Re: [tor-talk] AORTA - others tried it?
>>> On my Debian system, programs like Firefox and Chromium do not work
>>> with TorSocks. For AORTA I haven't been able to find a program that
>>> does not work under AORTA. Please let me know if you have a program
>>> that does not work with AORTA.
>>
>> Well, I'm not sure what is causing this:
>>
>> $ aorta -c -t telnet abcd1234abcd1234.onion 80
>> WARNING NOT testing if Tor handles all Internet traffic.
>> RUNNING telnet abcd1234abcd1234.onion 80
>> Trying 10.216.233.115...
>> telnet: connect to address 10.216.233.115: Connection timed out
>> Trying fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f...
>> telnet: connect to address fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f: Invalid argument
>> AORTA CLOSED ...
>>
>> OTOH this works fine:
>>
>> $ torsocks telnet abcd1234abcd1234.onion 80
>> Trying 127.39.20.0...
>> Connected to abcd1234abcd1234.onion.
>> Escape character is '^]'.
>>
>> Why is AORTA failing, also why is the result of trying to connect on
>> IPV6 "Invalid argument"?
>
> This is strange in multiple ways:
>
> First the address. abcd1234abcd1234.onion cannot be a *real* onion

No, sorry, it's changed from the real address. The point was to observe
aorta timing out a connection while torsocks connects OK. I found it
unpredictable. But happening enough to create doubt in what aorta is
doing.

> I got a telnet reply when I tried to connect to it with AORTA. The
> connection was closed immediately after I got the "Escape character
> is" message. With torsocks the address was not resolved and no
> connection was established.

Well, you have discrepancies also. Why is the behavior different? Aren't
both connections going through the same Tor?

> About the IPV6 address in your AORTA session. I do not know how you
> got this address.

Doesn't telnet look for IPV6 if IPV4 fails? Where it got the lookup, I
can't say. What does aorta do when IPV6 is requested?

> AORTA should only resolve to an IPV4 address in the 10.192.0.0/10
> range.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] AORTA - others tried it?
> On 10 Feb 2018, at 10:15, Rob van der Hoeven wrote:
>
>>> On my Debian system, programs like Firefox and Chromium do not work
>>
>> Well, I'm not sure what is causing this:
>>
>> $ aorta -c -t telnet abcd1234abcd1234.onion 80
>
> First the address. abcd1234abcd1234.onion cannot be a *real* onion
> address because onion addresses are supposed to be unreadable :-)

This cannot be a real onion address because it contains the character
"1" which is impossible for real onions. "1" is specifically not a
character used by the Base32 encoding used by onion addresses.
https://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet

Since the domain name is obviously incorrect for the .onion TLD it's
questionable if a tool should even try to connect to it. Likewise you'd
refuse any .onion domain that isn't of exactly 16 (v2 onion) or 54
characters (v3 onion) in length.

Maybe some systems that usually resolve hostnames through tor fall back
to a local or another resolver when they receive an NX as a fallback.

Best regards
MacLemon
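The check MacLemon describes (reject a .onion name that cannot be genuine before any resolver sees it), written out as an added example; this is not code from AORTA, torsocks or anything else in the thread. It assumes the length rules of Tor's own address formats: a v2 label is 16 base32 characters, and a v3 label is 56 base32 characters encoding a 32-byte key, a 2-byte SHA3-256 checksum and the version byte 0x03, so a v3 name can additionally be verified offline by recomputing that checksum. The sample key it builds an address from is constructed and belongs to no real service.

```python
"""Syntax (and, for v3, checksum) check of .onion hostnames, fully offline.

Added example, not part of any tool in the thread. Assumptions:
  - v2 label: 16 base32 characters (checked for alphabet and length only)
  - v3 label: 56 base32 characters = PUBKEY(32) | CHECKSUM(2) | VERSION(1)
    with CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
"""
import base64
import hashlib
from typing import Tuple

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")   # RFC 4648: no 0, 1, 8, 9
V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def check_onion(hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason). Never touches the network."""
    name = hostname.strip().lower()
    if not name.endswith(".onion"):
        return False, "not a .onion name"
    # Only the label directly before ".onion" is the address; anything in
    # front of it (www.<addr>.onion) is a subdomain and is ignored here.
    label = name[:-len(".onion")].rsplit(".", 1)[-1]
    bad = sorted(set(label) - B32_ALPHABET)
    if bad:
        return False, "characters outside base32 alphabet: " + "".join(bad)
    if len(label) == 16:
        return True, "v2 onion (syntax only)"
    if len(label) != 56:
        return False, "label length %d; expected 16 (v2) or 56 (v3)" % len(label)
    raw = base64.b32decode(label.upper())          # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        return False, "v3 version byte mismatch"
    if checksum != _v3_checksum(pubkey):
        return False, "v3 checksum mismatch"
    return True, "v3 onion (checksum ok)"


def make_v3_onion(pubkey: bytes) -> str:
    """Address for a 32-byte ed25519 public key; used here only to build a sample."""
    if len(pubkey) != 32:
        raise ValueError("v3 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


# Constructed sample key: not a real service, just deterministic bytes.
SAMPLE_KEY = bytes(range(32))
SAMPLE_V3 = make_v3_onion(SAMPLE_KEY)

if __name__ == "__main__":
    for host in ("abcd1234abcd1234.onion", "abcdefghijklmnop.onion",
                 SAMPLE_V3, SAMPLE_V3[:-7] + "a.onion", "example.com"):
        print(host, "->", check_onion(host))
```

The address from the thread is rejected on the first test (the character "1"), so a transparent proxy that applied this check would never hand it to Tor or to a fallback resolver; a v3 name with a single altered character fails either the checksum or the version byte, which is what makes the format self-validating.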
Re: [tor-talk] AORTA - others tried it?
>> On my Debian system, programs like Firefox and Chromium do not work
>> with TorSocks. For AORTA I haven't been able to find a program that
>> does not work under AORTA. Please let me know if you have a program
>> that does not work with AORTA.
>
> Well, I'm not sure what is causing this:
>
> $ aorta -c -t telnet abcd1234abcd1234.onion 80
> WARNING NOT testing if Tor handles all Internet traffic.
> RUNNING telnet abcd1234abcd1234.onion 80
> Trying 10.216.233.115...
> telnet: connect to address 10.216.233.115: Connection timed out
> Trying fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f...
> telnet: connect to address fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f:
> Invalid argument
> AORTA CLOSED ...
>
> OTOH this works fine:
>
> $ torsocks telnet abcd1234abcd1234.onion 80
> Trying 127.39.20.0...
> Connected to abcd1234abcd1234.onion.
> Escape character is '^]'.
>
> Why is AORTA failing, also why is the result of trying to connect on
> IPV6 "Invalid argument"?

This is strange in multiple ways:

First the address. abcd1234abcd1234.onion cannot be a *real* onion
address because onion addresses are supposed to be unreadable :-)
I suspected it to be some kind of test address so I tried to find it in
the Tor source code. No luck. But I got a telnet reply when I tried to
connect to it with AORTA. The connection was closed immediately after I
got the "Escape character is" message. With torsocks the address was
not resolved and no connection was established.

About the IPV6 address in your AORTA session. I do not know how you got
this address. AORTA should only resolve to an IPV4 address in the
10.192.0.0/10 range.

Regards, Rob.
https://hoevenstein.nl
Re: [tor-talk] AORTA - others tried it?
> TorSocks preloads a DLL that contains all the TCP/DNS functions from
> the normal C library. This makes the program use the TorSocks
> functions instead of the C library functions. This is the "old" way
> of interception and takes place in user space.
>
> AORTA intercepts and redirects TCP/DNS traffic inside kernel space.
> What AORTA does is not visible to the program, and also works with
> statically linked programs. AORTA is a much simpler program (thanks
> to the hard work of the kernel and iptables developers).
>
> Except for programs that clone an already running instance the
> interception and redirection of AORTA *should* be guaranteed. NOTE
> *should* because AORTA is a new program that has not undergone the
> same testing that TorSocks has. Note also that I did test AORTA on
> different Linux distributions (Debian, Ubuntu, Mint, Arch Linux)
> using a wide range of programs.
>
> On my Debian system, programs like Firefox and Chromium do not work
> with TorSocks. For AORTA I haven't been able to find a program that
> does not work under AORTA. Please let me know if you have a program
> that does not work with AORTA.

Well, I'm not sure what is causing this:

$ aorta -c -t telnet abcd1234abcd1234.onion 80
WARNING NOT testing if Tor handles all Internet traffic.
RUNNING telnet abcd1234abcd1234.onion 80
Trying 10.216.233.115...
telnet: connect to address 10.216.233.115: Connection timed out
Trying fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f...
telnet: connect to address fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f: Invalid argument
AORTA CLOSED ...

OTOH this works fine:

$ torsocks telnet abcd1234abcd1234.onion 80
Trying 127.39.20.0...
Connected to abcd1234abcd1234.onion.
Escape character is '^]'.

Why is AORTA failing, also why is the result of trying to connect on
IPV6 "Invalid argument"?
Re: [tor-talk] AORTA - others tried it?
> **Did anyone else check out AORTA or review its code?

One way for non-coders to review it is to observe if the rulesets it
creates meet comprehensive expectations and make sense. I think these
are its rules, copied from aorta.c; any opinions from experts?

const char *aorta_rules[] = {
    // create an aorta chain inside the nat table
    "-t nat -N aorta",

    // DNS queries for onion addresses are resolved to an address in the
    // TOR_ONION_NETWORK range. traffic in this network must always be
    // processed by the local Tor daemon
    "-t nat -A aorta -p tcp -m tcp -d " TOR_ONION_NETWORK
        " -j REDIRECT --to-ports " TOR_TCP_PORT,

    // do not touch non-routable addresses, except for DNS traffic
    "-t nat -A aorta -d 127.0.0.0/8 -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 127.0.0.0/8 -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8 -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 10.0.0.0/8 -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 192.168.0.0/16 -p tcp -m tcp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12 -p udp -m udp ! --dport 53 -j RETURN",
    "-t nat -A aorta -d 172.16.0.0/12 -p tcp -m tcp ! --dport 53 -j RETURN",

    // redirect to local Tor daemon
    "-t nat -A aorta -p tcp -m tcp -j REDIRECT --to-ports " TOR_TCP_PORT,
    "-t nat -A aorta -p udp -m udp --dport 53 -j REDIRECT --to-ports " TOR_DNS_PORT,

    // output traffic from processes inside our cgroup is processed by aorta chain
    "-t nat -A OUTPUT -m cgroup --cgroup " AORTA_CGROUP_CLASSID " -j aorta",
    0
};
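A way to do the review the poster suggests without root or a live iptables: walk the quoted chain by hand for a few destinations. The script below is an added example, not code from aorta.c. It restates aorta_rules[] as data and evaluates constructed packets the way the kernel walks a user chain (first match wins, RETURN leaves the packet untouched, running off the end of the chain has the same effect as RETURN). TOR_ONION_NETWORK is the 10.192.0.0/10 range stated in the thread; the values for TOR_TCP_PORT and TOR_DNS_PORT are assumptions, since the post shows only the macro names.

```python
"""Offline walk-through of the AORTA nat/aorta chain quoted above.

Added example, not part of aorta.c. Models the OUTPUT hook for a process
inside the AORTA cgroup; port numbers are assumed values for the macros.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOR_ONION_NETWORK = "10.192.0.0/10"   # stated in the thread
TOR_TCP_PORT = 9040                   # assumption (Tor TransPort)
TOR_DNS_PORT = 5353                   # assumption (Tor DNSPort)

PRIVATE_NETS = ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]            # "-p tcp" / "-p udp"; None = any protocol
    dst: Optional[str]              # "-d <network>"; None = any destination
    dport: Optional[int]            # "--dport N"; None = any port
    negate_dport: bool              # True for "! --dport N"
    target: str                     # "REDIRECT" or "RETURN"
    to_port: Optional[int] = None   # "--to-ports N" for REDIRECT


# The "aorta" chain in the order the post lists it ("-N aorta" and the
# OUTPUT jump are represented by classify() itself).
AORTA_CHAIN: List[Rule] = [
    Rule("tcp", TOR_ONION_NETWORK, None, False, "REDIRECT", TOR_TCP_PORT),
    *[Rule(proto, net, 53, True, "RETURN")
      for net in PRIVATE_NETS for proto in ("udp", "tcp")],
    Rule("tcp", None, None, False, "REDIRECT", TOR_TCP_PORT),
    Rule("udp", None, 53, False, "REDIRECT", TOR_DNS_PORT),
]


def _matches(rule: Rule, proto: str, dst: ipaddress.IPv4Address, dport: int) -> bool:
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dst is not None and dst not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None:
        hit = dport == rule.dport
        if rule.negate_dport:
            hit = not hit
        if not hit:
            return False
    return True


def classify(proto: str, dst: str, dport: int,
             in_cgroup: bool = True) -> Tuple[str, Optional[int]]:
    """Fate of one outgoing packet.

    ("REDIRECT", port)     rewritten to 127.0.0.1:port, i.e. handed to Tor
    ("RETURN", None)       explicitly left alone by a RETURN rule
    ("FALLTHROUGH", None)  no rule matched; same effect as RETURN
    ("NOT_IN_CGROUP", None) the OUTPUT rule never sends it into the chain
    ("NOT_COVERED", None)  IPv6: iptables -t nat only sees IPv4 packets
    """
    addr = ipaddress.ip_address(dst)
    if addr.version != 4:
        return ("NOT_COVERED", None)
    if not in_cgroup:
        return ("NOT_IN_CGROUP", None)
    for rule in AORTA_CHAIN:
        if _matches(rule, proto, addr, dport):
            return (rule.target, rule.to_port)
    return ("FALLTHROUGH", None)


if __name__ == "__main__":
    # Constructed sample packets, including the two addresses from the thread.
    samples = [
        ("tcp", "10.216.233.115", 80),     # AORTA's own onion-range address
        ("tcp", "10.1.2.3", 22),           # LAN ssh: left alone
        ("udp", "192.168.1.1", 53),        # DNS to a LAN resolver: Tor DNSPort
        ("tcp", "192.168.1.1", 53),        # TCP DNS to the LAN: Tor TransPort
        ("tcp", "127.0.0.1", 9050),        # loopback: left alone
        ("tcp", "93.184.216.34", 443),     # ordinary TCP: Tor TransPort
        ("udp", "8.8.8.8", 123),           # non-DNS UDP: nothing matches
        ("tcp", "fa93:ac5e:c801:b104:ad21:2e27:0f18:b4f", 80),  # IPv6 from the thread
    ]
    for proto, dst, port in samples:
        print("%-3s %40s:%-5d -> %s" % (proto, dst, port, classify(proto, dst, port)))
```

Running it makes three properties of the quoted list visible at once: every UDP/53 query, including one aimed at a LAN resolver, is redirected to Tor's DNS port (which is how the 10.192.0.0/10 answers come about); UDP to anything other than port 53 matches no rule at all; and because these are iptables (IPv4) nat rules, an IPv6 destination such as the one in the telnet session never enters the chain. Whether aorta handles the last two cases somewhere outside this list is not shown in the thread.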
Re: [tor-talk] AORTA - others tried it?
Rob van der Hoeven:
> Except for programs that clone an already running instance the
> interception and redirection of AORTA *should* be guaranteed.

> On my Debian system, programs like Firefox and Chromium do not work
> with TorSocks. For AORTA I haven't been able to find a program that
> does not work under AORTA.

If I wanted to find another type of application that AORTA does not
manage to torify, I would look for programs whose main executable
merely triggers startup of the main program via D-Bus activation (e.g.
those started with gapplication).

Cheers,
--
intrigeri
Re: [tor-talk] AORTA - others tried it?
> Note to the author of AORTA (Rob van der Hoeven), I've had AORTA to
> work on CentOS 7 which shows a kernel version 3.10 but RedHat often
> backports lots of features into older versioned software. This
> might be worth noting on the webpage.

Well, the important thing is net_class cgroup support. This support was
*officially* added to Linux kernels >= 3.14

> **Did anyone else check out AORTA or review its code? Not so much a
> coder here, I would like to listen to community response/review of
> this tool.

I would like some community response/review too ;-)

> I had one (chroot?) situation it worked better than Torsocks. But the
> author doesn't go into detail about his technique of Torification
> vs. Torsocks. How does it work? Why is it supposed to work under more
> situations?

TorSocks preloads a DLL that contains all the TCP/DNS functions from the
normal C library. This makes the program use the TorSocks functions
instead of the C library functions. This is the "old" way of
interception and takes place in user space.

AORTA intercepts and redirects TCP/DNS traffic inside kernel space. What
AORTA does is not visible to the program, and also works with statically
linked programs. AORTA is a much simpler program (thanks to the hard
work of the kernel and iptables developers).

Except for programs that clone an already running instance the
interception and redirection of AORTA *should* be guaranteed. NOTE
*should* because AORTA is a new program that has not undergone the same
testing that TorSocks has. Note also that I did test AORTA on different
Linux distributions (Debian, Ubuntu, Mint, Arch Linux) using a wide
range of programs.

On my Debian system, programs like Firefox and Chromium do not work
with TorSocks. For AORTA I haven't been able to find a program that
does not work under AORTA. Please let me know if you have a program
that does not work with AORTA.

> Also wonder, what exactly the software does when testing if "Tor
> handles all Internet traffic"? Is it necessary, what are the
> consequences of using -c to disable the test?

The test resolves an .onion address and connects to it. This test only
succeeds if DNS and TCP traffic are routed through the Tor network.
Normally this test will always succeed but it can take a long time. For
this I made the test optional (but not by default).

Regards,
Rob van der Hoeven, author of AORTA
https://hoevenstein.nl
Re: [tor-talk] AORTA - others tried it?
On Thu, Feb 1, 2018 at 7:20 PM, wrote:
> https://hoevenstein.nl/aorta-a-transparent-tor-proxy-for-linux-programs
> How does it work?

The underlying tech is kernel facilities and filters like pf / ipfw /
nftables. For Linux see...
https://wikipedia.org/wiki/Cgroups
https://www.spinics.net/lists/netdev/msg264727.html

> **Did anyone else check out AORTA or review its code? One way for
> non-coders to review it is to observe if the rulesets it creates meet
> comprehensive expectations and make sense.

You'd need to read the manpages for the filter in question.

> Why is it supposed to work under more situations?

Kernel packet filters have rule over userland software / libraries /
users. Example: If you compile tor or telnet statically, you can't
torsocks them, but you can aorta them.

Aorta won't work unless you're running a supported Linux kernel.
Torsocks is more platform independent so it works on BSDs. Or users can
write similar packet rules on their BSD boxes to effectively do what
aorta does on Linux. Whonix and various VM solutions do similar things.

> Also wonder, what exactly the software does when testing if "Tor
> handles all Internet traffic"?

Tries to resolve and connect to an onion, prints results, exit on fail.

> What are the consequences of using -c to disable the test?

Runs your app without such test first.

Something like that, read the above aorta link and aorta.c for
specifics.
[tor-talk] AORTA - others tried it?
I ran across AORTA as a potentially improved replacement for Torsocks.
https://hoevenstein.nl/aorta-a-transparent-tor-proxy-for-linux-programs

Note to the author of AORTA (Rob van der Hoeven), I've had AORTA to
work on CentOS 7 which shows a kernel version 3.10 but RedHat often
backports lots of features into older versioned software. This might be
worth noting on the webpage.

**Did anyone else check out AORTA or review its code? Not so much a
coder here, I would like to listen to community response/review of this
tool.

I had one (chroot?) situation it worked better than Torsocks. But the
author doesn't go into detail about his technique of Torification vs.
Torsocks. How does it work? Why is it supposed to work under more
situations?

Also wonder, what exactly the software does when testing if "Tor
handles all Internet traffic"? Is it necessary, what are the
consequences of using -c to disable the test?