[tor-dev] Blacklist all domains, whitelist .onion,.exit

nyxnor nyxnor at protonmail.com
Wed Sep 21 14:39:06 UTC 2022


Hello.

I am trying to make a tor only allow traffic through onion services and exit nodes.

I would like to blacklist all domains first, as that is simple and does not need to be updated,
then whitelist all onions and exits.

Reason: I am hosting an onion service, but I don't want any client traffic coming from that
machine.

I've played with MapAddress, VirtualAddrNetworkIPV4, AutomapHostsOnResolve,
AutomapHostsSuffixes, but nothing seems to work as intended above.

MapAddress *=127.0.0.1 does not report invalid conf, but the controller reports it is using
invalid syntax because "*" be source or target.
I tricked the controller with MapAddress *.*=127.0.0.1, as every domain has a dot, the controller
didn't report syntax error and this option is actually ignored.

If the above worked, then the next option would be the whitelisting:
MapAddress *.onion VIRTUAL_IP
Or possibly the AutomapHostsOnResolve 1 and AutomapHostsSuffixes .exit,.onion would
handle that part hopefully.

I did the lazy way, the antivirus way, I downloaded the IANA TLD domain list and used basic
string manipulation to make: MapAddress *.${domain} 127.0.0.1
And yes, as you may think, the list is huge that has to be on its own included conf file, and also
prone to be outdated every time a new TLD is created. But it works, in a dumb and prone to
mistakes, it works. Can this be done better? Not antivirus way of all is permitted, some known
items are blocked. I would prefer all is blocked and some items are permitted.

The real objective was to block all non .onion and .exit targets coming from a client, that the
controller reports with SOURCE_ADDR, but I didn't find an option to MapAddress per client
or anything similar to that to manipulate addresses per client source, so that is why I started doing this for all tor traffic, which is not what I really want, but controlling targets per client.
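The "lazy way" described in the post (take the IANA TLD list, emit one `MapAddress *.<tld> 127.0.0.1` line per TLD, keep `.onion` and `.exit` out of the list) as an added, self-contained example; this is not the poster's script. The TLD list is a constructed sample in the format of `tlds-alpha-by-domain.txt` (a leading `#` comment line, then one upper-case TLD per line); `ONION` is included only so that the allow-list filter is exercised. The sink address `127.0.0.1` and the helper names are assumptions, not Tor options.

```python
"""Generate a torrc include file that maps every public TLD to a sink address,
leaving .onion and .exit untouched. Added example, not the poster's own script."""

# Constructed sample in the format of https://data.iana.org/TLD/tlds-alpha-by-domain.txt
SAMPLE_TLD_LIST = """# Version 2022092100, Last Updated (constructed sample)
COM
NET
ORG
XN--P1AI
ONION
"""

# Suffixes that must stay reachable (the post's whitelist). Assumed, not a Tor default.
ALLOWED_SUFFIXES = frozenset({"onion", "exit"})
SINK = "127.0.0.1"  # where blocked names are mapped, as in the post


def parse_tld_list(text):
    """Return the TLDs from an IANA-style list, lower-cased, comments and blanks dropped."""
    tlds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tlds.append(line.lower())
    return tlds


def build_mapaddress_lines(tlds, sink=SINK, allowed=ALLOWED_SUFFIXES):
    """One 'MapAddress *.<tld> <sink>' line per TLD, skipping the allowed suffixes.
    '*.<tld>' is Tor's documented wildcard form for the left-hand side of MapAddress."""
    return [f"MapAddress *.{tld} {sink}" for tld in tlds if tld not in allowed]


def render_include(text, sink=SINK, allowed=ALLOWED_SUFFIXES):
    """Full text of the include file (a comment header plus the MapAddress lines)."""
    lines = build_mapaddress_lines(parse_tld_list(text), sink, allowed)
    header = "# generated blocklist: every listed TLD mapped to %s, except %s" % (
        sink, ", ".join("." + s for s in sorted(allowed)))
    return "\n".join([header, *lines]) + "\n"


def would_escape(hostname, allowed=ALLOWED_SUFFIXES):
    """True if the hostname's last label is an allowed suffix, i.e. the generated
    lines would not map it. Literal IP addresses are never matched by '*.<tld>'."""
    last = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    return last in allowed


if __name__ == "__main__":
    # Write the include file; torrc then needs: %include /path/to/tld-blocklist.conf
    with open("tld-blocklist.conf", "w") as fh:
        fh.write(render_include(SAMPLE_TLD_LIST))
    print(render_include(SAMPLE_TLD_LIST))
```

Two properties of the generated file are worth keeping in mind: the `*.<tld>` patterns match hostnames only, so a SOCKS request for a literal IPv4 or IPv6 address is not affected by them, and the file has to be regenerated whenever IANA delegates a new TLD, which is exactly the maintenance burden the post complains about.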