[tor-bugs] #7590 [Core Tor/Tor]: [PATCH] New option LocalOutboundBindAddress
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 28 13:24:13 UTC 2017
#7590: [PATCH] New option LocalOutboundBindAddress
-------------------------------------------------+-------------------------
Reporter: ac                                     | Owner: (none)
Type: enhancement                                | Status: needs_revision
Priority: Medium                                 | Milestone: Tor: 0.3.4.x-final
Component: Core Tor/Tor                          | Version:
Severity: Normal                                 | Resolution:
Keywords: tor-client tor-hs hs-integration       | Actual Points:
          hs-app-support                         |
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by ac):
The workarounds are insufficient because:
1. `iptables`, while fully-functional, requires kernel access that is not
always available. (It is not available to me in an actual VM that I rent
where I do, in fact, run `tor`.)
I wouldn't be surprised if (e.g.) Windows didn't even have this
capability exposed to users.
2. Reconfiguring every single daemon to each individually work around the
lack of functionality is inadequate and would require patching the code of
some of those daemons.
For example, I currently have hidden services `postfix`, `ssh`, and
`apache`. Apache runs several CGI type programs, for example the
configuration interface for `cups`.
`cups` and `postfix`, by default, grant privileged access to connections
from IP `localhost`. So you cannot expose them to tor connections through
that address, without messing around with them. `cups` is a reverse proxy
to a `lighttpd` daemon so you can mess around with the `lighttpd`
configuration file in addition to the `apache` one. But what about
`postfix`? You can probably make it listen on random additional ports or
addresses, but can you configure it so that it overrides the trust default
based on its own *listening* address? Such capability cannot be assumed
to be present in most software, even if it is possible to do with
`apache`.
`ssh` does not grant privileged access to local connections by default,
but I personally do not want anonymous connections from all-and-sundry
showing up in output from `w` or in logs as `localhost` when they are
fundamentally the polar opposite of that. Again, you cannot hope to
configure `ssh` to do this based on its own *listening* address or port.
Even though ssh will listen on any number of addresses or ports, it does
not let you change how it logs the remote IP conditional on its local
address (why would it?).
Even if all those daemons supported the necessary workarounds -- which
they don't -- I would have to mess with 4 different configuration file
formats (`lighttpd`, `postfix`, `apache`, `ssh`) trying to get them to
behave the way I want conditional on something (the listening port) that
normally isn't a condition of behavior, so it's a giant complicated mess.
Better to use `iptables`, or patch `tor`.
Certainly I wouldn't be trying to get the necessary patch into `postfix`
or `ssh` to work around this, because such a patch would make no sense.
Unlike this patch, which makes perfect sense and does a completely
straightforward and sensible thing: sets the bind address on an outgoing
connection to whatever the user specifies.
It just makes sense. You are making a connection, you have an opportunity
to set the bind address, you give it to the user as a configuration
option. Simple, straightforward, sensible, standard practice, no reason
to think twice.
There's no reason this can't be done in 2 weeks, or 2 days, or 2 hours.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7590#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
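The trust problem the ticket describes, as an added example that is not from the ticket, the patch, or tor itself: a constructed daemon applying the "connections from localhost are privileged" default, and a client that binds its outgoing socket to a chosen source address before connecting (what a LocalOutboundBindAddress option would let tor do), so the daemon can tell such connections apart from genuine local ones. The alternate loopback address 127.0.0.2 is an assumption (it works on a Linux loopback interface without extra configuration).

```python
import socket
import threading

# The default the ticket complains about: a daemon like cups or postfix trusts "localhost".
TRUSTED_PEERS = {"127.0.0.1"}


def classify_peer(peer_ip):
    """Trust decision a daemon makes from the peer's source address alone."""
    return "privileged" if peer_ip in TRUSTED_PEERS else "restricted"


def serve_once(listener):
    """Accept one connection and reply with the trust level derived from its source address."""
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        conn.sendall(classify_peer(peer_ip).encode())


def connect_with_source(server, source_ip):
    """Bind the outgoing socket to source_ip before connect(), as tor would with a
    configured outbound bind address, so the backend sees that address rather
    than 127.0.0.1. Returns the daemon's verdict."""
    with socket.create_connection(server, timeout=5, source_address=(source_ip, 0)) as s:
        return s.recv(64).decode()


def demo(source_ip):
    """Start a throwaway server on 127.0.0.1 (constructed test setup), connect
    once from source_ip, and return what the server decided."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    t = threading.Thread(target=serve_once, args=(listener,), daemon=True)
    t.start()
    try:
        return connect_with_source(listener.getsockname(), source_ip)
    finally:
        t.join(5)
        listener.close()


if __name__ == "__main__":
    # Without a bind address the daemon cannot distinguish the connection from a local one.
    print("source 127.0.0.1 ->", demo("127.0.0.1"))
    # With the outgoing socket bound elsewhere, the daemon's existing policy does the right thing.
    print("source 127.0.0.2 ->", demo("127.0.0.2"))
```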