Linux (original) (raw)

�� Tor-�� BSD (transparent Tor-proxy �� anonymizing middlebox)

��, �� www �� Tor-faq, �� OpenBSD PF ��-�� , �, �� , �� . �� PF. �� — �� Tor, �� Tor-�� (� �� ).

�� — fxp0, � �� — vr0 � vr1. �� OpenBSD � NetBSD. �� Tor �� tor (_tor) � �� tor (_tor) �� NetBSD (OpenBSD). �� vipw �� (�� UID, �� , �� , ��, tor1 � tor2). �� tor-�� :

$ cat torrc_1 SocksPort 9050 SocksListenAddress 127.0.0.1 RunAsDaemon 1 DataDirectory /tmp/tor_1 User tor1 AutomapHostsOnResolve 1 Log notice file /tmp/tor_1.log VirtualAddrNetwork 10.192.0.0/10 TransPort 9060 DNSPort 5353

$ cat torrc_2 SocksPort 8050 SocksListenAddress 127.0.0.1 RunAsDaemon 1 DataDirectory /tmp/tor_2 User tor2 AutomapHostsOnResolve 1 Log notice file /tmp/tor_2.log VirtualAddrNetwork 172.16.0.0/12 TransPort 8060 DNSPort 5363

� �� 1. �� /etc/rc.local ��

/usr/local/bin/tor -f /path/to/torrc_1 /usr/local/bin/tor -f /path/to/torrc_2

�� OpenBSD �

/usr/pkg/bin/tor -f /path/to/torrc_1 /usr/pkg/bin/tor -f /path/to/torrc_2

�� NetBSD.

�� www Tor-faq, �� /dev/pf �� OpenBSD, �� NetBSD, �� :

chgrp tor /dev/pf

chmod g=r /dev/pf

�� NetBSD 5.0.2, NetBSD 5.1 � OpenBSD 4.52:

in0 = "vr0" IPin0 = "IP_��_vr0" net0 = "��_��_vr0" TransPort0 = "9060" DnsPort0 = "5353"

in1 = "vr1" IPin1 = "IP_��_vr1" net1 = "��_��_vr1" TransPort1 = "8060" DnsPort1 = "5363"

out0 = "fxp0" IPout0 = "IP_��_fxp0"

lh = "localhost" tor_users = "{ tor1, tor2 }"

scrub all no-df random-id min-ttl 128

rdr on in0inetprototcpfromin0 inet proto tcp from in0inetprototcpfromnet0 to ! IPin0−>127.0.0.1portIPin0 -> 127.0.0.1 port IPin0−>127.0.0.1portTransPort0 rdr on in0inetprotoudpfromin0 inet proto udp from in0inetprotoudpfromnet0 to ! IPin0portdomain−>127.0.0.1portIPin0 port domain -> 127.0.0.1 port IPin0portdomain−>127.0.0.1portDnsPort0

rdr on in1inetprototcpfromin1 inet proto tcp from in1inetprototcpfromnet1 to ! IPin1−>127.0.0.1portIPin1 -> 127.0.0.1 port IPin1−>127.0.0.1portTransPort1 rdr on in1inetprotoudpfromin1 inet proto udp from in1inetprotoudpfromnet1 to ! IPin1portdomain−>127.0.0.1portIPin1 port domain -> 127.0.0.1 port IPin1portdomain−>127.0.0.1portDnsPort1

block all block in quick from any os NMAP antispoof log quick for {$in0,$in1,$out0}

pass in on in0inetprototcpfromin0 inet proto tcp from in0inetprototcpfromnet0 to lhportlh port lhportTransPort0 user root pass in on in0inetprotoudpfromin0 inet proto udp from in0inetprotoudpfromnet0 to lhportlh port lhportDnsPort0 user root

pass in on in1inetprototcpfromin1 inet proto tcp from in1inetprototcpfromnet1 to lhportlh port lhportTransPort1 user root pass in on in1inetprotoudpfromin1 inet proto udp from in1inetprotoudpfromnet1 to lhportlh port lhportDnsPort1 user root

pass out on out0inetprototcpfromout0 inet proto tcp from out0inetprototcpfromIPout0 to any user $tor_users

block inet6 all

��

block all block in quick from any os NMAP antispoof log quick for {$in0,$in1,$out0}

��

� ��

tcpdump -i pflog0 -n -e action block

�� , �� PF (�� ). �� actions �� OpenBSD. �� , �� "block all" �� nmap � ��, ��, ��3.

�� OpenBSD 4.8 � �� PF �� 4:

match in on in0inetprototcpfromin0 inet proto tcp from in0inetprototcpfromnet0 to ! IPin0rdr−to127.0.0.1portIPin0 rdr-to 127.0.0.1 port IPin0rdr−to127.0.0.1portTransPort0 match in on in0inetprotoudpfromin0 inet proto udp from in0inetprotoudpfromnet0 to ! IPin0portdomainrdr−to127.0.0.1portIPin0 port domain rdr-to 127.0.0.1 port IPin0portdomainrdr−to127.0.0.1portDnsPort0

match in on in1inetprototcpfromin1 inet proto tcp from in1inetprototcpfromnet1 to ! IPin1rdr−to127.0.0.1portIPin1 rdr-to 127.0.0.1 port IPin1rdr−to127.0.0.1portTransPort1 match in on in1inetprotoudpfromin1 inet proto udp from in1inetprotoudpfromnet1 to ! IPin1portdomainrdr−to127.0.0.1portIPin1 port domain rdr-to 127.0.0.1 port IPin1portdomainrdr−to127.0.0.1portDnsPort1

block all block in quick from any os NMAP antispoof quick for {$in0,$in1,$out0}

pass in on in0inetprototcpfromin0 inet proto tcp from in0inetprototcpfromnet0 to lhportlh port lhportTransPort0 user unknown pass in on in0inetprotoudpfromin0 inet proto udp from in0inetprotoudpfromnet0 to lhportlh port lhportDnsPort0 user unknown

pass in on in1inetprototcpfromin1 inet proto tcp from in1inetprototcpfromnet1 to lhportlh port lhportTransPort1 user unknown pass in on in1inetprotoudpfromin1 inet proto udp from in1inetprotoudpfromnet1 to lhportlh port lhportDnsPort1 user unknown

pass out on out0inetprototcpfromout0 inet proto tcp from out0inetprototcpfromIPout0 to any user $tor_users block inet6 all

�� PF �� Tor-��. �� -�� (�� ssh, ��) �� .

��:

�� . �� PF (�.�. ��) �� user root, � �� — �� user unknown5, �� user � man pf.conf �� . �� tor �� user tor6, �� PF, �� -�� , �� (� �� root, �.�. �� /etc/rc.local). �� , �� , �� user unknown, �� — �� , �� , �� 7. � �� pass in �� (�� rdr, � �� Tor. �� , �� rdr �� user, �� pass in �� root [��. �� ]).
� Tor-faq �� (�� ), �� /�� . �� (� �� ), �� . �� , �� , �� PF �� 3.

�� mklivecd �� NetBSD LiveCD, �� Tor-�� 8. �� (�� in0 � in1 �� ).

P.S.: �� local redirection �� , �� PF-�� Linux-�� .

1�� /tmp �� mfs.
2� NetBSD 3.0 �� Tor �� pkgsrc �� (�� ), �� .
3�� , �� , �� .
4�� "��" �� .
5�� .
6�� user, �� .
7��, user root �� pass in �� ssh.
8��-�� OpenBSD LiveCD � �� , � �� how-to �� OpenBSD � �� 4.8 (�� boot �� LiveCD). �� FreeBSD �� LiveCD, �� .

��������� Tor-������� ��� BSD (transparent Tor-proxy ��� anonymizing middlebox)

chgrp tor /dev/pf

chmod g=r /dev/pf

tcpdump -i pflog0 -n -e action block

�� Tor-�� BSD (transparent Tor-proxy �� anonymizing middlebox)