On 04/22/2012 01:25 AM, torsi...@tormail.org wrote:
>
> Hi,
>
> Is there anything to worry about if using curl with the below configuration?
> (I don't want to use a virtual machine)
>
> Only debian-tor can go online:
> iptables -F OUTPUT
> iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
> iptables -A OUTPUT -j ACCEPT -o lo
> iptables -A OUTPUT -j ACCEPT -p udp --dport 123
> iptables -P OUTPUT DROP
Just to make sure, add explicit blocking of DNS at the beginning (might add
-m owner --uid-owner debian-tor if you want):

iptables -A OUTPUT -p udp --dport 53 -j REJECT
iptables -A OUTPUT -p tcp --dport 53 -j REJECT

REJECT is IMHO better than DROP for outgoing connections, since you won't
have to wait for the application to detect a timeout.

> curl is used like this:
>
> curl --socks5-hostname 127.0.0.1:9050 -A "TBB's user agent" -C - -O
> http://download.testfile

Use --header to add any additional headers until your request has identical
headers to TBB (adding headers is easy, removing might be harder).

> I guess there is no way that curl can leak the real IP address. Any
> objections?

I can't say for sure, but it likely won't leak your IP for http/https
protocols. The only way to make sure would be thoroughly reading the source.

Ondrej

>
>
>> Hm, you're right, wget 1.12 does not leak DNS if you use http protocol. I
>> just realized I tested it also with https when the leak happened (wget
>> requires explicit 'https_proxy' to use CONNECT for https even if you use
>> the same http proxy).
>>
>> Ondrej
>>
>> On 04/19/2012 10:54 PM, torsi...@tormail.net wrote:
>>> Hi,
>>>
>>> I cannot confirm that wget (v1.12) is sending any DNS resolve when using
>>> it this way:
>>>
>>> wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c
>>> http://download.test
>>>
>>> Wireshark does not show any UDP traffic.
>>>
>>> I will check out curl. I like the idea of not using an http proxy in
>>> between.
>>>
>>> Thanks for the post. :-)
>>>
>>>> On 04/18/2012 11:40 PM, torsi...@tormail.net wrote:
>>>>>> On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer <m...@dee.su> wrote:
>>>>>>> On Wed, Apr 18, 2012 at 11:37, Robert Ransom
>>>>>>> <rransom.8...@gmail.com> wrote:
>>>>>>>> Which version of wget did you audit? What information leaks did
>>>>>>>> you check for during your audit?
>>>>> Hi,
>>>>>
>>>>> How can I check what information wget is transmitting? I used
>>>>> wireshark and filtered to see only the traffic sent from wget to
>>>>> localhost:8118, but I'm not a network expert and I don't know how to
>>>>> interpret the data.
>>>>>
>>>>> Does anybody have deeper network knowledge?
>>>>
>>>> I've just checked wget, it does leak DNS even with the http_proxy
>>>> environment variable set.
>>>>
>>>> How to check:
>>>>
>>>> 1. Run wireshark
>>>> 2. Select "Pseudointerface (any)" unless you know which interface to
>>>>    look at
>>>> 3. Put "dns" into the Filter field and click the "Apply" button
>>>>
>>>> DNS is easy to spot since it's almost always going to UDP port 53
>>>> (exceptions are really rare).
>>>>
>>>> Then you'll see what DNS queries your host did at the time (obviously
>>>> it's best to turn off any other program that could interfere in the
>>>> measurement).
>>>>
>>>> These things can change on a version-to-version basis of the same
>>>> software, so it's always best to check your actual version with
>>>> wireshark.
>>>>
>>>> Though curl is much better than wget, in all recent versions at least,
>>>> this does not leak DNS (--socks5-hostname is the important part; the
>>>> Tor SOCKS5 proxy is expected to run at port 9050):
>>>>
>>>> curl --socks5-hostname localhost:9050
>>>> "http(s)://somesite.wherever/rest_of_url"
>>>>
>>>> Ondrej
_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
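The pieces discussed in this thread (the uid-based egress policy, the explicit DNS REJECT, the --socks5-hostname fetch and the "watch port 53" leak check), put together as one script. This is an added example, not code posted by anyone in the thread. Assumptions: Tor runs as user debian-tor and listens on 127.0.0.1:9050; the DNS REJECT rules are placed after the debian-tor ACCEPT so Tor itself is exempt (Ondrej's optional --uid-owner variant); ip6tables gets the same rules, because an IPv4-only ruleset leaves IPv6 egress wide open; tcpdump stands in for Wireshark's "dns" filter (note -n, otherwise tcpdump's own reverse lookups would show up as leaks). The function and variable names, the ALLOW_NTP/TOR_UA knobs and the sample capture lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the tor-talk thread: torified-user-only egress
# policy plus a DNS-leak check. Assumes Tor runs as $TOR_USER on 127.0.0.1:9050.
set -u

TOR_USER="${TOR_USER:-debian-tor}"
ALLOW_NTP="${ALLOW_NTP:-yes}"   # udp/123 for every uid, as in the original ruleset
TOR_UA="${TOR_UA:-}"            # set to the Tor Browser user-agent string before fetching

# Print the OUTPUT-chain rules for one tool (iptables or ip6tables), one per
# line, in load order. -m owner only works in OUTPUT, which is why the policy
# lives there. The DNS REJECTs sit after the Tor ACCEPT, so Tor is exempt and
# every other uid gets an immediate ICMP error instead of a timeout.
emit_rules() {
  tool=$1
  printf '%s\n' \
    "$tool -F OUTPUT" \
    "$tool -A OUTPUT -o lo -j ACCEPT" \
    "$tool -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT" \
    "$tool -A OUTPUT -p udp --dport 53 -j REJECT" \
    "$tool -A OUTPUT -p tcp --dport 53 -j REJECT"
  if [ "$ALLOW_NTP" = yes ]; then
    printf '%s\n' "$tool -A OUTPUT -p udp --dport 123 -j ACCEPT"
  fi
  printf '%s\n' "$tool -P OUTPUT DROP"
}

# Load the rules for both address families (needs root). Without the
# ip6tables half, any AAAA-reachable host is a direct, un-torified path.
apply_rules() {
  for tool in iptables ip6tables; do
    emit_rules "$tool" | sh -e || return 1
  done
}

# Count lines of tcpdump text output (stdin) that go to port 53. tcpdump
# prints "src.port > dst.port:" for both IPv4 and IPv6 addresses.
count_dns_lines() {
  grep -cE ' > [0-9a-fA-F.:]+\.53: ' || true
}

# Live variant of the Wireshark "dns" filter: run this in another terminal
# while exercising curl; the expected output is nothing at all.
watch_dns() {
  tcpdump -nl -i any 'udp port 53 or tcp port 53'
}

# Fetch through Tor's SOCKS5 port. --socks5-hostname hands the hostname to
# Tor, so the local resolver is never consulted for it.
tor_fetch() {
  [ -n "$TOR_UA" ] || { echo "TOR_UA is not set" >&2; return 1; }
  curl --socks5-hostname 127.0.0.1:9050 -A "$TOR_UA" -C - -O "$1"
}

# Constructed sample of tcpdump output: one leaked query, one SOCKS connection
# to Tor, one direct TLS connection (the policy should make the last impossible).
SAMPLE_CAPTURE='12:00:00.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 12345+ A? download.testfile. (34)
12:00:00.000002 IP 127.0.0.1.40000 > 127.0.0.1.9050: Flags [S], seq 1, length 0
12:00:00.000003 IP 10.0.0.5.40001 > 203.0.113.7.443: Flags [S], seq 2, length 0'

case "${1:-}" in
  rules) emit_rules iptables; emit_rules ip6tables ;;      # dry run, print only
  apply) apply_rules ;;
  check) printf '%s\n' "$SAMPLE_CAPTURE" | count_dns_lines ;;  # prints 1
esac
```

`sh script.sh rules` prints the full ruleset for review without touching the kernel; `sudo sh script.sh apply` loads it. To verify the policy rather than trust it, run `watch_dns` in one terminal and `tor_fetch URL` in another, then repeat the fetch as a non-Tor uid without --socks5-hostname: the first should produce no port-53 lines, the second should fail immediately with the REJECT.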