IRC Archive / Oftc / #tor / 2009 / December / 12 / 1
fossiiil
hi again
Hoppi
Hi, I have a quick question about TOR with Firefox :)
just something that's much quicker simply asked than if I hunted the net for an answer! :)
fossiiil_
hello
Hoppi
heya :)
basically my query is
i am currently using privoxy instead of polipo, simply because privoxy seemed to have an easier time picking up its config file and is also apparently a tad harder to detect?
but i am using Torbutton, which seems to prefer polipo
Sebastian
it doesn't care, actually
either is fine
Hoppi
does it work fine with privoxy, and should i consider switching to polipo?
oh ok
what is that little tickbox for about "use polipo" or something? :)
fossiiil_
Can somebody explain to me why we use the filter table and not just nat in http://pastebin.com/df0b2e2 ?
Sebastian
Hoppi: it could say "Use Polipo/Privoxy"
Hoppi
oh so, what does that box do?
and that's awesome torbutton works with both :)
fossiiil_
i'm trying to avoid leaks using transparent proxy with iptables...
can we discuss the rules, from first to last?
i made exact copy from http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy
Sebastian
Hoppi: it directs torbutton to use your proxy
fossiiil_
it's on pastebin above...i decided to use pastebin because it adds line numbers...so the first rule is on line 14
Hoppi
oh ok :)
thank you :)
yeah it seems to be working fine atm
fossiiil_
lines 14,15 are simply flushing filter & nat table, clear
the rule on line 17 tells it to use the default chain policy (accept) for packets leaving the local machine, generated by the Tor process ... fine, clear
lines 18-20 tell it to accept packets that were sent to the local machine...fine, they do not betray us, since they do not leave the network card
line 21 redirects packets to ANY DNS server on the Internet (udp/53) to the local DNS server (see DNSPort in /etc/tor/torrc), fine ... we avoid DNS leaks
now i'd just redirect everything else to TRANS_PORT ...
see TransPort in /etc/tor/torrc
but the rest, lines 22 - 29 are confusing me...
ok...tor cannot transport UDP...right?
Sebastian
right, tor cannot transport udp
fossiiil_
ok, ok...but it's still confusing me
i found this picture about iptables, because i was puzzled how the nat/filter/mangle/... tables interact
maybe i don't really understand the REJECT target, though linux manpage says:
RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
let's consider rule on line #17
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
i don't understand what is 'calling chain'
i'd really want to understand this
nsa
or: sebastian committed revision 21146 (/projects/todo): new branch, hopefully this approach is better
falafell
hi
gouki
Guys, I found an article with links to two hidden service search engines, for the Tor network. Both of them are offline. Is there a search engine available?
xtoaster
there seems to be 3 search engine on onion network.
Sebastian
gouki: hidden services come on and off unpredictably. I currently don't know of a working search engine, sorry. You could try onionforum or the hidden wiki to discover pages
gouki: also, quite a few pages have been indexed by google through tor2web
xtoaster
toogle torgle y** *don't remember
gouki
Thank you very much.
Also, another thing ... What is the best way to limit my relay to use only 150GB of bandwidth per month?
falafell
my tor isn't working, i get an error with the cache data path
phobos
gouki: accountingmax
or man tor
gouki
OK
Sebastian
gouki: there are two things to consider
a) you should try to keep your relay running continuously, even if that means a lower bandwidth
b) you can't have too little bandwidth
phobos
accountingmax will figure out a good average rate
Sebastian
no it won't
it will max it out, and then hibernate
phobos
mine seems to
Sebastian
hrm.
(Action) goes to check
phobos
at least 0.2.2.6-alpha
Sebastian
can't find anything that would make that true.
hrm
gouki
I was going to use this: http://paste.ubuntu.com/339644/
What do you guys think?
Won't reach the limit in only a few hours.
Sebastian
right, that's not very useful
going down once a day isn't very useful
gouki
It's not?
Sebastian
if you have a monthly limit, try to run for a few days straight
gouki
Sebastian, so you don't think that's a good configuration?
Sebastian
every time your relay shuts down, all open connections are broken, etc
gouki: no, in your case, saying 60GB and monthly is much better
gouki
Is it 60GB x 2? (up/down)
Sebastian
yes
gouki
AccountingStart month 1 0:00
AccountingMax 60 GB
Then?
And I lose the RelayBandwidth* configurations.
Burst and Rate.
Sebastian
Yep, that can work.
Or set it to 1MB/sec or something.
nsa
or: sebastian committed revision 21147 (/projects/todo): more new branches
Sebastian
gimme moar branches
gouki
I'm going to give it a try with:
AccountingStart month 1 00:00
AccountingMax 80 GB
160GB/month.
Sebastian
ok. Please observe and report back how it works for you
gouki
Sebastian, sure. Thank you very much.
Sebastian
thank you for running a relay :-)
There's a relay operators mailing list, btw. If you're interested
http://archives.seul.org/tor/relays/
gouki
Yeah. On it :)
Sebastian
neat
gouki
Not having DirPort could also save some bandwidth, right?
Sebastian
yes
where "save" means "make available for Tor users' data"
gouki
Thought about it because of the following notice:
[notice] Not advertising DirPort (Reason: AccountingMax enabled)
Sebastian
ah
you won't do it anyways, then
gouki
Yeah :)
So maybe 80GB will last a couple of days :)
Sebastian
yup
gouki
Well, 2AM. time for bed.
Good night everyone.
Sebastian
hehe, 4am ;)
sleep well.
fossiiil
I think i found uneeded step, setting up transparent proxy on http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy
In 2.2:
Configure your system's DNS resolver to use Tor's DNSPort on the loopback interface by modifying /etc/resolv.conf.
Sebastian
fossiiil: it's a wiki, edit it appropriately?
fossiiil
nameserver 127.0.0.1
i'd like to explain before causing some unwanted damage...
i'm just learning iptables, it's 4:30 here
and was playing with its logging facility (-j LOG)
this rule: iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
Sebastian
fossiiil: ok. Feel free, let's hope the person who knows is around.
fossiiil
if you have "DNSPort 53" in torrc, it tells Tor to open DNS resolver on port 53...right....
dr|z3d
Yup.
fossiiil
and this rule says (verified with manpage+iptables LOG) that any dns request to any server (like foo:53) will get rewritten to localhost:53 (Tor's resolver)
so, editing /etc/resolv.conf is absolutely not needed
that's how i understand it and verified...
keb
yess
fossiiil
i can fire tcpdump just for kicks now...
keb
well the Tor client on your computer listens on that port and sends dns requests over the tor network to be resolved
fossiiil
yes
arma
i hope none of your applications try to make requests using parts of the dns protocol that tor doesn't support :)
fossiiil
arma: i'm not sure...
but according to the text in 2.2. Local Redirection Through Tor, it looks like it's needed to edit /etc/resolv.conf before applying that iptables rules...
keb
dig might be one app which can do the full range of dns things
fossiiil
the whole point is that you can turn that transparent proxy on/off without editing /etc/resolv.conf or any other system file...just by adding/removing iptables rules
ok, my two cents :-)
can i manually increase the number of hops in circuit?
the default is 3 hops...can it be changed?
keb
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#VariablePathLength
fossiiil
i had a weird idea of ssh tunnelling (to protect against sniffing data coming out of my PC) through this transparent proxy to a box on the internet i have with friends that has Privoxy+Tor installed...that makes 6 hops...but encrypts traffic from my PC...
keb
why not put tor on your pc
fossiiil
i have Tor client
will it work? I'm behind NAT
And it's my home PC i run only few hours a day
keb
if you just want to be sure no one reads the contents of your traffic to your friends pc, ssh tunnel is enough. if you want to ensure no one else knows that your pc and your friends pc is connected, then put the ssh tunnel through tor
xtoaster
why not setup a hs
keb
(hidden service)
xtoaster
and connect to each other.
fossiiil
keb: nice :-)
keb
xtoaster you mean each sets up an ssh server on a hidden service, and then they use ssh with machine names of *.onion ?
fossiiil
that's a pretty paranoid solution
xtoaster
uh, there is a onioncat
its vpn stuff through hs
maybe that could be what we need.
since when a client connect to a hs, a port-to-port tunnel is established, I think to use ssh or not, depends on what kind of connection to push through this tunnel.
keb
yah you could just use telnet
or open a xterm
xtoaster
well, if that is not enough, pls give onioncat a look. eagle is proud of his work :-)
http://www.cypherpunk.at/onioncat/
keb
are there summary statistics for a given tor relay of how many circuits were made thru it?
Sebastian
keb: you can send a usr1 signal to make it dump statistics in its logfile. If it isn't in there, I suppose no.
keb
ah yes i enabled stats. i should check said logfile
Sebastian
"enabled stats"? I guess you mean one of the options karsten implemented a little while ago and that you can turn on in your config. That's not what I mean
keb
ok
xtoaster
what about established connection/2
keb
wow that dumped a lot of stuff
Sebastian
yup
keb
xtoaster SIGUSR1 seems to dump current connections too
fossiiil
he means remotely, probably ;-)
xtoaster
good to know it works
arma
(Action) remembers onioncat and puts it on his upcoming list of tor-related projects. thanks
xtoaster
(Action) tips his hat to arma
Sebastian
onioncat will have major problems once we're forced to use longer .onion names :( It already doesn't work with hidden services using authentication
it is a very neat idea, though
keb
why aren't .onion names long enough
Sebastian
at some point, it will be feasible to brute force an address
arma
we're already skimping on the sha1 quite a bit
ever notice how lots of .onion addresses have recognizable looking names?
keb
yeah they keep trying til they get one readable
shallot or something
Sebastian
generating a name that started with "sebastianha" didn't take more than 2 weeks
that's already 11 out of 16 chars, on non-optimized hardware
xtoaster
:-D
keb
i guess there is a problem if the hidden services are effectively sequentially numbered
Sebastian
It'd be interesting to learn how long a playstation cluster with optimized software would need to generate a .onion address.
keb: I don't understand
keb
an attacker would know exactly how many are extant
arma
(Action) adds shallot to his upcoming list too
keb
and be able to target each one with various attacks
Sebastian
keb: still not getting exactly what you're hinting at
keb
in other words, my question is, why aren't they just numbered sequentially in the order the directory servers learn about them
Sebastian
ah
that's not possible at all
let me tell you a little about how it works
keb
i read in the spec how it generates the id
Sebastian
A hidden service, before it can start operating, needs to generate an identity key. This key will be needed to verify to someone who connects to the hidden service that the hidden service really is the one it pretends to be