ben[at]bentasker.co.uk:
Depending on how you're getting traffic onto Tor (i.e. are you using the SOCKS proxy or silently redirecting traffic to the relevant port) you may be able to achieve something similar to what you're attempting using other tools first.

I am just running Tor Browser, so the default SOCKS.
For example, I have a VM running an MUA; it should only ever connect to its mailservers over Tor. To enforce that, my router runs Tor and an iptables rule ensures that all traffic from that VM leaves my network over Tor (there are some other concerns with doing it this way, but they aren't relevant for what I'm trying to say).
Can you expand on this, the Tor on a router part? Others have said[0], in response to an out-of-the-box product you can buy[1], that running Tor on a physical router is not so safe, though this is maybe where your iptables rule comes in.
There's no technical reason I (or you) couldn't add a rule to first push that traffic through some sort of (semi)transparent proxy so that filtering can be performed at application level.
How much control do you then have over the traffic? Can you shape how
you appear, ignoring the risk of standing out? How would you interface
with the traffic?
There are a number of reasons you might not want to do it though:
- It complicates troubleshooting connection issues
- You've just inserted an extra listening point for an adversary to use
- If you're using a transparent solution and it breaks, you may find yourself working without your extra level of 'protection'
- Depending on your solution, it may change your request signature (a lot of work has gone into TBB to make all look the same; you don't want your user-agent to suddenly become 'squid', for example)
In my setup, traffic transits my network in the clear (at least in a metadata sense) before reaching Tor; there's no reason you necessarily need to do that, as you could set something similar up on a single box.

So whilst tor won't do application level filtering for you, you can insert some filtering into the chain, as long as you weigh the risks (and I've likely omitted some).
spencerone[at]opmbx.org:
But I am more asking if Tor can be used as part of a filter, with some sort of application allowing for more control, maybe even of what is sent to the entry. It seems there has been some discussion regarding 'Tor Router/Firewall', though it's only cited as a bullet in a list. I might be misreading, but a Tails document refers to a 'Network Filter'. I don't only want to allow or deny network connections, like with Tails, but filter out certain things as well, maybe with something smaller like a browser or application firewall.
WhonixQubes:
Sounds like you are looking for what is known as an "Application Firewall".
I am. Is there any value to combining incoming access to the Tor network and outgoing connections from applications as a standalone tool? Vs using Little Snitch or built-in firewalls separately from a Tor application like Tor Browser.
Thanks for this!
Wordlife,
Spencer
[0] https://lists.torproject.org/pipermail/tor-talk/2015-February/036719.html
[1] http://cryptographi.com/products/snoopsafe
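One concrete form of the router-side setup Ben describes above (a VM whose traffic may only ever leave the network via Tor), written as an added example for this thread rather than Ben's or the list's own configuration. It emits the iptables rules that redirect the VM's TCP and DNS to a Tor TransPort and DNSPort on the router, and drops everything else from that VM, so a stopped or broken Tor fails closed instead of leaking (the risk raised in Ben's third bullet). The VM address, interface name, router address and port numbers are assumed placeholders; TransPort and DNSPort are real torrc options.

```shell
#!/bin/sh
# Added example (not from the tor-talk thread): force one VM's traffic through
# a Tor TransPort/DNSPort running on the router, and drop everything else from
# that VM so a dead or misconfigured Tor fails closed instead of leaking.
# Every value below is an assumed placeholder; adjust to your own network.
VM_IP="${VM_IP:-192.168.50.10}"        # assumed address of the MUA VM
LAN_IF="${LAN_IF:-eth1}"               # assumed router interface facing the VM
ROUTER_IP="${ROUTER_IP:-192.168.50.1}" # assumed router address on that interface
TRANS_PORT="${TRANS_PORT:-9040}"       # Tor TransPort (transparent TCP proxy)
DNS_PORT="${DNS_PORT:-5353}"           # Tor DNSPort (name resolution over Tor)

# torrc lines the router's tor daemon needs. Binding to the VM-facing address
# (rather than 0.0.0.0) keeps the transparent ports off other interfaces.
torrc_fragment() {
  printf 'TransPort %s:%s\nDNSPort %s:%s\n' \
    "$ROUTER_IP" "$TRANS_PORT" "$ROUTER_IP" "$DNS_PORT"
}

# Emit the iptables commands, one per line, without running them.
# Order matters: redirects first, then explicit accepts for the two Tor ports,
# then unconditional drops. Anything the redirects do not catch (non-DNS UDP,
# ICMP, TCP while Tor is down) is dropped rather than forwarded in the clear.
# If the VM gets its address via DHCP from this router, add an accept for
# udp --dport 67 ahead of the INPUT drop.
tor_vm_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $VM_IP -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $VM_IP -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A INPUT -i $LAN_IF -s $VM_IP -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $VM_IP -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $VM_IP -j DROP
iptables -A FORWARD -i $LAN_IF -s $VM_IP -j DROP
EOF
}

# Apply the rules (needs root on the router); sh -e stops at the first failure
# so a half-applied ruleset is noticed rather than silently left in place.
apply_rules() {
  tor_vm_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  torrc) torrc_fragment ;;
  *)     tor_vm_rules ;;   # default: print the rules for review only
esac
```

Run it with no argument to review the rules, `torrc` to print the lines for the router's torrc, and `apply` as root once both are in place. The FORWARD drop is the part that matters most: with it, stopping tor on the router causes the VM's connections to fail, which is the behaviour you want from a transparent setup.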
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk