[tor-bugs] #18693 [Tor]: New SOCKS port restriction to only allow connections to .onion

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 5 07:46:15 UTC 2016


#18693: New SOCKS port restriction to only allow connections to .onion
---------------------------+------------------------------------
 Reporter:  ioerror        |          Owner:
     Type:  enhancement    |         Status:  needs_review
 Priority:  Very Low       |      Milestone:  Tor: 0.2.9.x-final
Component:  Tor            |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:  tor-hs, socks  |  Actual Points:  6 hours
Parent ID:                 |         Points:  small-remaining
 Reviewer:  dgoulet        |        Sponsor:
---------------------------+------------------------------------

Comment (by special):

 6865f70446fa7f62e2d5dbb5a0691c673ec6eb33

 nitpick to tor.1.txt: you specifically refer to SOCKS5, but these flags
 also apply for SOCKS4a

 > +      log_warn(LD_CONFIG, "You have a %sPort entry with DNSRequest
 enabled, "
 > +               "but IPv4 and IPv6 disabled; DNS-based sites won't
 work.",
 > +               portname);
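
 Review bot: the message string in this log_warn() call ("DNS-based sites won't work") says that something breaks but not what the operator should change. It is raised under LD_CONFIG at warn level when DNSRequest is enabled with both IPv4 and IPv6 disabled, so the text should name the port options involved. If that combination is meant to be a supported one, consider a lower severity so that a deliberately restricted port is not reported as a misconfiguration.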

 This is a valid configuration for a SOCKS port that only handles RESOLVE
 requests, isn't it?

 f63b322a77e41942546675f5229e134f50fc4b63

 So if I understand correctly, this is a behavior change: NATD and Trans
 ports will no longer allow IPv6 traffic by default. Is that right?

 26a041a71cb62708c458e61f09eb9512d75ae074
 5af508e2b7e7c87bb04d4987a5e4d9063ebd9e41
 a54bee889ed026e341ae945c65a4869080bbbaff
 81b8a2b60f2f1cfcde86e3f3ffe9e9b6d8a895f7

 OK

 eafe73e6f2ba821ad465740ff7ea7e4b6fbabd11

 Log message should be using safe_str_client. Also, this one is LD_NET, but
 the others were LD_APP.

 --

 I really wish we had automated tests to make sure connections actually
 fail when the port policy should reject them. I guess that might be hard
 to do right now.

 Code looks ok to me other than the above. Haven't tested it myself yet.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18693#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

