On Sat, Jan 25, 2020 at 01:30:34PM +0000, Forst wrote:
> In that case, what would be the best approach to achieve that all traffic is
> forced through Tor and direct internet connection blocked, preferably even
> if/when the system is breached?
Here are two approaches that are worth exploring:

(A) Set the iptables rules so only the tor process can get through the
firewall. This is how Tails does it, I believe. This way you're firewalling
based on what user is trying to make the connection, rather than what
destination they're trying to reach. More info at
https://tails.boum.org/contribute/design/Tor_enforcement/

(B) Pick a bridge that you know you like, and configure your Tor to use that,
and configure your firewall to only allow connections to that bridge. More
info on this approach at
https://lists.torproject.org/pipermail/tor-relays/2014-October/005541.html
https://lists.torproject.org/pipermail/tor-relays/2014-October/005544.html
("The best design we've been able to come up with is one that forces you to
be using Tor on your side, and only allows your traffic through if it's
coming from Tor.")

I guess there is also (C) do both.

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
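As an added illustration of approaches (A), (B) and (C) from the post above (this is example code, not Roger's or the Tails project's ruleset): a POSIX shell script that generates an iptables OUTPUT chain which only lets the Tor daemon's Unix user originate connections, and optionally pins that user to a single bridge address and port. The script prints the rules by default so they can be reviewed before being applied; the user name `debian-tor`, the bridge `192.0.2.10:443` in the usage, and the `--apply` flag are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables OUTPUT
# chain that enforces "only Tor may leave this host".
#
# Approach (A): match on the Unix user that owns the socket (-m owner), so a
# compromised process running as any other user cannot reach the network
# directly. Approach (C): additionally restrict the Tor user's ACCEPT rule to
# one bridge IP:port (approach (B)), so even Tor itself can only talk to the
# bridge you chose.
#
# Assumptions: the Tor daemon runs as "debian-tor" (Debian/Ubuntu packaging);
# change TOR_USER for other distributions. IPv6 is not covered here; an
# equivalent ip6tables policy (or a plain DROP) is needed for a complete setup.

TOR_USER="${TOR_USER:-debian-tor}"   # assumed package user for the tor daemon
IPT="${IPT:-iptables}"               # path to the iptables binary

# tor_egress_rules [BRIDGE_IP BRIDGE_PORT]
# Prints one iptables command per line. Without arguments it implements (A);
# with a bridge IP and TCP port it implements (C).
tor_egress_rules() {
    dest=""
    if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
        dest="-d $1 -p tcp --dport $2"
    fi
    cat <<EOF
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m owner --uid-owner $TOR_USER ${dest:+$dest }-j ACCEPT
$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor egress: "
$IPT -A OUTPUT -j DROP
EOF
}
# Notes on the rules:
#  - loopback stays open so local clients can reach Tor's SocksPort/DNSPort;
#  - ESTABLISHED,RELATED lets replies to inbound connections (e.g. sshd) out,
#    drop that line if the host should answer nothing from the outside;
#  - the LOG rule records blocked attempts (rate limited), which is how you
#    notice a leak or a breached process trying to phone home directly;
#  - the final DROP matches the default policy and is kept explicit so the
#    chain reads the same whether or not -P was applied.

# Usage: print the rules (default), or apply them as root with --apply.
#   ./tor_only.sh                 # approach (A), print only
#   ./tor_only.sh 192.0.2.10 443  # approach (C) with an assumed bridge
case "${1:-}" in
    --apply)
        shift
        tor_egress_rules "${1:-}" "${2:-}" | sh
        ;;
    *)
        tor_egress_rules "${1:-}" "${2:-}"
        ;;
esac
```

Run it without arguments to review the generated chain, then re-run with `--apply` (as root) once the user name and bridge are correct for your system; DNS from non-Tor users is blocked by design, so local resolvers must go through Tor's DNSPort.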