[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Tor as a network filter

Depending on how you're getting traffic onto Tor (i.e. are you using the SOCKS proxy or silently redirecting traffic to the relevant port) you may be able to achieve something similar to what you're attempting using other tools first.

For example, I have a VM running an MUA, it should only ever connect to it's mailserver's over Tor. To enforce that, my router runs Tor and an iptables rule ensures that all traffic from that VM leaves my network over Tor (there are some other concerns with doing it this way, but they aren't relevant for what I'm trying to say).

There's no technical reason I (or, you) couldn't add a rule to first push that traffic through some sort of (semi)transparent proxy so that filtering can be performed at application level.

There are a number of reason's you might not want to do it though:

- It complicates troubleshooting connection issues
- You've just inserted an extra listening point for an adversary to use
- If you're using a transparent solution and it breaks, you may find yourself working without your extra level of 'protection'
- Depending on your solution, it may change your request signature (a lot of work has gone into TBB to make all look the same, you don't want your user-agent to suddenly becomes 'squid' for example)

In my setup, traffic transits my network in the clear (at least in a metadata sense) before reaching Tor, there's no reason you necessarily need to do that as you could set something similar up on a single box.

So whilst tor won't do application level filtering for you, you can insert some filtering into the chain, as long as you weigh the risks (and I've likely omitted some)

On Mon, Mar 9, 2015 at 12:09 PM, <spencerone@openmailbox.org> wrote:

Yes, "..separate identification from routing.”, but isn't Tor
filtering my connection to the internet by routing my connection
through its network?  Because, if so, I am wondering if it is possible
to have that onion routing process do more than just automatically
proxy my connection.  I am thinking it could allow me to deny certain
connection attempts completely while allowing others.  If applications
can make connections to the internet through the Tor network, via
Orbot or TorBirdy, for example, how much control can I have over this
on a desk/laptop environment?

Where would I look to find information on this?  Is Vidalia or "system
Tor" relevant to this?

No, tor doesn't filter anything. The closest definition of what tor is
would be "routing software". It routes user traffic through the
anonymization network. There is no degree of control in terms of what is
and isn't sent beyond the fact of connection.

But what about the before the connection, even preventing the connection?  Doesn't Orbot or Tor Browser provide an opportunity to manage what is sent?  Can firewall-like control be implemented into somethinglike this?

You need to really read about tor in order to understand it.

I have been, thanks to many kind people on this list taking their time to help :)  This is why I am asking questions, to better understand the limitations.

But "filter" concept doesn't describe tor in any way. This is the misunderstanding.

I understand the network as you are describing it.  Regarding "filter" I am seeing it from a non-technical user point of view, where it appears as if the user's address has been removed and a new one has been provided, as they might often receive the message "Your IP address appears to be:...".  Given that a filter can be seen as software that reformats some stuff, experientially, in this case, the user's identity has been reformatted, even if technically it's just being swapped for that of the exit's.

But I am more asking if Tor can be used as part of a filter, with some sort of application allowing for more control, maybe even of what is sent to the entry.  It seems there has been some discussion regarding 'Tor Router/Firewall', though it's only cited as a bullet in a list. I might be misreading, but a Tails document refers to a 'Network Filter'.  I don't only want to allow or deny network connections, like with Tails, but filter out certain things as well, maybe with something smaller like a browser or application firewall.

Yuri is correct. Tor does not provide an internet filter for applications.

Awesome, but isn't Orbot something like this?  And didn't Vidalia provide similar functionality?

Sounds like you are looking for what is known as an "Application Firewall".

I am, as touched on above, is there any value to combining incoming access to the Tor network and outgoing connections from applications as a standalone tool?  Vs using Little Snitch or built-in firewalls separately from a Tor application like Tor Browser.


tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to