Anonymizer tool like Tor?
freebsd-questions at lists.goldenpath.org
Thu Mar 12 10:47:09 PDT 2009
> On Thu, 12 Mar 2009 10:42:53 +0100, Andreas Rudisch <"cyb."@gmx.net>
> Thanks Andeas. Up to now, I only used the Tor client for Windows that
> comes with Privoxy, so never used Tor as-is, and never on the command
> If someone's used to using Tor, I have a couple of questions. On
> FreeBSD, I intend to use it to run a Python script to connect to a
> remote web server and download pages.
> Do I need to start the Tor server? Do I need a web proxy like Privoxy,
> or is the Tor client enough? How do set things up so my Python scripts
> connects to Tor?
As with all things BSD, the tor server potential is a lot more valuable
than it's tor user potential.
All the user gadgets (vidialia, privoxy, etc.) are very fallible. As
long as your machine has a routable connection to the internet, your
machine can be tricked into revealing it's IP, in sooo many ways.
I realize this is only some minor corporate espionage, but bad practice
is bad practice. Don't feel safe with it.
You want a transparent tor proxy, which you setup with freebsd and pf.
You setup a separate lan with any number of machines (virtual
machines?), all using the tor server as their default gateway and dns
To the client machines, all they see is 100% normal internet traffic.
They don't need tor, vidalia, privoxy or any other gizmos.
It's completely transparent. Bear in mind, anything not encrypted is
exposed to the exit router and everything else it normally would be.
If you google Tor Transparent Proxy, this should be your first link:
Half way down they have the BSD / pf setup.
Things not mentioned there (quite a few actually):
You do not want to run tor as root, which unfortunately takes some
tweeking to run properly as the default _tor user.
Yes, you want to "start tor" automatically on boot with rc.conf:
You want routing disabled, you're actually doing redirection through pf,
In pf.conf you want, at least:
trans_port = "9040"
transdns_port = "53"
set skip on lo
rdr pass on $int_if inet proto tcp to !($int_if) -> 127.0.0.1 port
rdr pass on $int_if inet proto udp to port domain -> 127.0.0.1 port
You need to set group ownership on /dev/pf to _tor and set suitable
permissions or sort this out somehow. _tor user needs access to /dev/pf
And put this in devfs.conf so it survives a reboot.
own pf root:_tor
perm pf 0660
You need to set net.inet.ip.portrange.reservedlow=54 or use some other
method to allow the _tor user to bind to privileged ports.
And put this in sysctl.conf so it survives a reboot.
Obviously you should also run tor in a jail, but I'm not going to detail
I had some bugginess with port binding, so I found it works best if you
explicitly state, like so in /usr/local/etc/tor/torrc
Where 192.168.0.1 is the tor server's IP address of the interface being
provided to the private LAN that will us it as their Default Gateway.
Note also that if you try to set a ControlListenAddress without
authentication setup, it will close all Control Ports on startup. So
just leave it local.
If it's not obvious, yes it's assumed you have a 2nd interface with a
valid IP connected to a LAN that has a route to the internet.
A major thing lacking is a command line tor control utility. And this is
Sometimes you get crappy circuits, sometimes you get a hacker who is
trying to SSL / SSH M-i-t-M you.
You need to be able to flush the router and grab new circuits on demand.
I just enable the control port locally and telnet to it.
To get new circuits, on the control port (assuming you haven't set any
Then flush pf:
pfctl -F all
pftop is nice for watching your tor circuits (in ports).
More information about the freebsd-questions