Re: No more proxy on ftp(1)?

2016-02-01 Thread chohag
arrowscr...@mail.com writes:
> Thank you for your help Stuart. I'll just use curl for now. Actually, using
> torsocks seems a bad practice for any situation; I should just set up a
> transparent proxy (but the pf.conf
> from torproject.org does not work, I'll need to write it myself some day).
> Thanks again.

For the benefit of your lazy bone, and anyone else who comes across it,
here's the configuration I worked out. In OpenBSD's favour, I managed
this despite being relatively new to OpenBSD administration and
completely new to pf, so I don't know if it's 'right', but it is
'successful'.

The Tor router sits on the LAN as any other server would, at 10.42.0.8, and
on the subnet it anonymises at 10.172.192.2. 10.172.192.0/24 routes through it
(enforced by the switch/bridge they all plug into).


# cat /etc/pf.conf
# 

pass in quick inet proto tcp from 10.172.192.0/24 to 10.172.192.2 port tor

pass in quick inet proto udp from 10.172.192.0/24 to port domain
pass in quick inet from 10.172.192.0/24 divert-to 127.0.0.1 port transtor
pass out quick inet from 10.172.192.0/24 divert-reply
block in quick inet from 10.172.192.0/24


# getent services tor transtor
tor        9050/tcp
transtor   9040/tcp


# grep -v ^# /etc/tor/torrc | hand-grep _RELEVANT_LINES_
OutboundBindAddress 10.42.0.8 # Bind to the lan for outgoing connections

SocksPort 127.0.0.1:9050
SocksPort 10.172.192.2:9050
SocksPolicy accept 127.0.0.0/8
SocksPolicy accept 10.172.192.0/24
SocksPolicy reject *

VirtualAddrNetworkIPv4 10.127.0.0/16
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
TransPort 10.172.192.2:9040
DNSPort 127.0.0.1:53
DNSPort 10.172.192.2:53
TransProxyType pf-divert


Cheers,

Matthew
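Since the pf rules and the torrc above only work as a transparent proxy when they agree with each other (the divert-to target must be a TransPort Tor listens on, Tor must be told to ask pf for the original destination, DNS must land on a DNSPort the clients can reach, and anything not diverted must be blocked rather than forwarded), here is an added consistency check over that configuration. It is example code written for this thread, not Matthew's script or part of Tor or OpenBSD: the rule and torrc lines are copied from his post, the service table mirrors his getent output, and the six checks in check_transparent_proxy() are my own assumptions about what the setup depends on. The pf parser only understands the simple rule shape posted here.

```python
"""Consistency checks for a pf divert-to transparent Tor proxy.

Added example for this thread, not Matthew's code or Tor's: the pf rules,
torrc lines and service table are copied from his post; the checks and
check_transparent_proxy() are my own assumptions about what the setup
relies on.
"""
from ipaddress import ip_address, ip_network

# Copied from the posted /etc/pf.conf.
PF_CONF = """\
pass in quick inet proto tcp from 10.172.192.0/24 to 10.172.192.2 port tor
pass in quick inet proto udp from 10.172.192.0/24 to port domain
pass in quick inet from 10.172.192.0/24 divert-to 127.0.0.1 port transtor
pass out quick inet from 10.172.192.0/24 divert-reply
block in quick inet from 10.172.192.0/24
"""

# Copied from the posted torrc excerpt.
TORRC = """\
OutboundBindAddress 10.42.0.8 # Bind to the lan for outgoing connections
SocksPort 127.0.0.1:9050
SocksPort 10.172.192.2:9050
SocksPolicy accept 127.0.0.0/8
SocksPolicy accept 10.172.192.0/24
SocksPolicy reject *
VirtualAddrNetworkIPv4 10.127.0.0/16
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
TransPort 10.172.192.2:9040
DNSPort 127.0.0.1:53
DNSPort 10.172.192.2:53
TransProxyType pf-divert
"""

# Service names as getent resolved them in the thread, plus 'domain'.
SERVICES = {"tor": 9050, "transtor": 9040, "domain": 53}


def parse_torrc(text):
    """Map each torrc keyword to the list of values given for it."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key, []).append(value.strip())
    return conf


def parse_pf(text):
    """Tokenise pf rules; only the simple rule shape used above is handled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line.split())
    return rules


def port_number(token):
    """Resolve a numeric or named port the way pf would via services(5)."""
    return int(token) if token.isdigit() else SERVICES[token]


def check_transparent_proxy(pf_text, torrc_text, client_net):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    net = ip_network(client_net)
    rules = parse_pf(pf_text)
    tor = parse_torrc(torrc_text)

    # 1. Fail closed: the last inbound rule for the client net must be a
    #    block, so traffic pf neither diverted nor explicitly passed is dropped.
    inbound = [r for r in rules if r[1] == "in" and client_net in r]
    if not inbound or inbound[-1][0] != "block":
        findings.append("no trailing 'block in' for %s" % client_net)

    # 2. Every divert-to target must be a TransPort Tor actually listens on.
    for r in rules:
        if "divert-to" in r:
            i = r.index("divert-to")
            target = "%s:%d" % (r[i + 1], port_number(r[i + 3]))
            if target not in tor.get("TransPort", []):
                findings.append("divert-to %s has no TransPort" % target)

    # 3. With divert-to, Tor must recover the original destination via pf.
    if tor.get("TransProxyType") != ["pf-divert"]:
        findings.append("TransProxyType is not pf-divert")

    # 4. The udp/domain rule passes DNS without redirecting it, so clients
    #    must be able to point at a DNSPort inside their own subnet ...
    if not any(ip_address(v.split(":")[0]) in net
               for v in tor.get("DNSPort", [])):
        findings.append("no DNSPort on an address in %s" % client_net)

    # 5. ... and that rule should name the resolver as its destination;
    #    otherwise a client configured with another resolver sends DNS past
    #    Tor (assumption: the router forwards packets for the subnet).
    for r in rules:
        if "udp" in r and "domain" in r and r[r.index("to") + 1] == "port":
            findings.append("udp domain rule has no explicit destination")

    # 6. The SOCKS listener on the LAN address should end with a reject-all.
    policy = tor.get("SocksPolicy", [])
    if not policy or policy[-1] != "reject *":
        findings.append("SocksPolicy does not end with 'reject *'")
    return findings


if __name__ == "__main__":
    result = check_transparent_proxy(PF_CONF, TORRC, "10.172.192.0/24")
    for finding in result or ["consistent"]:
        print(finding)
```

Run against the posted configuration it reports a single finding, for the udp domain rule: that rule passes DNS to any destination, so whether a client using some other resolver leaks its lookups depends on whether the router forwards for the subnet, which the thread does not say. Dropping the trailing block rule, changing the divert-to port, or removing TransProxyType each produces its own finding, which is the point of keeping the checks separate.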



Re: No more proxy on ftp(1)?

2016-02-01 Thread Jiri B
On Mon, Feb 01, 2016 at 04:33:00AM +0100, arrowscr...@mail.com wrote:
> Thank you for your help Stuart. I'll just use curl for now. Actually, using
> torsocks seems a bad practice for any situation; I should just set up a
> transparent proxy (but the pf.conf from torproject.org does not work, I'll
> need to write it myself some day).
> Thanks again.

netcat uses socks, so maybe ftp could benefit from its code.

j.



Re: No more proxy on ftp(1)?

2016-01-31 Thread Stuart Henderson
  mail.com> writes:

>
> Thanks.
> Yes, it does core dump on "Abort trap".
> Any idea on how I can force ftp(1) to socks5? The man page says nothing
> about proxy other than http or ftp, and I
> have not set up a transparent proxy yet...
>
> Good to know that pledge is doing its job. So far, no other problem with
> the transition from 5.8 to 5.9.
>
>


Confirmed, this is definitely the cause. In particular, here torsocks is 
trying to fetch the username using getpwuid() which is not permitted by most 
pledges.

Torsocks works by overriding libc functions with its own versions using an 
LD_PRELOAD wrapper. This could be extended to "support" pledge by overriding 
pledge() as well - either replace it with a dummy noop, or with something 
that modifies the pledge to add the functions it requires.

Alternatively adjust the torsocks code to avoid doing the getpwuid() calls, 
at least if the alternative methods to provide the username have been used. 
There may be other calls which get killed by *some* pledges, but just 
avoiding the getpwuid does at least seem to get things working with ftp(1).

ftp(1) doesn't support socks5 itself. Alternatively to avoid modifying 
torsocks and fix things for the use case you mention, you could use curl 
(which does support socks), with a wrapper script to let it be used from 
FETCH_CMD.



Re: No more proxy on ftp(1)?

2016-01-31 Thread arrowscript
Thank you for your help Stuart. I'll just use curl for now. Actually, using
torsocks seems a bad practice for any situation; I should just set up a
transparent proxy (but the pf.conf from torproject.org does not work, I'll need
to write it myself some day).
Thanks again.



No more proxy on ftp(1)?

2016-01-28 Thread arrowscript
Hi,
I just did the upgrade to 5.9 -current and found that socks connections don't
work for ftp(1) and, of course, the perl scripts using it (pkg_add). Is this an
expected behaviour?
I'm using the "torsocks" wrapper to force socks to localhost:9050.

Does this have something to do with the new pledge privsep?



Re: No more proxy on ftp(1)?

2016-01-28 Thread Stuart Henderson
On 2016-01-29, arrowscr...@mail.com  wrote:
> Hi,
> I just did the upgrade to 5.9 -current and found that socks connections don't 
> work for ftp(1) and, of course, the perl scripts using it (pkg_add). Is this 
> a expected behaviour?
> I'm using the "torsocks" wrapper to force socks to localhost:9050.
>
> This have something to do with new pledge privsep?

Probably yes.

It wouldn't be a big surprise if LD_PRELOAD wrappers like torsocks
use system calls beyond what has been pledge()d by the program.
In many cases this will result in the program being killed.



Re: No more proxy on ftp(1)?

2016-01-28 Thread arrowscript
Thanks.
Yes, it does core dump on "Abort trap".
Any idea on how I can force ftp(1) to socks5? The man page says nothing about
proxy other than http or ftp, and I have not set up a transparent proxy yet...

Good to know that pledge is doing its job. So far, no other problem with the
transition from 5.8 to 5.9.