6 "Invalid argument"?

This is strange in multiple ways:

First the address. abcd1234abcd1234.onion cannot be a *real* onion
address because onion addresses are supposed to be unreadable :-)
I suspected it to be some kind of test address so I tried to find it in
the Tor source code. No luck. But 

I got a telnet reply when I tried to connect to it with AORTA. The
connection was closed immediately after I got the "Escape character is"
message.

With torsocks the address was not resolved and no connection was
established.

About the IPV6 address in your AORTA session. I do not know how you got
this address. AORTA should only resolve to an IPV4 address in the
10.192.0.0/10 range.

Regards,
Rob.
https://hoevenstein.nl



Re: [tor-talk] AORTA - others tried it?

2018-02-07 Thread alen . alen

> TorSocks preloads a DLL that contains all the TCP/DNS functions from
> the normal c library. This makes the program use the TorSocks functions
> instead of the c library functions. This is the "old" way of
> interception and takes place in user space.
>
> AORTA intercepts and redirects TCP/DNS traffic inside kernel space.
> What AORTA does is not visible to the program, and also works with
> statically linked programs. AORTA is a much more simple program (thanks
> to the hard work of the kernel and iptables developers). Except for
> programs that clone an already running instance the interception and
> redirection of AORTA *should* be guaranteed. NOTE *should* because
> AORTA is a new program that has not undergone the same testing that
> TorSocks has. Note also that I did test AORTA on different Linux
> distributions (Debian, Ubuntu, Mint, Arch Linux) using a wide range of
> programs.
>
> On my Debian system, programs like Firefox and Chromium do not work
> with TorSocks. For AORTA I haven't been able to find a program that
> does not work under AORTA. Please let me know if you have a program
> that does not work with AORTA.

Well, I'm not sure what is causing this:

$ aorta -c -t telnet abcd1234abcd1234.onion 80

WARNING NOT testing if Tor handles all Internet traffic.

RUNNING telnet abcd1234abcd1234.onion 80
Trying 10.216.233.115...
telnet: connect to address 10.216.233.115: Connection timed out
Trying fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f...
telnet: connect to address fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f: Invalid argument

AORTA CLOSED ...

OTOH this works fine:

$ torsocks telnet abcd1234abcd1234.onion 80
Trying 127.39.20.0...
Connected to abcd1234abcd1234.onion.
Escape character is '^]'.

Why is AORTA failing, also why is result of trying to connect on IPV6
"Invalid argument"?






Re: [tor-talk] AORTA - others tried it?

2018-02-07 Thread alen . alen

>> **Did anyone else check out AORTA or review its code?
>
> One way for non coders to review it is to observe if the rulesets
> it creates meet comprehensive expectations and makes sense.


I think these are its rules, copied from aorta.c, any opinions from experts?


const char *aorta_rules[] =
{
// create an aorta chain inside the nat table

"-t nat -N aorta",

// DNS queries for onion addresses are resolved to an address in the
// TOR_ONION_NETWORK range. traffic in this network must always be
// processed by the local Tor daemon

"-t nat -A aorta -p tcp -m tcp -d " TOR_ONION_NETWORK " -j REDIRECT --to-ports " TOR_TCP_PORT,

// do not touch non-routable addresses, except for DNS traffic

"-t nat -A aorta -d 127.0.0.0/8 -p udp -m udp ! --dport 53 -j RETURN",
"-t nat -A aorta -d 127.0.0.0/8 -p tcp -m tcp ! --dport 53 -j RETURN",
"-t nat -A aorta -d 10.0.0.0/8 -p udp -m udp ! --dport 53 -j RETURN",
"-t nat -A aorta -d 10.0.0.0/8 -p tcp -m tcp ! --dport 53 -j RETURN",
"-t nat -A aorta -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN",
"-t nat -A aorta -d 192.168.0.0/16 -p tcp -m tcp ! --dport 53 -j RETURN",
"-t nat -A aorta -d 172.16.0.0/12 -p udp -m udp ! --dport 53 -j RETURN",
"-t nat -A aorta -d 172.16.0.0/12 -p tcp -m tcp ! --dport 53 -j RETURN",

// redirect to local Tor daemon

"-t nat -A aorta -p tcp -m tcp -j REDIRECT --to-ports " TOR_TCP_PORT,
"-t nat -A aorta -p udp -m udp --dport 53 -j REDIRECT --to-ports " TOR_DNS_PORT,

// output traffic from processes inside our cgroup is processed by aorta chain

"-t nat -A OUTPUT -m cgroup --cgroup " AORTA_CGROUP_CLASSID " -j aorta",
0
};






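A first-match walk through the aorta chain posted above, as an added example that is not code from aorta.c: it shows which rule decides the fate of a given packet and why the onion rule has to come before the 10.0.0.0/8 RETURN rules. The macro values are assumptions (the post shows only their names; 10.192.0.0/10 is the range the author mentions elsewhere in the thread, both ports are placeholders), and `build_chain` and `evaluate` are hypothetical names.

```python
import ipaddress

# Assumed macro values: the post shows only the names. 10.192.0.0/10 is the
# range the AORTA author gives in this thread; both ports are placeholders.
TOR_ONION_NETWORK = "10.192.0.0/10"
TOR_TCP_PORT, TOR_DNS_PORT = 9040, 5353
NON_ROUTABLE = ["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]

def build_chain(onion_rule_first=True):
    """Return the aorta chain as (dst_net, proto, dport_test, verdict) tuples."""
    onion = (TOR_ONION_NETWORK, "tcp", None, ("REDIRECT", TOR_TCP_PORT))
    returns = [(net, proto, "!53", ("RETURN", None))
               for net in NON_ROUTABLE for proto in ("udp", "tcp")]
    tail = [("0.0.0.0/0", "tcp", None, ("REDIRECT", TOR_TCP_PORT)),
            ("0.0.0.0/0", "udp", "53", ("REDIRECT", TOR_DNS_PORT))]
    # onion_rule_first=False is a hypothetical reordering, used to show why
    # the posted order matters: 10.192.0.0/10 lies inside 10.0.0.0/8.
    head = [onion] + returns if onion_rule_first else returns + [onion]
    return head + tail

def evaluate(chain, dst, proto, dport):
    """First matching rule decides; no match means the chain returns to OUTPUT."""
    addr = ipaddress.ip_address(dst)
    if addr.version != 4:
        # Assumption: the array is loaded with iptables, which only ever
        # sees IPv4 packets, so an IPv6 destination never reaches the chain.
        return ("NOT_SEEN", None)
    for net, rule_proto, dport_test, verdict in chain:
        if addr not in ipaddress.ip_network(net) or proto != rule_proto:
            continue
        if dport_test == "53" and dport != 53:
            continue
        if dport_test == "!53" and dport == 53:
            continue
        return verdict
    return ("RETURN", None)

if __name__ == "__main__":
    chain = build_chain()
    # Constructed sample packets: (destination, protocol, destination port).
    for pkt in [("10.216.233.115", "tcp", 80), ("10.1.2.3", "tcp", 22),
                ("192.168.1.1", "udp", 53), ("192.0.2.10", "udp", 123),
                ("fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f", "tcp", 80)]:
        print(pkt, "->", evaluate(chain, *pkt))
```

The UDP packet to port 123 matches no rule and leaves the chain unchanged, so what happens to it depends on rules outside the posted array.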

Re: [tor-talk] AORTA - others tried it?

2018-02-02 Thread intrigeri
Rob van der Hoeven:
> Except for programs that clone an already running instance the
> interception and redirection of AORTA *should* be guaranteed.
> On my Debian system, programs like Firefox and Chromium do not work
> with TorSocks. For AORTA I haven't been able to find a program that
> does not work under AORTA.

If I wanted to find another type of applications that AORTA does not
manage to torify, I would look for programs whose main executable
merely triggers startup of the main program via D-Bus activation (e.g.
those started with gapplication).

Cheers,
-- 
intrigeri


Re: [tor-talk] AORTA - others tried it?

2018-02-02 Thread Rob van der Hoeven

> Note to the author of AORTA (Rob van der Hoeven), I've had AORTA to  
> work on CentOS 7 which shows a kernel version 3.10 but RedHat often  
> backports lots of features into older versioned software. This
> might be worth noting on the webpage.
> 

Well, the important thing is net_class cgroup support. This support was
*officially* added to Linux kernels >= 3.14

> **Did anyone else check out AORTA or review its code? Not so much a  
> coder here, I would like to listen to community response/review of  
> this tool.

I would like some community response/review too ;-)

> 
> I had one (chroot?) situation it worked better than Torsocks. But the
> author doesn't go into detail about his technique of Torification
> vs. Torsocks. How does it work? Why is it supposed to work under more
> situations?

TorSocks preloads a DLL that contains all the TCP/DNS functions from
the normal c library. This makes the program use the TorSocks functions
instead of the c library functions. This is the "old" way of
interception and takes place in user space.

AORTA intercepts and redirects TCP/DNS traffic inside kernel space.
What AORTA does is not visible to the program, and also works with
statically linked programs. AORTA is a much more simple program (thanks
to the hard work of the kernel and iptables developers). Except for
programs that clone an already running instance the interception and
redirection of AORTA *should* be guaranteed. NOTE *should* because
AORTA is a new program that has not undergone the same testing that
TorSocks has. Note also that I did test AORTA on different Linux
distributions (Debian, Ubuntu, Mint, Arch Linux) using a wide range of
programs.

On my Debian system, programs like Firefox and Chromium do not work
with TorSocks. For AORTA I haven't been able to find a program that
does not work under AORTA. Please let me know if you have a program
that does not work with AORTA.

> 
> Also wonder, what exactly the software does when testing if "Tor  
> handles all Internet traffic"? Is it necessary, what are the  
> consequences of using -c to disable the test?

The test resolves an .onion address and connects to it. This test only
succeeds if DNS and TCP traffic are routed through the Tor network.
Normally this test will always succeed but it can take a long time. For
this I made the test optional (but not by default).

Regards,

Rob van der Hoeven, 
author of AORTA

https://hoevenstein.nl



Re: [tor-talk] AORTA - others tried it?

2018-02-01 Thread grarpamp
On Thu, Feb 1, 2018 at 7:20 PM,   wrote:
> https://hoevenstein.nl/aorta-a-transparent-tor-proxy-for-linux-programs

> How does it work?

The underlying tech is kernel facilities and filters like pf / ipfw / nftables.

For Linux see...
https://wikipedia.org/wiki/Cgroups
https://www.spinics.net/lists/netdev/msg264727.html

> **Did anyone else check out AORTA or review its code?

One way for non coders to review it is to observe if the rulesets
it creates meet comprehensive expectations and makes sense.

You'd need to read the manpages for the filter in question.

> Why is it supposed to work under more situations?

Kernel packet filters have rule over userland software / libraries / users.

Example:
If you compile tor or telnet statically, you can't torsocks them,
but you can aorta them.

Aorta won't work unless you're running a supported Linux kernel.

Torsocks is more platform independent so it works on BSDs.

Or users can write similar packet rules on their BSD boxes
to effectively do what aorta does on Linux.

Whonix and various VM solutions do similar things.

> Also wonder, what exactly the software does when testing if "Tor handles all
> Internet traffic"?

Tries to resolve and connect to an onion, prints results, exit on fail.

> What are the consequences of using -c to disable the test?

Runs your app without such test first.

Something like that, read the above aorta link and aorta.c for specifics.


[tor-talk] AORTA - others tried it?

2018-02-01 Thread alen . alen

I ran across AORTA as a potentially improved replacement for Torsocks.

https://hoevenstein.nl/aorta-a-transparent-tor-proxy-for-linux-programs

Note to the author of AORTA (Rob van der Hoeven), I've had AORTA to  
work on CentOS 7 which shows a kernel version 3.10 but RedHat often  
backports lots of features into older versioned software. This might  
be worth noting on the webpage.


**Did anyone else check out AORTA or review its code? Not so much a  
coder here, I would like to listen to community response/review of  
this tool.


I had one (chroot?) situation it worked better than Torsocks. But the  
author doesn't go into detail about his technique of Torification vs.  
Torsocks. How does it work? Why is it supposed to work under more  
situations?


Also wonder, what exactly the software does when testing if "Tor  
handles all Internet traffic"? Is it necessary, what are the  
consequences of using -c to disable the test?



