MIME-Version: 1.0
Date: Tue, 10 Mar 2015 23:11:47 -0700
From: spencerone@openmailbox.org
To: tor-talk@lists.torproject.org
In-Reply-To: <mailman.1520.1425907214.2717.tor-talk@lists.torproject.org>
References: <mailman.1520.1425907214.2717.tor-talk@lists.torproject.org>
Message-ID: <952e82283bfa61ce99b45650383db188@openmailbox.org>
X-Sender: spencerone@openmailbox.org
User-Agent: Roundcube Webmail/1.0.5
Subject: [tor-talk] Tor as a network filter

> ben[at]bentasker.co.uk:
> Depending on how you're getting traffic onto Tor (i.e. are you using the
> SOCKS proxy or silently redirecting traffic to the relevant port) you may
> be able to achieve something similar to what you're attempting using other
> tools first.
>

I am just running Tor Browser, so the default SOCKS.

>
> For example, I have a VM running an MUA; it should only ever connect to
> its mailservers over Tor. To enforce that, my router runs Tor and an
> iptables rule ensures that all traffic from that VM leaves my network over
> Tor (there are some other concerns with doing it this way, but they aren't
> relevant for what I'm trying to say).
>

Can you expand on this, the Tor on a router part?  Others have said[0], 
in response to an out-of-the-box product you can buy[1], that running Tor 
on a physical router is not so safe, though this is maybe where your 
iptables rule comes in.

>
> There's no technical reason I (or you) couldn't add a rule to first push
> that traffic through some sort of (semi)transparent proxy so that filtering
> can be performed at application level.
>

How much control do you then have over the traffic?  Can you shape how 
you appear, ignoring the risk of standing out?  How would you interface 
with the traffic?

>
> There are a number of reasons you might not want to do it though:
>
> - It complicates troubleshooting connection issues
> - You've just inserted an extra listening point for an adversary to use
> - If you're using a transparent solution and it breaks, you may find
>   yourself working without your extra level of 'protection'
> - Depending on your solution, it may change your request signature (a lot
>   of work has gone into TBB to make all look the same; you don't want your
>   user-agent to suddenly become 'squid', for example)
>
> In my setup, traffic transits my network in the clear (at least in a
> metadata sense) before reaching Tor; there's no reason you necessarily need
> to do that, as you could set something similar up on a single box.
>
> So whilst Tor won't do application level filtering for you, you can insert
> some filtering into the chain, as long as you weigh the risks (and I've
> likely omitted some).
>
>> spencerone[at]opmbx.org:
>> But I am more asking if Tor can be used as part of a filter, with some
>> sort of application allowing for more control, maybe even of what is sent
>> to the entry.  It seems there has been some discussion regarding 'Tor
>> Router/Firewall', though it's only cited as a bullet in a list. I might be
>> misreading, but a Tails document refers to a 'Network Filter'.  I don't
>> only want to allow or deny network connections, like with Tails, but filter
>> out certain things as well, maybe with something smaller like a browser or
>> application firewall.
>>
>>> WhonixQubes:
>>> Sounds like you are looking for what is known as an "Application
>>> Firewall".
>>>
>>>
>> I am. Is there any value to combining incoming access
>> to the Tor network and outgoing connections from applications as a
>> standalone tool?  Vs using Little Snitch or built-in firewalls separately
>> from a Tor application like Tor Browser.
>>

Thanks for this!

Wordlife,
Spencer

[0] 
https://lists.torproject.org/pipermail/tor-talk/2015-February/036719.html
[1] http://cryptographi.com/products/snoopsafe
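An added example, not code from Ben, Spencer or any of the projects named in this thread: a POSIX shell script that generates the kind of iptables rule set Ben describes (a Linux router running Tor, with one VM forced through Tor's transparent-proxy listeners). It also addresses the caveat he raises about a transparent setup that "breaks": the rules are fail-closed, so if Tor stops listening the VM loses connectivity instead of silently going out in the clear. The VM address, LAN interface name and port numbers are assumptions set at the top; the script prints the rules rather than applying them, so it can be reviewed and tested without root, and piped into `sh` on the router when you are satisfied.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that force one VM's
# traffic through Tor's TransPort/DNSPort on a Linux router, fail-closed.
# Assumed values (change to match your network and torrc):
VM_IP="${VM_IP:-192.168.1.50}"      # assumption: the MUA VM's address
LAN_IF="${LAN_IF:-eth1}"             # assumption: router interface facing the VM
TRANS_PORT="${TRANS_PORT:-9040}"     # must match 'TransPort' in torrc
DNS_PORT="${DNS_PORT:-5353}"         # must match 'DNSPort' in torrc

# Print the rule set for the given VM, interface and Tor ports.
# Usage: tor_vm_rules <vm-ip> <lan-if> <trans-port> <dns-port>
tor_vm_rules() {
    vm="$1"; ifc="$2"; tp="$3"; dp="$4"
    cat <<EOF
# Rewrite the VM's DNS and new TCP connections to the Tor listeners on this
# router (REDIRECT targets the primary address of the incoming interface, so
# Tor must bind TransPort/DNSPort on that address).
iptables -t nat -A PREROUTING -i $ifc -s $vm -p udp --dport 53 -j REDIRECT --to-ports $dp
iptables -t nat -A PREROUTING -i $ifc -s $vm -p tcp --syn -j REDIRECT --to-ports $tp
# The VM may reach only the two Tor listeners on the router itself...
iptables -A INPUT -i $ifc -s $vm -p tcp --dport $tp -j ACCEPT
iptables -A INPUT -i $ifc -s $vm -p udp --dport $dp -j ACCEPT
# ...and nothing else, locally or forwarded onwards.  This is the fail-closed
# part: if Tor is down, the VM gets no connectivity rather than clear-net access.
iptables -A INPUT -i $ifc -s $vm -j DROP
iptables -A FORWARD -i $ifc -s $vm -j DROP
EOF
}

# Sanity check for the generated policy: both DROP rules (INPUT and FORWARD)
# must be present, otherwise a Tor outage would leak the VM's traffic.
count_drop_rules() {
    tor_vm_rules "$@" | grep -c -- '-j DROP'
}

# Default run: print the rules for review.  Apply on the router with:
#   sh tor-vm-rules.sh | sudo sh
tor_vm_rules "$VM_IP" "$LAN_IF" "$TRANS_PORT" "$DNS_PORT"
```

On the Tor side the router's torrc needs matching listeners bound to the LAN address, e.g. `TransPort 192.168.1.1:9040` and `DNSPort 192.168.1.1:5353` (both are standard Tor options); the 192.168.1.1 address is an assumption. Note that this only constrains where the VM's packets can go; it does not do the application-level filtering the thread is asking about, which would sit as an additional hop between the VM and the Tor listener and carries the request-signature risk Ben mentions.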

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

