[tor-bugs] #5741 [Tor bundles/installation]: TBB proxy bypass: Some DNS requests not going through Tor

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu May 3 17:15:44 UTC 2012


#5741: TBB proxy bypass: Some DNS requests not going through Tor
-----------------------------------------+----------------------------------
    Reporter:  cypherpunks               |       Owner:  erinn          
        Type:  defect                    |      Status:  closed         
    Priority:  blocker                   |   Milestone:                 
   Component:  Tor bundles/installation  |     Version:                 
  Resolution:  fixed                     |    Keywords:  MikePerry201205
      Parent:                            |      Points:  3              
Actualpoints:  3                         |  
-----------------------------------------+----------------------------------

Comment(by unknown):

 This is not the first time some rarely triggered bug in Firefox causes Tor
 to be bypassed, and certainly will not be the last one. Since these bugs
 have a very high security impact I propose they are guarded against. How
 about running Firefox inside some kind of firewall that drops all network
 packets not going to Tor?

 You can prevent any potential DNS leakage with iptables (the Debian
 GNU/Linux way):

 Edit /etc/login.defs and replace "ENCRYPT_METHOD DES" with "ENCRYPT_METHOD
 SHA-512".

 Run this command to create the tbb group with a password:

 {{{addgroup --system tbb-tor}}}

 Add these rules to your firewall:

 {{{
 IPTABLES=/sbin/iptables #path to the iptables binary (the original left $IPTABLES undefined)

 #tor anonymous users;

 DIRECT_OUT_GID="tbb-tor" #group id for TBB

 TOR_UID="debian-tor" #system tor (if you use it)

 #anonymous user runs programs with transparent torification to system tor
 #(if you use it):

 $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m tcp --syn -j REDIRECT --to-ports 9040
 $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m udp --dport 53 -j REDIRECT --to-ports 53
 $IPTABLES -t nat -A OUTPUT -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -j DNAT --to-destination 127.0.0.1

 #Accept output for system-tor itself (if you use it)
 $IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

 #Direct output for TBB without udp and tcp 53 port
 $IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID ! -p tcp -j REJECT
 $IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -p tcp --dport 53 -j REJECT
 $IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -j ACCEPT
 }}}

 Run your Tor Browser with sg from an X terminal emulator:

 {{{sg tbb-tor -c start-tor-browser.sh}}}

 Unfortunately, this is not an ideal solution for transparent torification
 of TBB. All TCP traffic (except UDP and DNS over TCP) goes out directly.
 Using Unix groups is not a way to separate the start script, Vidalia, the
 browser and TBB's own tor. A ticket for a more fine-tuned firewall solution
 is still desirable.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5741#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
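The following is an added example, not part of the ticket or of the commenter's rules: a small Python model of the two iptables chains posted above, so the effect of the owner-match rules can be checked against sample outbound flows without a root shell. It assumes the filter OUTPUT chain's default policy is ACCEPT (the comment does not show one), keeps the commenter's `anonymoususer` login as a placeholder, and applies first-match semantics to the nat OUTPUT chain and then the filter OUTPUT chain in the order the rules were added. The point it makes visible is the one the comment relies on: a DNS query that escapes Tor Browser (primary group `tbb-tor`, set by `sg`) is REJECTed on both UDP 53 and TCP 53, while the same user's other programs (not in that group) are redirected to the system tor's TransPort and DNSPort.

```python
from dataclasses import dataclass

# Identities from the posted rules; anonymoususer is the commenter's placeholder login.
ANON_UID = "anonymoususer"
TBB_GID = "tbb-tor"        # DIRECT_OUT_GID in the posted rules
TOR_UID = "debian-tor"     # TOR_UID, the system tor daemon
TRANS_PORT = 9040          # system tor TransPort (REDIRECT target)
DNS_PORT = 53              # system tor DNSPort (REDIRECT target)

# Modelling assumption: the comment never shows the filter OUTPUT default policy.
DEFAULT_FILTER_POLICY = "ACCEPT"


@dataclass
class Packet:
    """First packet of an outbound flow, as the owner match sees it."""
    uid: str
    gid: str            # primary group of the sending process (what `sg` changes)
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int = 0
    syn: bool = True    # only meaningful for tcp


def anon_not_tbb(p: Packet) -> bool:
    """`-m owner --uid-owner anonymoususer ! --gid-owner tbb-tor`"""
    return p.uid == ANON_UID and p.gid != TBB_GID


# nat OUTPUT, in the order the comment adds the rules; first match wins.
NAT_RULES = [
    # -p tcp ... -m tcp --syn -j REDIRECT --to-ports 9040
    (lambda p: anon_not_tbb(p) and p.proto == "tcp" and p.syn, ("REDIRECT", TRANS_PORT)),
    # -p udp ... -m udp --dport 53 -j REDIRECT --to-ports 53
    (lambda p: anon_not_tbb(p) and p.proto == "udp" and p.dport == 53, ("REDIRECT", DNS_PORT)),
    # everything else from that user -> DNAT to loopback (effectively black-holed)
    (lambda p: anon_not_tbb(p), ("DNAT", "127.0.0.1")),
]

# filter OUTPUT, same order as the comment; first terminating target wins.
# None of these rules looks at the destination, so it does not matter that
# nat has already rewritten it by the time filter runs.
FILTER_RULES = [
    (lambda p: p.uid == TOR_UID, "ACCEPT"),                                   # system tor itself
    (lambda p: p.gid == TBB_GID and p.proto != "tcp", "REJECT"),              # TBB: no UDP/ICMP at all
    (lambda p: p.gid == TBB_GID and p.proto == "tcp" and p.dport == 53, "REJECT"),  # TBB: no DNS over TCP
    (lambda p: p.gid == TBB_GID, "ACCEPT"),                                   # TBB: remaining TCP goes out directly
]


def first_match(rules, p, default):
    """Return the target of the first rule whose match function accepts the packet."""
    for match, target in rules:
        if match(p):
            return target
    return default


def decide(p: Packet) -> str:
    """Verdict for the first packet of a flow: nat OUTPUT, then filter OUTPUT."""
    nat = first_match(NAT_RULES, p, None)
    verdict = first_match(FILTER_RULES, p, DEFAULT_FILTER_POLICY)
    if verdict == "REJECT":
        return "REJECT"
    if nat is None:
        return "ACCEPT direct"
    kind, where = nat
    if kind == "REDIRECT":
        return f"REDIRECT->127.0.0.1:{where}"
    return f"DNAT->{where}"


if __name__ == "__main__":
    # Constructed sample flows: a DNS query leaking out of the browser, the
    # browser's own TCP to its SOCKS port's upstream, and the same user's other programs.
    samples = [
        ("TBB (sg tbb-tor) leaks a UDP DNS query", Packet(ANON_UID, TBB_GID, "udp", 53)),
        ("TBB (sg tbb-tor) leaks a TCP DNS query", Packet(ANON_UID, TBB_GID, "tcp", 53)),
        ("TBB (sg tbb-tor) TCP 443 to a guard", Packet(ANON_UID, TBB_GID, "tcp", 443)),
        ("other program of anonymoususer, UDP DNS", Packet(ANON_UID, ANON_UID, "udp", 53)),
        ("other program of anonymoususer, TCP 80", Packet(ANON_UID, ANON_UID, "tcp", 80)),
        ("other program of anonymoususer, ICMP", Packet(ANON_UID, ANON_UID, "icmp")),
        ("system tor daemon, TCP 9001", Packet(TOR_UID, TOR_UID, "tcp", 9001)),
    ]
    for label, pkt in samples:
        print(f"{label:45s} -> {decide(pkt)}")
```

The model also shows the limitation the commenter points out: anything in the `tbb-tor` group is allowed straight out on every TCP port except 53, because a Unix group cannot tell the browser apart from the bundled tor that legitimately needs direct access to the network.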