On Fri, Feb 14, 2014 at 09:37:51AM +0100, Lunar wrote:
We solved it with David. The problem was that the IPv6 address was given to registrators. Adding `-4` to the flashproxy-client flags in torrc made it work.
In the process, we discovered that NAT-PMP is having really weird behaviour and should probably be discarded.
I'm getting ready another set of bundles, without libnatpmp and with -4 by default.
- tor-fw-helper currently registers the port redirection under the label “Tor relay”. That's OK if used by a relay operator on their own network, but not in the use case where Tor is banned and you want to conceal its usage.
Good point. It's not configurable at runtime as tor-fw-helper is now.
- There's no unregistration process when the browser is shut down, so the ports will stay open until the router is rebooted (or at least that was my impression). Probably we would like to fix that as browsers can be restarted several times in the course of a single day.
Thank you for noticing this problem. I overlooked it because I assumed all the port forwardings were temporary; tor has code to call tor-fw-helper periodically. But you are right; in fact in libminiupnpc 1.5, the UPNP_AddPortMapping function doesn't even provide a way to set the time limit (NewLeaseDuration), and with libminiupnpc 1.6, tor-fw-helper always passes a value of 0 ("forever"). https://gitweb.torproject.org/tor.git/blob/745434d29a92da682f4c8d8fa70a56386...
I configured flashproxy-client to listen on an ephemeral port in these bundles (in normal bundles it listens on the static port 9000). It means that a new permanent hole will be opened in the user's firewall every time they restart their browser. (Permanent until they reboot their router, I guess.)
If you tested these bundles and now have unexpected port forwardings, you can (reboot your router or) run these commands from the miniupnpc package:

    upnpc -l          # lists port forwardings
    upnpc -d X tcp    # deletes forwarding for port X
Alternatively, we could specify a static port (:9000 instead of :0 in the ClientTransportPlugin line). Then at least it would be just *one* port open permanently. But one of the nice things about automatic port forwarding was that it would be possible not to use a fixed (more easily blockable) port number.
David Fifield
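
Added example (not part of the original message and not Tor project code): a dry-run filter over `upnpc -l` output that picks out the permanent (lease 0) forwardings registered under the "Tor relay" label discussed above and prints the matching `upnpc -d` commands instead of running them. The listing layout and the sample lines are assumptions constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `upnpc -l` output. The column layout is an assumption
# about what the miniupnpc client prints; check it against your own router.
sample_listing() {
cat <<'EOF'
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  9000->192.168.1.23:9000  'Tor relay' '' 0
 1 TCP 51413->192.168.1.40:51413 'Transmission at 51413' '' 0
 2 TCP 49731->192.168.1.23:49731 'Tor relay' '' 0
 3 UDP  3074->192.168.1.50:3074  'console' '' 3600
EOF
}

# Read a listing on stdin and print one "upnpc -d PORT PROTO" line for every
# mapping whose description equals $1 and whose lease time is 0 ("forever").
# Nothing is deleted here; review the output before running it.
# Limitation: a description containing a single quote is not parsed.
cleanup_commands() {
    awk -F"'" -v label="$1" '
        NF >= 5 && $2 == label && $5 ~ /^[ \t]*0[ \t]*$/ {
            split($1, head, " ")        # head[1]=index head[2]=proto head[3]=ext->int
            split(head[3], ports, "->") # ports[1]=external port
            if (ports[1] ~ /^[0-9]+$/)
                printf "upnpc -d %s %s\n", ports[1], tolower(head[2])
        }'
}

# Stand-alone run against the constructed sample.
sample_listing | cleanup_commands 'Tor relay'
```

On a real network the input would come from `upnpc -l | cleanup_commands 'Tor relay'`.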