Ports 443 & 80

Robert W Capps II robert at capps.us
Sun May 18 17:38:40 UTC 2008


I've not tried to set up a Tor node with your config, but I'll tell you how I got mine to work:

Assumptions for the following configuration:

   1.1.1.1 - Public IP address of firewall (assumes you are using NAT internally)
   2.2.2.2 - Private IP address in use on the Tor server
   :9090   - Private OR port
   :443    - Public OR port
   :9091   - Private Dir port
   :80     - Public Dir port

First I set my firewall up to accept the following external ports and forward them to the Tor server - basically port forwarding with NAT:

   1.1.1.1:443 -NAT and port forward to-> 2.2.2.2:9090
   1.1.1.1:80  -NAT and port forward to-> 2.2.2.2:9091

The Tor server was then configured to listen locally for Tor traffic on 2.2.2.2:9090 and 2.2.2.2:9091, so you'll need to set the following items in your torrc file:

   ## The IP or FQDN for your server. Leave commented out and Tor will guess.
   Address 1.1.1.1

   ## Required: what port to advertise for Tor connections.
   ORPort 443
   ## Bind the OR listener to the private address the firewall forwards to.
   ORListenAddress 2.2.2.2:9090

   ## Optional: what port to advertise for Tor directory connections.
   ## Uncomment this to mirror the directory for others.
   DirPort 80
   ## Same private address as above; the Dir listener must match the :80 forward.
   DirListenAddress 2.2.2.2:9091


So, without validating your firewall setup, I would think you need to modify your 'ORListenAddress' and 'DirListenAddress' to reflect the ACTUAL IP address (not 0.0.0.0) of your Tor server, and set your 'Address' value to the actual public IP address of your firewall (note, no port is required on the 'Address' value).

Hope this helps!

Robert



On May 17, 2008, at 4:53 PM, Nathaniel Dube wrote:

> I read somewhere that you can use ports 443 and 80 to help out people stuck
> behind really restrictive firewalls.  I've been trying to manually configure
> Tor to do just that.  I've configured the router for port forwarding.  I'm
> pretty sure I did the same for my Linux firewall.  I told the firewall to
> listen on ports 443/80 and redirect to 9090/9091.  So the way I understand it
> is, Tor servers/clients should be trying to connect to ports 443/80 --> my
> router listens on 443/80 and bounces to my firewall --> my firewall listens
> on 443/80 and bounces to 9090/9091, which the Tor server is really listening
> on.  I'm running openSUSE 10.3.  I used YaST to set the firewall.  If I
> understand what I'm doing, I use the "Masquerading" section to do firewall
> port forwarding.  Which I'm pretty sure I did correctly, but for some reason
> servers/clients are still unable to connect to my Tor server.
>
> I could really use some help getting this working.  I can get the normal ports
> working no problem and have my server join the Tor network.  It's when I try
> doing the port 443/80 trick that things get hairy.
>
> Here are screenshots of my configuration screens I did for the port
> forwarding.
>
> http://img246.imageshack.us/img246/303/443zb6.png
> http://img265.imageshack.us/img265/1403/80xv7.png
> http://img253.imageshack.us/img253/483/yastmasqsm4.png
> http://img253.imageshack.us/img253/2820/yastrulesyl0.png
> http://img338.imageshack.us/img338/5127/routerpn3.png
>
> Here are portions of Tor's config file.  I X'ed out stuff that might be
> considered a security risk on my part.
>
> SocksPort 9050
> SocksListenAddress 127.0.0.1
> DataDirectory /home/tor/.tor
> ControlPort 9051
>
> ORPort 443
> ORListenAddress 0.0.0.0:9090
> DirPort 80
> DirListenAddress 0.0.0.0:9091
>
> Also, here's the log when I run Tor in Konsole as root.  I know, don't run Tor
> as root.  I'm just doing that to test it, to make sure it's working before I
> set it to start on boot under the "tor" user.
>
> May 16 23:09:16.449 [notice] Tor v0.1.2.19. This is experimental software. Do not rely on it for strong anonymity.
> May 16 23:09:16.450 [notice] Initialized libevent version 1.3b using method epoll. Good.
> May 16 23:09:16.450 [notice] Opening OR listener on 0.0.0.0:9090
> May 16 23:09:16.450 [notice] Opening Directory listener on 0.0.0.0:9091
> May 16 23:09:16.450 [notice] Opening Socks listener on 127.0.0.1:9050
> May 16 23:09:16.450 [notice] Opening Control listener on 127.0.0.1:9051
> May 16 23:09:16.451 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
> May 16 23:09:16.642 [notice] Your Tor server's identity key fingerprint is 'XXXXXXXXXXXXXXXXXXX'
> May 16 23:09:18.240 [notice] We now have enough directory information to build circuits.
> May 16 23:09:18.438 [notice] Guessed our IP address as XXXXXXXXXXXXX.
> May 16 23:09:21.856 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
> May 16 23:09:21.856 [notice] Now checking whether ORPort XXXXXXX:443 and DirPort XXXXXXXXXXXX:80 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
> May 16 23:29:18.900 [warn] Your server (XXXXXXXXXXX:443) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
> May 16 23:29:18.900 [warn] Your server (XXXXXXXXXX:80) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
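The failure mode in this thread is a disagreement between what the firewall forwards and what Tor binds (the reply's own sample even had DirListenAddress on a third host). The script below is an added example, not code from either post or from the Tor project: it parses the 0.1.2.x-era torrc directives used here (Address, ORPort, ORListenAddress, DirPort, DirListenAddress), compares them against a table of NAT forwards, and reports any public port whose forward does not land on the host and port Tor actually listens on. The NAT table and torrc fragments are constructed to mirror the 1.1.1.1 / 2.2.2.2 example; all function names are this example's own, and `probe_tcp` is a plain TCP connect that must be run from outside the NAT to mean anything.

```python
"""Cross-check torrc listen/advertise settings against NAT port forwards.

Added example for this tor-talk thread; not code from the posts or from Tor.
The torrc fragments and the NAT table are constructed to mirror the
1.1.1.1 / 2.2.2.2 example, and every function name is this example's own.
"""
import socket
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]

# Constructed: the reply's mapping as the firewall applies it.
#   public 1.1.1.1:443 -> private 2.2.2.2:9090, public :80 -> private :9091
NAT_FORWARDS: Dict[Endpoint, Endpoint] = {
    ("1.1.1.1", 443): ("2.2.2.2", 9090),
    ("1.1.1.1", 80): ("2.2.2.2", 9091),
}

# Constructed torrc fragment that agrees with the table above.
TORRC_OK = """\
Address 1.1.1.1
ORPort 443
ORListenAddress 2.2.2.2:9090
DirPort 80
DirListenAddress 2.2.2.2:9091
"""

# Constructed variant: Dir listener bound to a host the forward never reaches.
TORRC_MISMATCH = TORRC_OK.replace("DirListenAddress 2.2.2.2:9091",
                                  "DirListenAddress 192.168.3.20:9091")


def parse_torrc(text: str) -> Dict[str, str]:
    """Return directive -> value, skipping blank lines and '#' comments.

    Tor allows repeated directives; for this check the last one wins.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def split_hostport(value: str) -> Endpoint:
    """'2.2.2.2:9090' -> ('2.2.2.2', 9090)."""
    host, _, port = value.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"expected host:port, got {value!r}")
    return host, int(port)


def check_forwarding(conf: Dict[str, str], nat: Dict[Endpoint, Endpoint]) -> List[str]:
    """Return mismatches; an empty list means torrc and firewall agree.

    For ORPort and DirPort: (Address, advertised port) must be forwarded, and
    the forward must land on the host:port Tor binds, i.e. *ListenAddress, or
    0.0.0.0:<advertised port> when no *ListenAddress is set.
    """
    problems: List[str] = []
    address = conf.get("Address")
    if address is None:
        problems.append("Address is unset; behind NAT Tor's guess is usually the private IP")
        return problems
    if ":" in address:
        problems.append(f"Address {address!r} must be an IP or hostname without a port")
        return problems

    for kind in ("OR", "Dir"):
        advertised = conf.get(f"{kind}Port")
        if advertised is None:
            continue
        public: Endpoint = (address, int(advertised))
        listen_raw = conf.get(f"{kind}ListenAddress")
        listen = split_hostport(listen_raw) if listen_raw else ("0.0.0.0", public[1])

        target = nat.get(public)
        if target is None:
            problems.append(f"{kind}Port: no firewall forward for {public[0]}:{public[1]}")
            continue
        if target[1] != listen[1]:
            problems.append(f"{kind}Port: forward lands on port {target[1]} "
                            f"but Tor listens on {listen[1]}")
        # 0.0.0.0 binds every interface, so any private target host reaches it.
        if listen[0] != "0.0.0.0" and target[0] != listen[0]:
            problems.append(f"{kind}ListenAddress: forward targets {target[0]} "
                            f"but Tor binds {listen[0]}")
    return problems


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connect to host:port completes. Run it from OUTSIDE the
    NAT; from inside, hairpin NAT may lie to you either way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, text in (("consistent", TORRC_OK), ("mismatched", TORRC_MISMATCH)):
        issues = check_forwarding(parse_torrc(text), NAT_FORWARDS)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it as-is to see the consistent fragment pass and the 192.168.3.20 variant flagged; to check a live relay, call `probe_tcp("1.1.1.1", 443)` from a host on the Internet side of the firewall, which is what Tor's own twenty-minute reachability test is doing when it logs the warnings quoted above.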


