
On 5/21/2014 7:38 PM, Moritz Bartl wrote:
> The problem with selective filters for outgoing traffic is that Tor needs to be able to connect to all other Tor relays, some of which use non-standard ports.
One could add a rule to the OUTPUT chain that allows all traffic from the tor user (or uid). This allows one to maintain non-tor-related outbound rules without interfering with tor itself. On a hypothetical system where the uid under which tor runs is 501, an iptables rule like this should work:

    iptables -I OUTPUT -p tcp -m owner --uid-owner 501 -j ACCEPT

One resource for ideas on how to harden a system is the NSA. I for one have referenced these two docs on more than one occasion (clearnet links), and they can be adopted conceptually into many other distros:

http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

--
Morgan Smith | IntersafeIT
Phone/Fax: +1 (888) 623-7444
morgan@intersafeit.com
www.intersafeit.com | intersafewhe4eoy.onion
Twitter: @IntersafeIT | GnuPG ID: 9CDD26C7
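An added example, not from Morgan's message or from any Tor project code, showing the uid-owner idea above as a complete default-deny OUTPUT chain: everything outbound is dropped except loopback, replies on established connections, DNS, and anything sent by the Tor daemon's uid, so the relay can still reach other relays on arbitrary ports. Assumed: the user name or uid passed in is the one tor runs as (501 in the message), and the iptables `owner` and `conntrack` match modules are available.

```shell
#!/bin/sh
# Generate (and optionally apply) an OUTPUT chain that exempts the Tor uid.
# Assumption: the caller passes the user or uid tor runs as; 501 is the value
# used in the message above.

# resolve_uid NAME_OR_UID: print the numeric uid; fails if the user is unknown
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" ;;      # a name: look it up
        *) printf '%s\n' "$1" ;;        # already numeric: pass through
    esac
}

# tor_output_rules NAME_OR_UID: print the iptables arguments, one rule per
# line, in the order they must be applied. The policy is set last so that the
# chain is never briefly "DROP with no exemptions" while rules are being added.
tor_output_rules() {
    uid=$(resolve_uid "$1") || return 1
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner $uid -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -j LOG --log-prefix OUTPUT_DROP: --log-level 4
-P OUTPUT DROP
EOF
}

# apply_rules NAME_OR_UID: flush OUTPUT and load the generated rules (needs root).
# Non-Tor outbound rules (package mirrors, NTP, ...) can be appended before the
# LOG rule without touching the Tor exemption.
apply_rules() {
    iptables -F OUTPUT || return 1
    tor_output_rules "$1" | while IFS= read -r rule; do
        # word-splitting $rule into separate arguments is intended here
        iptables $rule || exit 1
    done
}

case "${1:-}" in
    --show)  tor_output_rules "${2:-tor}" ;;   # print what would be applied
    --apply) apply_rules "${2:-tor}" ;;        # load it (run as root)
esac
```

Run with `--show tor` first to review the generated rules; the LOG rule then lets you see in syslog which non-Tor processes are being denied before you decide what else to allow.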