[tor-talk] Tor as a network filter

Ben Tasker ben at bentasker.co.uk
Mon Mar 9 12:27:26 UTC 2015


Depending on how you're getting traffic onto Tor (i.e. are you using the
SOCKS proxy or silently redirecting traffic to the relevant port) you may
be able to achieve something similar to what you're attempting using other
tools first.

For example, I have a VM running an MUA; it should only ever connect to
its mailservers over Tor. To enforce that, my router runs Tor and an
iptables rule ensures that all traffic from that VM leaves my network over
Tor (there are some other concerns with doing it this way, but they aren't
relevant for what I'm trying to say).

There's no technical reason I (or, you) couldn't add a rule to first push
that traffic through some sort of (semi)transparent proxy so that filtering
can be performed at application level.

There are a number of reasons you might not want to do it though:

- It complicates troubleshooting connection issues
- You've just inserted an extra listening point for an adversary to use
- If you're using a transparent solution and it breaks, you may find
yourself working without your extra level of 'protection'
- Depending on your solution, it may change your request signature (a lot
of work has gone into TBB to make it all look the same; you don't want your
user-agent to suddenly become 'squid', for example)

In my setup, traffic transits my network in the clear (at least in a
metadata sense) before reaching Tor; there's no reason you necessarily need
to do that, as you could set something similar up on a single box.

So whilst tor won't do application level filtering for you, you can insert
some filtering into the chain, as long as you weigh the risks (and I've
likely omitted some).

On Mon, Mar 9, 2015 at 12:09 PM, <spencerone at openmailbox.org> wrote:

> Hi,
>
>  SpencerOne:
>>> Yes, "..separate identification from routing.", but isn't Tor
>>> filtering my connection to the internet by routing my connection
>>> through its network?  Because, if so, I am wondering if it is possible
>>> to have that onion routing process do more than just automatically
>>> proxy my connection.  I am thinking it could allow me to deny certain
>>> connection attempts completely while allowing others.  If applications
>>> can make connections to the internet through the Tor network, via
>>> Orbot or TorBirdy, for example, how much control can I have over this
>>> on a desk/laptop environment?
>>>
>>> Where would I look to find information on this?  Is Vidalia or "system
>>> Tor" relevant to this?
>>>
>>>
>> Yuri:
>> No, tor doesn't filter anything. The closest definition of what tor is
>> would be "routing software". It routes user traffic through the
>> anonymization network. There is no degree of control in terms of what is
>> and isn't sent beyond the fact of connection.
>>
>>
> But what about before the connection, even preventing the connection?
> Doesn't Orbot or Tor Browser provide an opportunity to manage what is
> sent?  Can firewall-like control be implemented into something like this?
>
>
>> You need to really read about tor in order to understand it.
>>
>>
> I have been, thanks to many kind people on this list taking their time to
> help :)  This is why I am asking questions, to better understand the
> limitations.
>
>
>> But "filter" concept doesn't describe tor in any way. This is the
>> misunderstanding.
>>
>>
> I understand the network as you are describing it.  Regarding "filter" I
> am seeing it from a non-technical user point of view, where it appears as
> if the user's address has been removed and a new one has been provided, as
> they might often receive the message "Your IP address appears to be:...".
> Given that a filter can be seen as software that reformats some stuff,
> experientially, in this case, the user's identity has been reformatted,
> even if technically it's just being swapped for that of the exit's.
>
> But I am more asking if Tor can be used as part of a filter, with some
> sort of application allowing for more control, maybe even of what is sent
> to the entry.  It seems there has been some discussion regarding 'Tor
> Router/Firewall', though it's only cited as a bullet in a list. I might be
> misreading, but a Tails document refers to a 'Network Filter'.  I don't
> only want to allow or deny network connections, like with Tails, but filter
> out certain things as well, maybe with something smaller like a browser or
> application firewall.
>
>  WhonixQubes:
>> Yuri is correct. Tor does not provide an internet filter for applications.
>>
>>
> Awesome, but isn't Orbot something like this?  And didn't Vidalia provide
> similar functionality?
>
>
>> Sounds like you are looking for what is known as an "Application
>> Firewall".
>>
>>
> I am, as touched on above, is there any value to combining incoming access
> to the Tor network and outgoing connections from applications as a
> standalone tool?  Vs using Little Snitch or built-in firewalls separately
> from a Tor application like Tor Browser.
>
> Wordlife,
> Spencer
>



-- 
Ben Tasker
https://www.bentasker.co.uk
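A concrete, fail-closed version of the router-side setup Ben describes, added here as an example (it is not code from the post): the router's Tor exposes a TransPort and DNSPort, and iptables REDIRECTs the VM's traffic to them while refusing anything that would otherwise be forwarded in the clear, which addresses the "if it breaks, you lose your protection" point. Assumed values: the VM sits at 192.168.10.5, the router's LAN interface is eth1 with address 192.168.10.1, and Tor listens on TransPort 9040 and DNSPort 5353.

```shell
#!/bin/sh
# Added example, not code from the post: print (rather than apply) a
# fail-closed iptables policy that forces one VM's traffic through Tor's
# TransPort/DNSPort on the router, the setup described in the post.
# Assumed values: VM at 192.168.10.5, router LAN interface eth1 with
# address 192.168.10.1, Tor listening on TransPort 9040 and DNSPort 5353.

# torrc lines the router's Tor needs so that REDIRECTed flows land on it.
tor_torrc() {
    lan_addr=$1
    cat <<EOF
TransPort $lan_addr:9040
DNSPort $lan_addr:5353
# Map .onion names to fake addresses on lookup so they can be REDIRECTed too
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
EOF
}

# Rules printed as commands, so they can be reviewed first and then
# applied as root with: tor_rules 192.168.10.5 eth1 | sh
tor_rules() {
    vm_ip=$1; lan_if=$2; trans_port=${3:-9040}; dns_port=${4:-5353}
    cat <<EOF
# DNS from the VM goes to Tor's DNSPort, never to the ISP resolver
iptables -t nat -A PREROUTING -i $lan_if -s $vm_ip -p udp --dport 53 -j REDIRECT --to-ports $dns_port
# New TCP connections from the VM are handed to Tor's transparent port
iptables -t nat -A PREROUTING -i $lan_if -s $vm_ip -p tcp --syn -j REDIRECT --to-ports $trans_port
# Only the redirected flows may reach the router itself
iptables -A INPUT -i $lan_if -s $vm_ip -p tcp --dport $trans_port -j ACCEPT
iptables -A INPUT -i $lan_if -s $vm_ip -p udp --dport $dns_port -j ACCEPT
iptables -A INPUT -i $lan_if -s $vm_ip -j REJECT
# Fail closed: if the REDIRECT rules are ever missing, the VM's traffic is
# refused rather than forwarded to the Internet in the clear
iptables -A FORWARD -i $lan_if -s $vm_ip -j REJECT
EOF
}

tor_torrc 192.168.10.1
tor_rules 192.168.10.5 eth1
```

Because the FORWARD chain rejects the VM's traffic outright, a missing or broken REDIRECT rule shows up as a failed connection on the VM instead of a silent leak past Tor.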

