[tor-talk] Ports required for Tor and hidden services
mirimir at riseup.net
Tue Jan 28 01:17:11 UTC 2020
On 01/26/2020 10:53 PM, Jim wrote:
> Forst wrote:
>> In that case, what would be best approach to achieve that all traffic
>> is forced though Tor and direct internet connection blocked,
>> preferably even if/when the system is breached?
> Roger gave a good reply for the case where the system is not breached.
> But if your firewall is on the same system as the hidden service and an
> attacker gets root then nothing can save you since the attacker could
> alter the firewall at will. The only exception I can think of is
> SELinux *might* provide a mechanism to prevent this but I am not
> familiar with it.
If you're that paranoid, you can use the Whonix model. Basically, run
the Tor process and firewall on one machine, with requisite ports
exposed on an isolated LAN. And run the web server on another machine,
connected via that LAN. So nothing on that machine can see the Internet,
except through Tor.
If you control physical access, it's most secure for those to be
separate hardware. Otherwise, you can use KVM VMs. You can even run KVM
VMs on some KVM VPS, although it's a little sluggish.
More information about the tor-talk