[Freedombox-discuss] Dev: Tor Transparent Proxy
On Fri, Aug 22, 2014 at 8:45 AM, Petter Reinholdtsen <pere at hungry.com> wrote:
> [James Valleroy]
>> One of the current TODO items for the 0.3 release is to add a "Route
>> all Traffic through Tor" option to Plinth . I've added the
>> necessary configuration on the Tor side in freedombox-setup :
>> VirtualAddrNetworkIPv4 10.192.0.0/10
>> AutomapHostsOnResolve 1
>> TransPort 127.0.0.1:9040
>> DNSPort 127.0.0.1:53
>> What we still need is a Plinth action to configure the firewall, to
>> route all traffic through the above ports. The Tor docs have
>> configuration examples for iptables , so we will need to do
>> something similar with firewalld.
> I would love to see this in place.
> But how will this affect UDP and ICMP (for example NTP and ping).
> Will those stop working when all traffic is routed through Tor?
> Should it?
> How will the Tor setup to listen to port 53 work with the already
> existing dnsmasq DNS server also trying the same? Which one get the
> port? Do they share it...
I did some testing using the "Local Redirection and Anonymizing
Middlebox" iptables configuration from the Tor docs. Both UDP and ping
stop working. NTP still seems to work though (at least ntp.test
passed). Perhaps we could have a "normal" setting that allows outgoing
UDP/ICMP, and a "paranoid" setting that blocks it?
Yes, it looks like dnsmasq and Tor are sharing port 53 (but bound to
# netstat -apen | grep ":53 "
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0
tcp6 0 0 :::53 :::* LISTEN 0
udp 0 0 192.168.10.113:53 0.0.0.0:* 0
udp 0 0 127.0.0.1:53 0.0.0.0:* 0
udp 0 0 0.0.0.0:53 0.0.0.0:* 0
udp6 0 0 :::53 :::* 0