[tor-relays] ORPort NoListen
Matt Joyce
toradmin at mttjocy.co.uk
Mon Mar 11 22:38:43 UTC 2013
Sorry I didn't get back to you sooner, not been at the computer, but yes, you have it right there: just use your 192.168.1.12 internal address for tor to listen on. The other advantage of this way over just giving the port number is that you will only be accepting traffic arriving at your router using the published address and port. I generally figure if neither me nor any software I gave permission to have published an address/port to legitimate clients, then it seems safe enough to me to presume it suspicious and not be passing it to a running daemon process.

On the other thing you mentioned, you have a solution now so it may well be that there isn't any use me trying to say anything helpful about that, but if it helps any I can tell you this much without knowing more about your situation. With a port below port 1024 like this there are generally two different failures that account for the majority of the traffic, most likely.

* Firstly there is the usual one that can apply with any port: port in use. The error message will usually say something along the lines of cannot bind to IP:Addr and something along the lines of "Address/Port in use", "Device/Resource is busy" etc. Only one process can be associated with a unique srcip:port->dstip:port combination, so you will often get this error if you accidentally launch a second copy of a process such as a network server when the existing processes are still alive and haven't closed the port yet. If you are at a loss what is using the port, netstat is your friend; you can use it to find out exactly what sockets are in use and which process currently owns each listening socket/TCP stream.

* The second one is specific to ports below 1024; these low number ports were always traditionally, and in many cases still are, the main default port. As a result many operating systems reserve these ports for the root/administrator, or at least being in possession of the relevant capabilities on newer versions of Linux. If this is the case usually the error will say something along the lines of "Cannot bind to IP:Port" and "Permission Denied", "Insufficient Privileges" etc, or words to that effect. If you have this issue then you will need to initially start tor as root, but if you do this then you would also be really strongly recommended to also make sure to use the User directive in your config file to let tor know the user account to drop privileges to after it has finished initially binding to the proper port. Alternative options however are to go ahead and use a NAT router to slip around the issue (only an option until tor steps out of the 20th century and enables IPv6 support, however); the other option is to set up a redirection using iptables on the same machine as the tor relay itself. This has the additional advantage that with a reasonably recent kernel you could look into using TPROXY, which does support IPv6 also.
On 10/03/13 18:24, Sina Eetezadi wrote:
> The thing is, with this setup arm and also vidalia reported "can not
> bind 0.0.0.0:443". That's why I went back to the old setting.
> For the moment I do not really care, because it works, I was just wondering.
>
> My router forwards 443 to 192.168.1.12:9001. So you suggest I put
> "192.168.1.12" instead of "0.0.0.0", right?
>
>
>> Sorry, there is an error in my example: forgot the NoAdvertise attribute,
>> didn't notice till the mail came back through the list. Should have been
>>
>> DirPort 80 NoListen
>> DirPort 127.0.0.1:9030 NoAdvertise
>>
>> Other than that, the rest all should work as I suggested: either specify
>> the actual address your router is set to forward to or specify only the port.
>>
>> On 10/03/13 17:20, Matt Joyce wrote:
>>> There is no need to actually write out the IPv4 unspecified address in
>>> the config file (0.0.0.0); all you need to do is just put:
>>>
>>> ORPort 9001 NoAdvertise
>>>
>>> Admittedly I have not actually tried it with ORPort personally, but I
>>> have had that configuration on one of my relays in the past for DirPort
>>> to enable tor to advertise directory on 80, which was already assigned to
>>> apache2; then apache simply reverse proxied requests for /tor/* to tor
>>> on localhost 9030. However, while you can do the above to listen on any
>>> address there is no need to do so; I would instead specify the address
>>> and port you have set in the DNAT rule on your router. Same when I had
>>> the reverse proxy setup, I simply had it set like:
>>>
>>> DirPort 80 NoListen
>>> DirPort 127.0.0.1:9030
>>>
>>> Course in your case it won't be 127.0.0.1 because it is coming in from
>>> your external router, not another server on the local machine.
>>>
>>> On 10/03/13 16:18, Sina Eetezadi wrote:
>>>> Hi!
>>>>
>>>> I want to have port 443 advertised but listen on port 9001. My router
>>>> then forwards 443->9001 to the machine tor is running on.
>>>>
>>>> It works with this:
>>>> ORport 433
>>>> ORListenAddress 0.0.0.0:9001
>>>>
>>>> However I thought this is deprecated and I'd rather use:
>>>>
>>>> ORport 443 NoListen
>>>> ORPort 0.0.0.0:9001 NoAdvertise
>>>>
>>>> The latter however does not seem to work. Arm for example still errors
>>>> with "binding failed" and I see no incoming connections.
>>>>
>>>> Is this a bug?
>>>>
>>>> Thanks.
>>>>
>>>> SE
>>>> _______________________________________________
>>>> tor-relays mailing list
>>>> tor-relays at lists.torproject.org
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
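Putting the thread's advice into a checkable form, as an added example that is not part of the original mail: it lints the ORPort/DirPort lines of a torrc for the NoListen/NoAdvertise pairing and the 0.0.0.0 listener discussed above, and probes a bind to separate the two failure modes Matt describes. The finding wording, function names and the use of Python's errno codes are my own assumptions, not Tor's own diagnostics.

```python
import errno
import socket

# Added example, not code from the thread: lint the ORPort/DirPort lines of a
# torrc for the pitfalls discussed above and probe a bind to tell "port in use"
# from "privileged port without rights". Option names match case-insensitively.

def parse_port_line(line):
    """Split 'ORPort [addr:]port [NoListen|NoAdvertise ...]' into its parts."""
    option, target, *flags = line.split()
    addr, _, port = target.rpartition(":")      # bare "9001" gives addr ""
    return option.lower(), addr, int(port), {f.lower() for f in flags}

def lint_torrc(lines):
    """Return finding strings for the port-related options in the given torrc lines."""
    lines = [l.strip() for l in lines if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    if any(l.split()[0].lower().endswith("listenaddress") for l in lines):
        findings.append("deprecated: *ListenAddress; use '<opt> addr:port NoAdvertise' instead")
    for opt in ("orport", "dirport"):
        entries = [parse_port_line(l) for l in lines if l.split()[0].lower() == opt]
        listening = [e for e in entries if "nolisten" not in e[3]]
        if entries and not listening:
            findings.append(f"{opt}: every line is NoListen; add an 'addr:port NoAdvertise' line to bind")
        for _, addr, port, flags in listening:
            if len(listening) < len(entries) and "noadvertise" not in flags:
                findings.append(f"{opt}: listener on {port} lacks NoAdvertise, so it is published too")
            if addr in ("", "0.0.0.0"):
                findings.append(f"{opt}: listener on {port} binds every address; prefer the one the router forwards to")
    return findings

def probe_bind(addr, port):
    """Try to bind once; return 'ok', 'in-use', 'no-privilege' or the errno name."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, port))
            return "ok"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in-use"          # another (or a second) process owns it: check netstat
            if e.errno in (errno.EACCES, errno.EPERM):
                return "no-privilege"    # port < 1024 without root / CAP_NET_BIND_SERVICE
            return errno.errorcode.get(e.errno, str(e.errno))

def probe_held_port():
    """Hold an ephemeral loopback port, then probe it: reproduces the 'in-use' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as held:
        held.bind(("127.0.0.1", 0))
        held.listen()
        return probe_bind("127.0.0.1", held.getsockname()[1])
```

Run against the three configurations quoted in the thread, the corrected pair (443 NoListen plus 192.168.1.12:9001 NoAdvertise) is clean, the DirPort pair that forgot NoAdvertise is flagged, and the deprecated ORListenAddress form is flagged along with its wildcard bind.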