[tor-qa] Experimental 3.5.2 bundles with tor-fw-helper (automatic port forwarding)

David Fifield david at bamsoftware.com
Sat Feb 15 02:13:45 UTC 2014

On Fri, Feb 14, 2014 at 09:37:51AM +0100, Lunar wrote:
> We solved it with David. The problem was that the IPv6 address was
> given to registrators. Adding `-4` to the flashproxy-client flags in
> torrc made it work.
> In the process, we discovered that NAT-PMP is having really weird
> behaviour and should probably be discarded.

I'm getting ready another set of bundles, without libnatpmp and with -4
by default.

>  * tor-fw-helper currently registers the port redirection under the
>    label “Tor relay”. That's OK if used by a relay operator on their own
>    network, but not in the use case where Tor is banned and you want to
>    conceal its usage.

Good point. It's not configurable at runtime as tor-fw-helper is now.

>  * There's no unregistration process when the browser is shut down, so
>    the ports will stay open until the router is rebooted (or at least
>    that was my impression). Probably we would like to fix that as
>    browsers can be restarted several times in course of a single day.

Thank you for noticing this problem. I overlooked it because I assumed
all the port forwardings were temporary; tor has code to call
tor-fw-helper periodically. But you are right; in fact in libminiupnpc
1.5, the UPNP_AddPortMapping function doesn't even provide a way to set
the time limit (NewLeaseDuration), and with libminiupnpc 1.6,
tor-fw-helper always passes a value of 0 ("forever").

I configured flashproxy-client to listen on an ephemeral port in these
bundles (in normal bundles it listens on the static port 9000). It means
that a new permanent hole will be opened in the user's firewall every
time they restart their browser. (Permanent until they reboot their
router, I guess.)

If you tested these bundles and now have unexpected port forwardings,
you can (reboot your router or) run these commands from the miniupnpc
	upnpc -l	# lists port forwardings
	upnpc -d X tcp	# deletes forwarding for port X

Alternatively, we could specify a static port (:9000 instead of :0 in
the ClientTransportPlugin line). Then at least it would be just *one*
port open permanently. But one of the nice things about automatic port
forwarding was that it would be possible not to use a fixed (more easily
blockable) port number.

David Fifield
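As an added audit example that is not part of this thread: parse the table `upnpc -l` prints, flag the mappings tor-fw-helper would have created (fixed "Tor relay" label, lease time 0, i.e. permanent until the router reboots), and emit the matching `upnpc -d` cleanup commands. The sample listing is constructed in the row layout miniupnpc's `upnpc` uses, not captured from a real router.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout `upnpc -l` (miniupnpc) prints; not captured from a real router.
SAMPLE_UPNPC_LIST = """\
Found valid IGD : http://192.168.1.1:5000/ctl/IPConn
Local LAN ip address : 192.168.1.23
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 41237->192.168.1.23:41237 'Tor relay' '' 0
 1 TCP 52018->192.168.1.23:52018 'Tor relay' '' 0
 2 UDP  5060->192.168.1.40:5060  'VoIP phone' '' 3600
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# One row of the mapping table; lease_seconds == 0 means "forever" (until the IGD reboots).
@dataclass(frozen=True)
class PortMapping:
    protocol: str
    external_port: int
    internal_host: str
    internal_port: int
    description: str
    lease_seconds: int

# index, protocol, extPort->intClient:intPort, 'description', 'remoteHost', leaseTime
ROW_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\S+?):(\d+)\s+'([^']*)'\s+'([^']*)'\s+(\d+)\s*$"
)

def parse_upnpc_list(text: str) -> list[PortMapping]:
    """Extract the port-mapping rows from `upnpc -l` output, ignoring all other lines."""
    mappings = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, ext, host, inport, desc, _remote, lease = m.groups()
            mappings.append(PortMapping(proto, int(ext), host, int(inport), desc, int(lease)))
    return mappings

def find_permanent_mappings(mappings, label="Tor relay"):
    """Mappings carrying tor-fw-helper's fixed label with no lease, i.e. ones that never expire."""
    return [m for m in mappings if m.description == label and m.lease_seconds == 0]

def cleanup_commands(mappings):
    """The `upnpc -d <port> <proto>` invocations that delete each leftover mapping."""
    return [f"upnpc -d {m.external_port} {m.protocol.lower()}" for m in mappings]

if __name__ == "__main__":
    stale = find_permanent_mappings(parse_upnpc_list(SAMPLE_UPNPC_LIST))
    for cmd in cleanup_commands(stale):
        print(cmd)
```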
