[tor-bugs] #7590 [Tor]: [PATCH] New option LocalOutboundBindAddress

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 2 02:16:16 UTC 2012


#7590: [PATCH] New option LocalOutboundBindAddress
-------------------------+--------------------------------------------------
 Reporter:  ac           |          Owner:                    
     Type:  enhancement  |         Status:  needs_review      
 Priority:  normal       |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor          |        Version:                    
 Keywords:  tor-client   |         Parent:                    
   Points:               |   Actualpoints:                    
-------------------------+--------------------------------------------------

Comment(by ac):

 Replying to [comment:4 nickm]:

 >   * So, the idea is that you've got a hidden service on 127.0.0.1 and
 > you want to tell when Tor is connecting to it vs when some other thing is
 > connecting to it.  Why would you do that?  Is this so you can have the
 > server for the HS treat anonymous connections differently from local admin
 > connections or something?

 Basically, yes.  More specifically, in my personal case, I have hidden
 services forwarding to ssh and apache.  When I check my apache logs, or
 log in via ssh and type 'w', I want to see connections from 'tor' rather
 than 'localhost'.  And when I log in the next time I want it to say "last
 login from tor".  So my own motivation is solely logging-related.  But it
 would also be useful to have distinct security rules for connections from
 Tor in one's apache configuration, and such.

 >   * If this is the application, maybe this should be a hidden-service-
 > specific feature rather than a local-specific feature. IOW, maybe it
 > should be HSOutboundBindAddress instead?

 I don't know whether you're talking about the name, or the behavior.  At
 the moment, the name matches the behavior: OutboundBindAddress governs
 _all_ connections except local connections; LocalOutboundBindAddress
 governs _all_ connections not governed by OutboundBindAddress.  The
 combination of the two allows Tor's outbound address to be configured in
 every case where Tor makes a connection (at least, using
 connection_connect()).

 It is possible for Tor to make loopback connections that are not
 connections to hidden services.  For example, someone could set
 ExitPolicyRejectPrivate to 0.  The current patch would affect the
 connections enabled by that setting.  To me, that behavior seems more
 useful than limiting the effect to hidden services would.  Someone with
 "ExitPolicyRejectPrivate 0" might find LocalOutboundBindAddress useful
 even without having any hidden services enabled.

 Tor might also make loopback connections in other situations.

 >   * Is there a reason to make this a per-HS configuration item, so that
 > different hidden services get a different address, or is that overkill?

 A per-HS outbound bind address might make sense (in fact, I noticed it's
 mentioned in doc/TODO.future).  This would mean, I presume, specifying the
 bind address as a parameter to connection_connect(), with the caller of
 that function determining the purpose of the connection and applying the
 appropriate fine-grained option.  But this functionality would make the
 most sense as an override to the current (and proposed) global bind
 address settings.

 Even with per-HS bind address settings, the global settings would still be
 useful as defaults, or for any case where there is no finer-grained bind
 address option (e.g., localhost exits with ExitPolicyRejectPrivate), or
 where the administrator wanted to ensure Tor would not make connections
 from 127.0.0.1 without having to specify a setting for each type of
 connection made by Tor.

 (Also, a per-HS outbound bind address ought to override not just
 LocalOutboundBindAddress, but also OutboundBindAddress.  The HS might not
 be local.)

 > Some notes on the code:

 OK, I made that change.  I also fixed a mistake where
 V(LocalOutboundBindAddress) was out of alphabetical order.  I attached the
 patch.

 (The attached patch _replaces_ the patches previously posted to the
 mailing list.)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7590#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
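The following is an added illustration of the mechanism the ticket discusses; it is not code from the ticket, the attached patch, or Tor itself. It reproduces in Python what binding a source address before connect() does for a loopback connection, which is what a LocalOutboundBindAddress setting would make connection_connect() do: the receiving service sees the chosen source address instead of 127.0.0.1, so ssh, 'w' and Apache can tell Tor's connections apart from local admin connections. The address 127.0.0.2, the name "tor" for it (assumed to be mapped in /etc/hosts), and the sample log lines are all constructed for the example; on Linux any 127.0.0.0/8 address is bindable on the loopback interface without extra configuration.

```python
"""Added example, not Tor's code: bind-before-connect on loopback, and
how a server-side log reader can classify the result by source address."""
import socket
import threading

# Assumed deployment (constructed values): Tor's local connections would be
# bound to 127.0.0.2, and the admin maps that address to the name "tor"
# in /etc/hosts so logs and 'w' show "tor" rather than "localhost".
TOR_LOCAL_SOURCE = "127.0.0.2"
SOURCE_LABELS = {TOR_LOCAL_SOURCE: "tor", "127.0.0.1": "localhost"}


def peer_seen_by_server(bind_addr=None):
    """Start a throwaway listener on 127.0.0.1, connect to it from
    bind_addr (or the kernel default when None, which is what happens
    today for local connections), and return the peer address the
    server observed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.settimeout(5)                    # never hang if connect fails
    server.bind(("127.0.0.1", 0))           # ephemeral port
    server.listen(1)
    port = server.getsockname()[1]
    seen = {}

    def accept_one():
        try:
            conn, addr = server.accept()
        except socket.timeout:
            return
        seen["peer"] = addr[0]
        conn.close()

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if bind_addr is not None:
            # This is the step a LocalOutboundBindAddress option adds:
            # pick the source address before connecting.
            client.bind((bind_addr, 0))
        client.connect(("127.0.0.1", port))
    finally:
        client.close()
    t.join()
    server.close()
    return seen.get("peer")


def label_source(peer_addr):
    """Classify a connection the way a log reader or an access rule
    would, using only the source address the server saw."""
    return SOURCE_LABELS.get(peer_addr, "other")


def classify_log_lines(lines):
    """Tag constructed Apache-style access log lines (client address is
    the first field) with their source label."""
    return [(line.split(" ", 1)[0], label_source(line.split(" ", 1)[0]))
            for line in lines]


if __name__ == "__main__":
    print("default source seen by server:", peer_seen_by_server())
    print("bound source seen by server:  ", peer_seen_by_server(TOR_LOCAL_SOURCE))
    sample = [  # constructed log lines, not real traffic
        '127.0.0.2 - - [02/Dec/2012:02:16:16 +0000] "GET / HTTP/1.1" 200 512',
        '127.0.0.1 - - [02/Dec/2012:02:17:01 +0000] "GET /admin HTTP/1.1" 200 88',
    ]
    for addr, label in classify_log_lines(sample):
        print(addr, "->", label)
```

Running the script shows the default connection arriving from 127.0.0.1 and the bound one from 127.0.0.2; the same distinction is what an Apache access rule keyed on the client address, or a sshd login record, would act on.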

