<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 05/03/11 22:35, <a class="moz-txt-link-abbreviated" href="mailto:tor@lists.grepular.com">tor@lists.grepular.com</a> wrote:
<blockquote cite="mid:4DC06703.2090309@lists.grepular.com"
type="cite">
<pre wrap="">On 03/05/2011 20:02, Jerzy Ćogiewa wrote:
</pre>
<blockquote type="cite">
<pre wrap=""><a class="moz-txt-link-freetext" href="http://www.androidzoom.com/android_applications/communication/orbot-tor-on-android_jqte.html">http://www.androidzoom.com/android_applications/communication/orbot-tor-on-android_jqte.html</a>
interface is great -- why not something like this for mac (and even windows too) ? it would be handy on a mac to selectively torify apps!
</pre>
</blockquote>
<pre wrap="">
The reason it is possible on Android is because each app runs under it's
own user id.
netfilter/iptables has an "owner" module. Assuming you're using the Tor
TransPort directive on port 9040, you could torify uid 1234 under Linux
with this command (untested):
iptables -t nat -A OUTPUT -m owner --uid-owner 1234 -j REDIRECT
--to-ports 9040
Then the outgoing connections of any app running under uid 1234 are
forwarded to local port 9040 and "torrified."
This doesn't really translate to OSX or Windows or even normal Linux
desktop usage.
At least, this is how I'm assuming Orbot does it. I know this is how
DroidWall handles applying firewall rules for different apps...
</pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
tor-talk mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk</a>
</pre>
</blockquote>
Yep, this is exactly how Orbot does things (apart from the fallback
"proxy by port" option, which is sub-optimal).<br>
<br>
Jerzy: If you would like to learn more about that principle (and
also how it can - theoretically - be used on desktops), see
<a class="moz-txt-link-freetext" href="https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy">https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy</a>
.<br>
Unfortunately, in desktop systems, (nearly) all processes are
created by a small number of users, and while it's (at least for
GNU/Linux) possible to force every process - or at least all the
programs you call from your graphical menu - into its own UID, it'd
require a vast amount of modifications to things that shouldn't
concern Tor. The approaches I'm coming up with ad hoc are all so
horribly wrong, insecure and unportable that just thinking of some
fool implementing anything of that caliber makes me reach for the
clue-by-four.<br>
<br>
It might be possible - since there are firewalls for both Mac and
Windows that can filter by application (Apple calls it "Application
Firewall" and I remember various Windows FWs having such
functionality), they should also be able to redirect them. It might
be possible to implement an application based redirection on Linux,
but probably only in a very crude manner (there's a project called
TuxGuardian which apparently uses application based filtering, but
it looks unmaintained, last update was 5 years ago).<br>
<br>
To sum it up (from my half-informed point of view): It's
theoretically possible, but the effort required for this usability
enhancement would simply be too much. As all multi-platform tools,
Tor tries to use common designs and functions across all systems and
only employ platform-specific glue when necessary, and there is no
common framework for application-based filtering/redirection.<br>
</body>
</html>