[tor-talk] restricting output to the tor process, when using Tor browser
mirimir at riseup.net
Tue Jan 28 05:27:07 UTC 2020
OK, so I don't use standalone Tor browser, just in Whonix.
And when I use Tor in Debian, I use iptables rules like:
# Loadable with `iptables-restore < rules.v4`; the table header and COMMIT
# are what the fragment above needs to be applied as a whole.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to existing connections are allowed in.
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
# Outbound: loopback, replies, and only new connections opened by
# processes running as the debian-tor user; everything else is dropped.
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j DROP
COMMIT
But, in a Debian VM running Tor browser, I found that the tor process is
running as the login user. And so iptables is totally useless.
However, it's apparently easy to start Tor browser as its own user,
using Micah Lee's torbrowser-launcher. Is that a prudent solution?
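The failure mode described in this post (the --uid-owner rule silently matching nothing because tor runs as the login user rather than debian-tor) can be caught before the rules are loaded. The script below is an added example, not part of mirimir's post or of any Tor project code: it generates the owner-match ruleset above for a chosen user, lists the owners of every running tor process, and refuses to apply the rules if any tor process is owned by someone else. It assumes procps `ps` (the `user:32` width keeps "debian-tor" from being truncated to "debian-+") and `iptables-restore`; the ps output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the post's owner-match
# ruleset for one user and checks that every running tor process is actually
# owned by that user before applying it. Assumes procps ps and iptables-restore.

# Emit an iptables-restore file that only lets $1 open new outbound
# connections; loopback and reply traffic are allowed as in the post.
build_ruleset() {
    tor_user="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner $tor_user -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Given "user comm" lines (as produced by `ps -eo user:32,comm`), print the
# distinct owners of every process whose command name is exactly "tor".
tor_owners() {
    printf '%s\n' "$1" | awk '$2 == "tor" { print $1 }' | sort -u
}

# Return 0 only when at least one tor process exists and all of them are
# owned by $1. Otherwise report the mismatch on stderr and return 1.
check_tor_owner() {
    expected="$1"; ps_lines="$2"
    owners=$(tor_owners "$ps_lines")
    if [ -z "$owners" ]; then
        echo "no tor process running" >&2
        return 1
    fi
    # grep exits 1 when nothing is left after filtering; that is the good case.
    bad=$(printf '%s\n' "$owners" | grep -vxF "$expected" || true)
    if [ -n "$bad" ]; then
        echo "tor runs as '$bad', not '$expected': --uid-owner $expected would match nothing" >&2
        return 1
    fi
    return 0
}

# Load the ruleset only if the owner check passes (needs root).
apply_if_consistent() {
    tor_user="${1:-debian-tor}"
    check_tor_owner "$tor_user" "$(ps -eo user:32,comm)" || return 1
    build_ruleset "$tor_user" | iptables-restore
}

# Usage: sh restrict_tor.sh --apply [user]   (defaults to debian-tor)
if [ "${1:-}" = "--apply" ]; then
    apply_if_consistent "${2:-debian-tor}"
fi
```

In the Tor Browser VM from the post, the check fails with a message naming the login user, which is the point: the rules are only worth loading once tor has been moved to its own account (for example via torbrowser-launcher), and the same check can be re-run after that change to confirm the owner match will actually fire.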