Re: No more proxy on ftp(1)?
arrowscr...@mail.com writes:

> Thank you for your help Stuart. I'll just use curl for now. Actually, using torsocks seems a bad practice for any situation, I should just set a transparent proxy (but the pf.conf
> from torproject.org does not work, I'll need to write it myself some day).
> Thanks again.

For the benefit of your lazy bone, and anyone else who comes across it, here's the configuration I worked out. In OpenBSD's favour, I managed this despite being relatively new to OpenBSD administration and completely new to pf, so I don't know if it's 'right', but it is 'successful'.

Tor router sits on a lan as any other server would at 10.42.0.8 and the subnet it anonymises at 10.172.192.2. 10.172.192.0/24 route through it (enforced by the switch/bridge they all plug in to).

# cat /etc/pf.conf
#
pass in quick inet proto tcp from 10.172.192.0/24 to 10.172.192.2 port tor
pass in quick inet proto udp from 10.172.192.0/24 to port domain
pass in quick inet from 10.172.192.0/24 divert-to 127.0.0.1 port transtor
pass out quick inet from 10.172.192.0/24 divert-reply
block in quick inet from 10.172.192.0/24

# getent services tor transtor
tor 9050/tcp
transtor 9040/tcp

# grep -v ^# /etc/tor/torrc | hand-grep _RELEVANT_LINES_
OutboundBindAddress 10.42.0.8 # Bind to the lan for outgoing connections
SocksPort 127.0.0.1:9050
SocksPort 10.172.192.2:9050
SocksPolicy accept 127.0.0.0/8
SocksPolicy accept 10.172.192.0/24
SocksPolicy reject *
VirtualAddrNetworkIPv4 10.127.0.0/16
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
TransPort 10.172.192.2:9040
DNSPort 127.0.0.1:53
DNSPort 10.172.192.2:53
TransProxyType pf-divert

Cheers,

Matthew
Re: No more proxy on ftp(1)?
On Mon, Feb 01, 2016 at 04:33:00AM +0100, arrowscr...@mail.com wrote:
> Thank you for your help Stuart. I'll just use curl for now. Actually, using
> torsocks seems a bad practice for any situation, I should just set a
> transparent proxy (but the pf.conf from torproject.org does not work, I'll
> need to write it myself some day).
> Thanks again.

netcat uses socks, so maybe ftp could benefit from its code.

j.
Re: No more proxy on ftp(1)?
mail.com> writes:
>
> Thanks.
> Yes, it does core dump on "Abort trap".
> Any idea on how I can force ftp(1) to socks5? The man page says nothing about proxy other than http or ftp, and I
> have not set a transparent proxy yet...
>
> Good to know that pledge is doing its job. So far, no other problem with the transition between 5.8 to 5.9.
>
>

Confirmed, this is definitely the cause. In particular, here torsocks is trying to fetch the username using getpwuid() which is not permitted by most pledges.

Torsocks works by overriding libc functions with its own versions using an LD_PRELOAD wrapper. This could be extended to "support" pledge by overriding pledge() as well - either replace it with a dummy noop, or with something that modifies the pledge to add the functions it requires.

Alternatively adjust the torsocks code to avoid doing the getpwuid() calls, at least if the alternative methods to provide the username have been used. There may be other calls which get killed by *some* pledges, but just avoiding the getpwuid does at least seem to get things working with ftp(1).

ftp(1) doesn't support socks5 itself. Alternatively, to avoid modifying torsocks and fix things for the use case you mention, you could use curl (which does support socks), with a wrapper script to let it be used from FETCH_CMD.
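
The curl wrapper suggested in the message above, as an added example (not code from the thread or from OpenBSD). It assumes FETCH_CMD is invoked as `cmd -o <file|-> <url>`; the script name fetch-socks, the SOCKS_PROXY and CURL variables, and the proxy address (the localhost:9050 from the original question) are assumptions.

```shell
#!/bin/sh
# Added example: FETCH_CMD wrapper mapping "-o <file|-> <url>" onto curl
# through a SOCKS5 proxy. Script name and variable names are assumptions.

SOCKS_PROXY=${SOCKS_PROXY:-127.0.0.1:9050}	# Tor SocksPort, per the thread
CURL=${CURL:-curl}

fetch_socks() {
	out= url=
	while [ $# -gt 0 ]; do
		case "$1" in
		-o)	[ $# -ge 2 ] || { echo "fetch-socks: -o needs an argument" >&2; return 64; }
			out=$2; shift 2 ;;
		-*)	# Fail closed on ftp(1) options this wrapper does not translate.
			echo "fetch-socks: unsupported option: $1" >&2; return 64 ;;
		*)	[ -z "$url" ] || { echo "fetch-socks: one URL only" >&2; return 64; }
			url=$1; shift ;;
		esac
	done
	[ -n "$out" ] && [ -n "$url" ] || { echo "usage: fetch-socks -o file|- url" >&2; return 64; }
	# Accept only remote URLs: no file://, no bare paths.
	case "$url" in
	http://*|https://*|ftp://*) ;;
	*)	echo "fetch-socks: refusing URL: $url" >&2; return 64 ;;
	esac
	# --socks5-hostname passes the host name to the proxy, so name resolution
	# happens on the proxy side rather than through the local resolver.
	"$CURL" --socks5-hostname "$SOCKS_PROXY" --proto '=http,https,ftp' \
		--fail --silent --show-error --location \
		--output "$out" --url "$url"
}

# Run only when installed under the (assumed) name fetch-socks.
case "${0##*/}" in
fetch-socks) fetch_socks "$@" ;;
esac
```

Installed as fetch-socks, the script's path is what FETCH_CMD would be set to; curl exits non-zero on HTTP errors because of --fail, so the caller sees a failed fetch rather than a saved error page.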
Re: No more proxy on ftp(1)?
Thank you for your help Stuart. I'll just use curl for now. Actually, using torsocks seems a bad practice for any situation, I should just set a transparent proxy (but the pf.conf from torproject.org does not work, I'll need to write it myself some day).

Thanks again.
No more proxy on ftp(1)?
Hi,

I just did the upgrade to 5.9 -current and found that socks connections don't work for ftp(1) and, of course, the perl scripts using it (pkg_add). Is this an expected behaviour?

I'm using the "torsocks" wrapper to force socks to localhost:9050.

Does this have something to do with new pledge privsep?
Re: No more proxy on ftp(1)?
On 2016-01-29, arrowscr...@mail.com wrote:
> Hi,
> I just did the upgrade to 5.9 -current and found that socks connections don't
> work for ftp(1) and, of course, the perl scripts using it (pkg_add). Is this
> an expected behaviour?
> I'm using the "torsocks" wrapper to force socks to localhost:9050.
>
> Does this have something to do with new pledge privsep?

Probably yes. It wouldn't be a big surprise if LD_PRELOAD wrappers like torsocks use system calls beyond what has been pledge()d by the program. In many cases this will result in the program being killed.
Re: No more proxy on ftp(1)?
Thanks.

Yes, it does core dump on "Abort trap".

Any idea on how I can force ftp(1) to socks5? The man page says nothing about proxy other than http or ftp, and I have not set a transparent proxy yet...

Good to know that pledge is doing its job. So far, no other problem with the transition between 5.8 to 5.9.