Anonymizer tool like Tor?

T. freebsd-questions at
Thu Mar 12 10:47:09 PDT 2009

Gilles wrote:
> On Thu, 12 Mar 2009 10:42:53 +0100, Andreas Rudisch <"cyb.">
> wrote:
>> /usr/ports/security/tor/
> Thanks Andeas. Up to now, I only used the Tor client for Windows that
> comes with Privoxy, so never used Tor as-is, and never on the command
> line.
> If someone's used to using Tor, I have a couple of questions. On
> FreeBSD, I intend to use it to run a Python script to connect to a
> remote web server and download pages.
> Do I need to start the Tor server? Do I need a web proxy like Privoxy,
> or is the Tor client enough? How do set things up so my Python scripts
> connects to Tor?

As with all things BSD, the tor server potential is a lot more valuable 
than it's tor user potential.
All the user gadgets (vidialia, privoxy, etc.) are very fallible. As 
long as your machine has a routable connection to the internet, your 
machine can be tricked into revealing it's IP, in sooo many ways.
I realize this is only some minor corporate espionage, but bad practice 
is bad practice. Don't feel safe with it.

You want a transparent tor proxy, which you setup with freebsd and pf.

You setup a separate lan with any number of machines (virtual 
machines?), all using the tor server as their default gateway and dns 
To the client machines, all they see is 100% normal internet traffic. 
They don't need tor, vidalia, privoxy or any other gizmos.
It's completely transparent. Bear in mind, anything not encrypted is 
exposed to the exit router and everything else it normally would be.

If you google Tor Transparent Proxy, this should be your first link:
Half way down they have the BSD / pf setup.

Things not mentioned there (quite a few actually):
You do not want to run tor as root, which unfortunately takes some 
tweeking to run properly as the default _tor user.
Yes, you want to "start tor" automatically on boot with rc.conf:

You want routing disabled, you're actually doing redirection through pf, 
not routing.
In pf.conf you want, at least:
trans_port = "9040"
transdns_port = "53"
set skip on lo
scrub in
rdr pass on $int_if inet proto tcp to !($int_if) -> port 
rdr pass on $int_if inet proto udp to port domain -> port 

You need to set group ownership on /dev/pf to _tor and set suitable 
permissions or sort this out somehow. _tor user needs access to /dev/pf
And put this in devfs.conf so it survives a reboot.
own     pf      root:_tor
perm    pf      0660

You need to set net.inet.ip.portrange.reservedlow=54 or use some other 
method to allow the _tor user to bind to privileged ports.
And put this in sysctl.conf so it survives a reboot.
Obviously you should also run tor in a jail, but I'm not going to detail 

I had some bugginess with port binding, so I found it works best if you 
explicitly state, like so in /usr/local/etc/tor/torrc

AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
RunAsDaemon 1
ControlPort 9051

Where is the tor server's IP address of the interface being 
provided to the private LAN that will us it as their Default Gateway.
Note also that if you try to set a ControlListenAddress without 
authentication setup, it will close all Control Ports on startup. So 
just leave it local.
If it's not obvious, yes it's assumed you have a 2nd interface with a 
valid IP connected to a LAN that has a route to the internet.

A major thing lacking is a command line tor control utility. And this is 
Sometimes you get crappy circuits, sometimes you get a hacker who is 
trying to SSL / SSH M-i-t-M you.
You need to be able to flush the router and grab new circuits on demand.
I just enable the control port locally and telnet to it.
To get new circuits, on the control port (assuming you haven't set any 


Then flush pf:
pfctl -F all

pftop is nice for watching your tor circuits (in ports).

More information about the freebsd-questions mailing list