[tor-dev] Help with pf and iOS

Eugene Fryntov e.fryntov at psiphon.ca
Fri Sep 28 20:10:12 UTC 2012


The pf rules' formatting is broken; here are the correct ones:

table <self> const { self }

rdr on lo0 proto tcp from any to ! <self> -> 127.0.0.1 port 9040

#allow ssh on 22
pass in quick proto tcp from any to any port 22
pass out quick proto tcp from any to any port 22

#allow root(tor) traffic
pass out on ! lo0 proto tcp all user root tag "allowed" \
keep state

pass out on ! lo0 route-to lo0 \
proto tcp all \
! tagged "allowed" \
tag "intercepted" \
keep state

On Fri, Sep 28, 2012 at 3:41 PM, Eugene F. <e.fryntov at psiphon.ca> wrote:

> <sid77 at ...> writes:
>
> > ----- Original Message ----- From: "Ralf-Philipp Weinmann" <ralf at ...>
> > To: tor-dev at ...  Sent: Thursday, 31 May, 2012 5:46:49 PM
> > Subject: Re: [tor-dev] Help with pf and iOS
> >
> > > Whoohoo!
> > LOL, thanks!
> >
> > > I expect that you really _DO NEED_ that second loopback interface for the
> > > above config, otherwise your packets will just end up in one big loop. A
> > > workaround might be to tag the packets when they are rdr'ed and make sure
> > > that you only rdr packets that are non-tagged. I have to look up the exact
> > > syntax on how to do that. I strongly suggest testing your pf rules on
> > > another machine first (OpenBSD or FreeBSD VM) and then deploying in iOS.
> > Yeah, I sense the loop there. I thought that
> >
> > pass quick on lo0 keep state
> > pass out quick inet proto tcp user nobody flags S/SA modulate state
> >
> > was my "exit strategy", anyway. Looks like they never really work. Tagging
> > packets is a good idea! It's something I didn't think to try in first place
> > as, usually, it's useless when it comes to iptables but it's pf here, so I
> > should definitively try it.
> >
> > > Do you have the kernel crash log handy by any chance? It should be in
> > > /Library/Logs/CrashReporter/Panics
> > Gone, but I will try to replicate it. Looking for some 0days, are you? :-P
> > _______________________________________________
> > tor-dev mailing list
> > tor-dev at ...
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> >
>
> Hi sid77,
>
> I've got tor in transparent proxy mode working on jailbroken iPod 4 with
> iOS 6 installed.  I've started with iOS 5.1.1 but quickly found out that
> any 'route-to' rule results in kernel panic as soon as there is a match,
> while the same ruleset worked as expected on Mac OS X machine. My bet is
> on the fact that the 'jailbreaking' is the culprit of this behaviour.
>
> Everything worked just fine on a jailbroken iOS 6 though. I'm not a pf
> guru, I just needed a proof of concept, so my ruleset looked like this
> (I'm running tor as root from command line, hence the allow root rule):
>
> table <self> const { self }
>
> rdr on lo0 proto tcp from any to ! <self> -> 127.0.0.1 port 9040
>
> #allow ssh on 22 pass in quick proto tcp from any to any port 22 pass out
> quick
> proto tcp from any to any port 22
>
> #allow root(tor) traffic pass out on ! lo0 proto tcp all user root tag
> "allowed"
> keep state
>
> pass out on ! lo0 route-to lo0 \
> proto tcp all\
> ! tagged "allowed" \
> tag "intercepted" \
> keep state
>
>
> As you can see the udp traffic bit is left out and furthermore, the whole
> ruleset could be optimized, but it works.
>
> The second nasty bit was compiling tor for iOS 6. I'm pretty sure you know
> the iOS SDK doesn't come with all the include headers required by the
> transparent proxy functionality, net/pfvar.h in particular. Quick googling
> gave me
>
> http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/net/pfvar.h
>
> as well as the other 2 missing and required by net/pfvar.h
>
> http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/sys/tree.h
> and
> http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/net/radix.h
>
> After downloading those I quickly figured the -DPRIVATE and
> -DNO_APPLE_EXTENSIONS flags and compiled tor. Well, it didn't work, with tor
> giving me an ENODEV error over ioctl() call, so I suspected the headers
> were too old. My kernel version was xnu-2107.2.33, but the latest available
> version of xnu was 2050.9.2
> (http://www.opensource.apple.com/source/xnu/xnu-2050.9.2), so I crossed my
> fingers and downloaded the required headers from that tree.
>
> Some locations have changed since v1456.1.26. My curl commands executed
> from inside <SDK>/usr/include looked like this:
>
> sudo curl -o libkern/tree.h \
>   http://opensource.apple.com/source/xnu/xnu-2050.9.2/libkern/libkern/tree.h?txt
>
> sudo curl -o net/radix.h \
>   http://www.opensource.apple.com/source/xnu/xnu-2050.9.2/bsd/net/radix.h?txt
>
> sudo curl -o net/pfvar.h \
>   http://www.opensource.apple.com/source/xnu/xnu-2050.9.2/bsd/net/pfvar.h?txt
>
> I noticed that NO_APPLE_EXTENSIONS ifdefs were gone from the pfvar.h, so I
> patched tor/src/or/connection_edge.c, replacing all instances of pnl.sport,
> pnl.dport and pnl.rdport with pnl.sxport.port, pnl.dxport.port and
> pnl.rdxport.port respectively.
>
> After compilation I ran tor from cl like:
>
> ./tor --User root --DataDirectory . --TransPort 9040 --SocksPort 0 --Log debug
>
> making sure it works only in Transparent Proxy mode with SOCKS disabled.
>
> Toggling pf rules in another terminal causes showmyip.com to show
> different IPs while observing traffic flowing through tor.
>
> Hope this information helps.
>
> All the best,
> E.F.
>
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
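The loop Ralf warns about above (tor's own outbound connections being routed back to lo0 and redirected into the TransPort again) is exactly what the `tag "allowed"` / `! tagged "allowed"` pair in Eugene's ruleset prevents. The following Python script is an added example, not code from the thread or from the Tor project: it joins pf.conf line continuations, strips comments, and checks a transparent-proxy ruleset for the properties that keep it loop-free. It assumes the rule shapes used in the post (an `rdr on lo0 ... -> 127.0.0.1 port <TransPort>` rule, a `pass out ... user <tor_user> tag "..."` rule, and `route-to lo0` rules on `! lo0`); it matches those patterns textually rather than parsing the full pf grammar. The embedded rulesets are the corrected one from the post and a constructed naive variant with the tagging removed.

```python
import re
from typing import Dict, List, Optional

# Corrected ruleset from the post (TransPort 9040, tor running as root),
# embedded so the check runs offline.
TOR_TRANSPARENT_RULES = """\
table <self> const { self }

rdr on lo0 proto tcp from any to ! <self> -> 127.0.0.1 port 9040

#allow ssh on 22
pass in quick proto tcp from any to any port 22
pass out quick proto tcp from any to any port 22

#allow root(tor) traffic
pass out on ! lo0 proto tcp all user root tag "allowed" keep state

pass out on ! lo0 route-to lo0 \\
    proto tcp all \\
    ! tagged "allowed" \\
    tag "intercepted" \\
    keep state
"""

# Constructed naive variant with no tagging: tor's own outbound connections
# would also be routed to lo0 and redirected back into the TransPort.
LOOPING_RULES = """\
table <self> const { self }
rdr on lo0 proto tcp from any to ! <self> -> 127.0.0.1 port 9040
pass out on ! lo0 route-to lo0 proto tcp all keep state
"""


def logical_rules(conf: str) -> List[str]:
    """Join backslash continuations, drop comments and blank lines, and
    normalise whitespace so each element is one complete pf rule."""
    joined = re.sub(r"\\\s*\n", " ", conf)  # backslash-newline -> space
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(re.sub(r"\s+", " ", line))
    return rules


def _tag_name(rule: str) -> Optional[str]:
    """Return the tag a rule applies via 'tag "x"' (not a '! tagged "x"' match)."""
    m = re.search(r'\btag "([^"]+)"', rule)
    return m.group(1) if m else None


def check_loop_hazard(conf: str, trans_port: int, tor_user: str) -> Dict[str, bool]:
    """Check the properties that keep a tor transparent-proxy ruleset loop-free."""
    rules = logical_rules(conf)

    # 1. Connections arriving on lo0 for foreign addresses go to the TransPort.
    rdr_to_transport = any(
        r.startswith("rdr on lo0 ") and "proto tcp" in r
        and r.endswith(f"-> 127.0.0.1 port {trans_port}")
        for r in rules
    )

    # 2. tor's own outbound traffic is tagged by a rule that does not route-to.
    exempt_tags = {
        _tag_name(r) for r in rules
        if r.startswith("pass out") and f"user {tor_user}" in r
        and "route-to" not in r and _tag_name(r)
    }
    tor_traffic_tagged = bool(exempt_tags)

    # 3. Every route-to rule skips that tagged traffic and never fires on lo0,
    #    otherwise the re-injected packet matches again and loops.
    route_to_rules = [r for r in rules if "route-to lo0" in r]
    route_to_excludes_tagged = bool(route_to_rules) and all(
        any(f'! tagged "{t}"' in r for t in exempt_tags) for r in route_to_rules
    )
    route_to_not_on_lo0 = bool(route_to_rules) and all(
        " on ! lo0 " in r for r in route_to_rules
    )

    result = {
        "rdr_to_transport": rdr_to_transport,
        "tor_traffic_tagged": tor_traffic_tagged,
        "route_to_excludes_tagged": route_to_excludes_tagged,
        "route_to_not_on_lo0": route_to_not_on_lo0,
    }
    result["loop_free"] = all(result.values())
    return result


if __name__ == "__main__":
    for name, conf in (("post ruleset", TOR_TRANSPARENT_RULES),
                       ("naive ruleset", LOOPING_RULES)):
        print(name, check_loop_hazard(conf, 9040, "root"))
```

Run it before loading a ruleset with `pfctl -f`; the naive variant reports `tor_traffic_tagged` and `route_to_excludes_tagged` as false, which is the configuration that loops. Because the check is textual, a ruleset that achieves the same effect with different syntax (a `user` match directly on the route-to rule, for example) will be reported as unsafe and needs a manual look.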