[tor-qa] Experimental 3.5.2 bundles with tor-fw-helper (automatic port forwarding)
david at bamsoftware.com
Sat Feb 15 02:13:45 UTC 2014
On Fri, Feb 14, 2014 at 09:37:51AM +0100, Lunar wrote:
> We solved it with David. The problem was that the IPv6 address was
> given to registrators. Adding `-4` to the flashproxy-client flags in
> torrc made it work.
> In the process, we discovered that NAT-PMP is having really weird
> behaviour and should probably be discarded.
I'm getting ready another set of bundles, without libnatpmp and with -4
> * tor-fw-helper currently registers the port redirection under the
> label “Tor relay”. That's OK if used by a relay operator on their own
> network, but not in the use case where Tor is banned and you want to
> conceal its usage.
Good point. It's not configurable at runtime as tor-fw-helper is now.
> * There's no unregistration process when the browser is shut down, so
> the ports will stay open as until the router is rebooted (or at least
> that was my impression). Probably we would like to fix that as
> browsers can be restarted several times in course of a single day.
Thank you for noticing this problem. I overlooked it because I assumed
all the port forwardings were temporary; tor has code to call
tor-fw-helper periodically. But you are right; in fact in libminiupnpc
1.5, the UPNP_AddPortMapping function doesn't even provide a way to set
the time limit (NewLeaseDuration), and with libminiupnpc 1.6,
tor-fw-helper always passes a value of 0 ("forever").
I configured flashproxy-client to listen on an ephemeral port in these
bundles (in normal bundles it listens on the static port 9000). It means
that a new permanent hole will be opened in the user's firewall every
time they restart their browser. (Permanent until they reboot their
router, I guess.)
If you tested these bundles and now have unexpected port forwardings,
you can (reboot your router or) run these commands from the miniupnpc
upnpc -l # lists port forwardings
upnpc -d X tcp # deletes forwarding for port X
Alternatively, we could specify a static port (:9000 instead of :0 in
the ClientTransportPlugin line). Then at least it would be just *one*
port open permanently. But one of the nice things about automatic port
forwarding was that it would be possible not to use a fixed (more easily
blockable) port number.
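The cleanup described above (find the forwardings tor-fw-helper left behind, then `upnpc -d` each one) as an added shell example; this is not code from the message or from the tor-fw-helper or miniupnpc projects. It assumes the line layout that `upnpc -l` prints (" i protocol exPort->inAddr:inPort description remoteHost leaseTime", then one row per mapping with the description in single quotes), and the listing it parses is constructed for the example rather than captured from a router. It only generates the `upnpc -d PORT PROTO` commands so they can be reviewed before anything is deleted.

```shell
#!/bin/sh
# Added example, not from the original message or from tor-fw-helper/miniupnpc.
# Assumed `upnpc -l` layout (recent miniupnpc versions):
#   " i protocol exPort->inAddr:inPort description remoteHost leaseTime"
#   " 0 TCP  9000->192.168.1.5:9000 'Tor relay' '' 0"
# The listing below is constructed for this example.
SAMPLE_LISTING=" i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  9000->192.168.1.5:9000 'Tor relay' '' 0
 1 TCP 40513->192.168.1.5:40513 'Tor relay' '' 0
 2 UDP 51413->192.168.1.7:51413 'Transmission' '' 0
 3 TCP 22->192.168.1.9:22 'ssh' '' 3600"

# stale_forwardings LISTING LABEL
# Prints "PORT PROTO" for every mapping whose description equals LABEL
# (tor-fw-helper registers its mappings as "Tor relay").
stale_forwardings() {
    printf '%s\n' "$1" | awk -v label="$2" -v q="'" '
        /exPort->inAddr/ { next }                 # header row
        {
            # description is the first single-quoted field on the row
            if (!match($0, q "[^" q "]*" q)) next
            desc = substr($0, RSTART + 1, RLENGTH - 2)
            split($3, ep, "->")                   # ep[1] is the external port
            if (desc == label) print ep[1], tolower($2)
        }'
}

# delete_commands LISTING LABEL
# Turns the stale list into the `upnpc -d PORT PROTO` invocations to run.
delete_commands() {
    stale_forwardings "$1" "$2" | while read -r port proto; do
        printf 'upnpc -d %s %s\n' "$port" "$proto"
    done
}

delete_commands "$SAMPLE_LISTING" "Tor relay"
# Against a real router, feed the live listing in instead of the sample and,
# once the output looks right, pipe it to sh:
#   delete_commands "$(upnpc -l)" "Tor relay" | sh
```

Matching on the description alone means a genuine relay operator's "Tor relay" forwarding would be listed too, which is why the script prints the commands rather than running them; on a machine that only ever ran these test bundles, every such entry is one of the leftover holes.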