[tor-talk] Ports required for Tor and hidden services

Forst forst at waifu.club
Sun Feb 9 02:10:04 UTC 2020


On 2020-01-28 01:17, Mirimir wrote:
> On 01/26/2020 10:53 PM, Jim wrote:
>> Forst wrote:
>>> In that case, what would be best approach to achieve that all traffic
>>> is forced though Tor and direct internet connection blocked,
>>> preferably even if/when the system is breached?
>> 
>> Roger gave a good reply for the case where the system is not breached.
>> But if your firewall is on the same system as the hidden service and an
>> attacker gets root then nothing can save you since the attacker could
>> alter the firewall at will.  The only exception I can think of is
>> SELinux *might* provide a mechanism to prevent this but I am not
>> familiar with it.
>> 
>> Jim
> 
> If you're that paranoid, you can use the Whonix model. Basically, run
> the Tor process and firewall on one machine, with requisite ports
> exposed on an isolated LAN. And run the web server on another machine,
> connected via that LAN. So nothing on that machine can see the Internet,
> except through Tor.
> 
> If you control physical access, it's most secure for those to be
> separate hardware. Otherwise, you can use KVM VMs. You can even run KVM
> VMs on some KVM VPS, although it's a little sluggish.

I don't have the hardware for physical isolation (kind of), but I can 
use a router which is basically a Linux box that could do the actual 
firewalling and re-directing traffic on a LAN to a Tor client running on 
the router rather than in the actual server machine.

Although I would prefer an approach where the actual Tor client is on the 
server machine.
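The router-based setup discussed in this thread (Tor client and firewall on the Linux router, the server on an isolated LAN with no direct route out), written up as an added example; this is not code from anyone in the thread. Interface names, the Tor user name and the port numbers are assumptions, and the rules are IPv4 only, so IPv6 is dropped outright.

```shell
#!/bin/sh
# Added example: transparent Tor gateway on a Linux router (Whonix-style).
# Assumed values; adjust to the real router.
LAN_IF="${LAN_IF:-eth1}"          # isolated LAN toward the server machine
WAN_IF="${WAN_IF:-eth0}"          # uplink; only the Tor process may use it
TOR_USER="${TOR_USER:-debian-tor}" # user the Tor daemon runs as (assumed)
TRANS_PORT=9040                   # Tor TransPort
DNS_PORT=5353                     # Tor DNSPort

# torrc lines the router's Tor client needs to match the rules below.
tor_gateway_torrc() {
    printf '%s\n' \
        "TransPort 0.0.0.0:$TRANS_PORT" \
        "DNSPort 0.0.0.0:$DNS_PORT" \
        "VirtualAddrNetworkIPv4 10.192.0.0/10" \
        "AutomapHostsOnResolve 1"
}

# Emit the firewall commands instead of running them, so they can be
# reviewed (or tested) before being applied as root.
tor_gateway_rules() {
    cat <<EOF
iptables -F; iptables -t nat -F
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP
# IPv6 is not routed through Tor here, so drop it entirely to avoid leaks
ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
# LAN -> Tor: DNS and every new TCP connection are redirected into Tor
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# No forwarding at all: there is no direct LAN -> WAN path, even if the server is breached
iptables -A FORWARD -j DROP
# Only the Tor daemon may leave through the uplink; everything else on the router is blocked
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -j DROP
EOF
}

tor_gateway_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    tor_gateway_rules | sh -e
}

if [ "${1:-}" = apply ]; then tor_gateway_apply; fi
```

Run with `apply` as root to load the rules; without it the script only defines the functions, and `tor_gateway_rules` prints the ruleset for review.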

