[tor-talk] ORBot-like app for Mac/Windows

Manuel tor-talk at acanthephyra.net
Tue May 3 21:37:02 UTC 2011


On 05/03/11 22:35, tor at lists.grepular.com wrote:
> On 03/05/2011 20:02, Jerzy Łogiewa wrote:
>
>> http://www.androidzoom.com/android_applications/communication/orbot-tor-on-android_jqte.html
>>
>> interface is great -- why not something like this for Mac (and even Windows too)? It would be handy on a Mac to selectively torify apps!
> The reason it is possible on Android is because each app runs under its
> own user id.
>
> netfilter/iptables has an "owner" module. Assuming you're using the Tor
> TransPort directive on port 9040, you could torify uid 1234 under Linux
> with this command (untested):
>
> iptables -t nat -A OUTPUT -m owner --uid-owner 1234 -j REDIRECT
> --to-ports 9040
>
> Then the outgoing connections of any app running under uid 1234 are
> forwarded to local port 9040 and "torified."
>
> This doesn't really translate to OSX or Windows or even normal Linux
> desktop usage.
>
> At least, this is how I'm assuming Orbot does it. I know this is how
> DroidWall handles applying firewall rules for different apps...
>
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Yep, this is exactly how Orbot does things (apart from the fallback
"proxy by port" option, which is sub-optimal).

Jerzy: If you would like to learn more about that principle (and also
how it can - theoretically - be used on desktops), see
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
Unfortunately, in desktop systems, (nearly) all processes are created by
a small number of users, and while it's (at least for GNU/Linux)
possible to force every process - or at least all the programs you call
from your graphical menu - into its own UID, it'd require a vast amount
of modifications to things that shouldn't concern Tor. The approaches
I'm coming up with ad hoc are all so horribly wrong, insecure and
unportable that just thinking of some fool implementing anything of that
caliber makes me reach for the clue-by-four.

It might be possible - since there are firewalls for both Mac and
Windows that can filter by application (Apple calls it "Application
Firewall" and I remember various Windows FWs having such functionality),
they should also be able to redirect them. It might be possible to
implement an application-based redirection on Linux, but probably only
in a very crude manner (there's a project called TuxGuardian which
apparently uses application-based filtering, but it looks unmaintained,
last update was 5 years ago).

To sum it up (from my half-informed point of view): It's theoretically
possible, but the effort required for this usability enhancement would
simply be too much. As all multi-platform tools, Tor tries to use common
designs and functions across all systems and only employ
platform-specific glue when necessary, and there is no common framework
for application-based filtering/redirection.
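The uid-based redirect quoted above, carried one step further as an added example (this is not code from the thread or from Orbot): it assumes Tor is configured with TransPort 9040 and a DNSPort of 5353 (the DNSPort value is an assumption), and it prints the rules rather than applying them so they can be reviewed first. Beyond the single rule in the thread it also sends the uid's DNS lookups to Tor and rejects anything the redirect misses, so the uid cannot leak traffic when Tor is down or when an application speaks UDP.

```shell
#!/bin/sh
# Print the iptables rules that transparently torify one Linux uid.
# Assumed torrc settings (not from the thread): TransPort 9040, DNSPort 5353.
# Usage: sh torify-uid.sh <uid> [transport] [dnsport]   e.g. sh torify-uid.sh 1234 | sudo sh

torify_uid_rules() {
    uid="$1"
    trans_port="${2:-9040}"   # Tor TransPort (from the thread)
    dns_port="${3:-5353}"     # Tor DNSPort (assumed value)

    # nat OUTPUT: rewrite the uid's DNS queries and TCP connections to Tor's
    # local ports. The owner match keys on the socket's uid, as on Android.
    echo "iptables -t nat -A OUTPUT -m owner --uid-owner $uid -p udp --dport 53 -j REDIRECT --to-ports $dns_port"
    echo "iptables -t nat -A OUTPUT -m owner --uid-owner $uid -p tcp -j REDIRECT --to-ports $trans_port"

    # filter OUTPUT: after REDIRECT the packets are routed over lo to Tor's
    # ports; allow exactly that and reject everything else from this uid,
    # so nothing the nat rules did not catch (ICMP, other UDP) leaves the box.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -o lo -p tcp --dport $trans_port -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -o lo -p udp --dport $dns_port -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Only emit rules when a uid was given on the command line.
if [ "$#" -gt 0 ]; then
    torify_uid_rules "$@"
fi
```

The reject rule is what the thread's single REDIRECT line lacks: with REDIRECT alone, a stopped Tor or a non-TCP application silently falls back to the clearnet.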