TransPort, DNSPort, and pf

Scott Bennett bennett at
Fri Dec 31 06:53:10 UTC 2010

     I am attempting to set up a LAN with Internet access via tor for machines
that do not have tor installed by using TransPort, DNSPort, and a couple of
rdr rules in pf.  In torrc, I have

TransPort 9040
DNSPort 1053

In an anchor defined in /etc/pf.conf as

rdr-anchor intrdrs
load anchor intrdrs from "/etc/"

the file /etc/ contains

rdr on $int_ifa proto tcp from $internal_net_a to ! ($int_ifa) -> $localhost_addr port 9040
rdr on $int_ifa proto udp from $internal_net_a to ! ($int_ifa) port domain -> $localhost_addr port 1053

Testing the torrc goes like this:

hellas# su _tor
$ tor --verify-config
Dec 30 23:33:41.799 [notice] Tor v0.2.2.17-alpha (git-dadd9608d2720368). This is experimental software. Do not rely on it for strong anonymity. (Running on FreeBSD i386)
Dec 30 23:33:41.817 [warn] open("/dev/pf") failed: Permission denied
Dec 30 23:33:41.818 [warn] Failed to parse/validate config: Unable to open /dev/pf for transparent proxy.
Dec 30 23:33:41.818 [err] Reading config failed--see warnings above.

     My first question is, why does tor want to open /dev/pf when all packets
from the internal network are redirected to tor on the loopback interface
anyway?  To get tor to stop complaining, I had to change the group of /dev/pf
from wheel to _tor and change the device's permissions from 600 to 660.  It
seems to me that neither should be necessary and that tor should not access

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *

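Tor opens /dev/pf because, on pf systems, TransPort recovers each redirected connection's original destination with the DIOCNATLOOK ioctl on that device; the rdr rules alone only deliver the packet to port 9040. As an added example (not from the post above), here is a complete /etc/pf.conf for the setup described, with the two rdr rules written inline rather than in the anchor file whose name is cut off on the page, plus the devfs rule that keeps the /dev/pf ownership change across reboots. The interface names, the LAN range and the devfs ruleset number are assumptions.

```pf
# Added example /etc/pf.conf for a transparent Tor gateway on FreeBSD.
# Assumed names: em0 faces the Internet, em1 faces the LAN 192.168.10.0/24.
ext_if     = "em0"
int_if     = "em1"
int_net    = "192.168.10.0/24"
tor_host   = "127.0.0.1"   # default bind address of TransPort/DNSPort
trans_port = "9040"        # matches "TransPort 9040" in torrc
dns_port   = "1053"        # matches "DNSPort 1053" in torrc

# Translation rules (same intent as the two rdr lines in the post):
# LAN TCP not aimed at the gateway itself goes into Tor's TransPort.
rdr pass on $int_if inet proto tcp from $int_net to !($int_if) \
    -> $tor_host port $trans_port
# LAN DNS queries go into Tor's DNSPort so lookups never leave in the clear.
rdr pass on $int_if inet proto udp from $int_net to !($int_if) port domain \
    -> $tor_host port $dns_port

# Filter rules: default deny, so anything that escapes the redirects is dropped
# rather than leaking to the ISP.
block all
pass quick on lo0
# Only the Tor daemon's own sockets may reach the Internet from the gateway.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) user _tor
# Replies to the redirected LAN flows ("rdr pass" already admits the inbound leg).
pass out on $int_if inet from ($int_if) to $int_net

# Persisting the /dev/pf change from the post (devfs is rebuilt at every boot):
#   /etc/devfs.rules:   [devfsrules_tor=10]
#                       add path 'pf' group _tor mode 0660
#   /etc/rc.conf:       devfs_system_ruleset="devfsrules_tor"
# Tor opens /dev/pf read-only for DIOCNATLOOK, so try mode 0640 before 0660;
# 0660 is the setting the post reports as working.
```

Load with `pfctl -f /etc/pf.conf` and confirm the translations with `pfctl -s nat`; `tor --verify-config` run as _tor should then pass without the /dev/pf warning.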