[tor-talk] Tor as a network filter
spencerone at openmailbox.org
Wed Mar 11 06:11:47 UTC 2015
> ben[at]bentasker.co.uk:
> Depending on how you're getting traffic onto Tor (i.e. are you using the
> SOCKS proxy or silently redirecting traffic to the relevant port) you may
> be able to achieve something similar to what you're attempting using
> other tools first.
>
I am just running Tor Browser, so the default SOCKS.
>
> For example, I have a VM running an MUA, it should only ever connect to
> its mailservers over Tor. To enforce that, my router runs Tor and an
> iptables rule ensures that all traffic from that VM leaves my network
> over Tor (there are some other concerns with doing it this way, but they
> aren't relevant for what I'm trying to say).
>
Can you expand on this, the Tor on a router part? Others have said[0],
in response to an out of the box product you can buy[1], that running Tor
on a physical router is not so safe, though this is maybe where your
iptables rule comes in.
>
> There's no technical reason I (or, you) couldn't add a rule to first
> push that traffic through some sort of (semi)transparent proxy so that
> filtering can be performed at application level.
>
How much control do you then have over the traffic? Can you shape how
you appear, ignoring the risk of standing out? How would you interface
with the traffic?
>
> There are a number of reasons you might not want to do it though:
>
> - It complicates troubleshooting connection issues
> - You've just inserted an extra listening point for an adversary to use
> - If you're using a transparent solution and it breaks, you may find
> yourself working without your extra level of 'protection'
> - Depending on your solution, it may change your request signature (a
> lot of work has gone into TBB to make all look the same, you don't want
> your user-agent to suddenly become 'squid' for example)
>
> In my setup, traffic transits my network in the clear (at least in a
> metadata sense) before reaching Tor, there's no reason you necessarily
> need to do that as you could set something similar up on a single box.
>
> So whilst tor won't do application level filtering for you, you can
> insert some filtering into the chain, as long as you weigh the risks
> (and I've likely omitted some)
>
>> spencerone[at]opmbx.org:
>> But I am more asking if Tor can be used as part of a filter, with some
>> sort of application allowing for more control, maybe even of what is
>> sent to the entry. It seems there has been some discussion regarding
>> 'Tor Router/Firewall', though it's only cited as a bullet in a list. I
>> might be misreading, but a Tails document refers to a 'Network Filter'.
>> I don't only want to allow or deny network connections, like with
>> Tails, but filter out certain things as well, maybe with something
>> smaller like a browser or application firewall.
>>
>>> WhonixQubes:
>>> Sounds like you are looking for what is known as an "Application
>>> Firewall".
>>>
>> I am, is there any value to combining incoming access to the Tor
>> network and outgoing connections from applications as a standalone
>> tool? Vs using Little Snitch or built-in firewalls separately from a
>> Tor application like Tor Browser.
>>
Thanks for this!
Wordlife,
Spencer
[0] https://lists.torproject.org/pipermail/tor-talk/2015-February/036719.html
[1] http://cryptographi.com/products/snoopsafe
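The router-side enforcement Ben describes (router runs Tor, iptables pins one VM's traffic to it), written out as an added example that is not his configuration or anything posted in the thread. It assumes the VM is 192.0.2.10 behind router interface br0, the router's LAN address is 192.0.2.1, and the router's Tor is started with the torrc lines print_torrc emits; TransPort, DNSPort, VirtualAddrNetworkIPv4 and AutomapHostsOnResolve are real Tor options, the addresses and port numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pin one VM's traffic to Tor at the router.
# Assumed values: VM at 192.0.2.10, router LAN address 192.0.2.1 on br0.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
VM_IP="${VM_IP:-192.0.2.10}"
LAN_IF="${LAN_IF:-br0}"
ROUTER_IP="${ROUTER_IP:-192.0.2.1}"
TRANS_PORT=9040   # Tor's TransPort: accepts transparently redirected TCP
DNS_PORT=5353     # Tor's DNSPort: resolves names over Tor, so no clear DNS

# torrc lines the router's Tor needs; REDIRECT below sends packets to the
# address of the incoming interface, so Tor must listen on that address.
print_torrc() {
    printf 'TransPort %s:%s\n' "$ROUTER_IP" "$TRANS_PORT"
    printf 'DNSPort %s:%s\n' "$ROUTER_IP" "$DNS_PORT"
    printf 'VirtualAddrNetworkIPv4 10.192.0.0/10\nAutomapHostsOnResolve 1\n'
}

apply_tor_vm_rules() {
    # DNS queries from the VM are answered by Tor, never by the ISP resolver.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$VM_IP" -p udp --dport 53 \
        -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$VM_IP" -p tcp --dport 53 \
        -j REDIRECT --to-ports "$DNS_PORT"
    # Every new TCP connection from the VM is handed to Tor's TransPort.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$VM_IP" -p tcp --syn \
        -j REDIRECT --to-ports "$TRANS_PORT"
    # On the router itself accept only the redirected flows ...
    $IPT -A INPUT -i "$LAN_IF" -s "$VM_IP" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$VM_IP" -p udp --dport "$DNS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$VM_IP" -p tcp --dport "$DNS_PORT" -j ACCEPT
    # ... and fail closed: anything else from the VM (other UDP, ICMP, and
    # anything that would be forwarded in the clear) is dropped, not leaked.
    $IPT -A INPUT -i "$LAN_IF" -s "$VM_IP" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -s "$VM_IP" -j DROP
}
```

The DROP rules are what turn this from a convenience into an enforcement: if Tor on the router dies, the VM loses connectivity instead of silently falling through to the clear path Ben warns about.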