Hello,

I am trying to set up Tor (the onion router) as a transparent proxy using a suggested PF ruleset. It doesn't work though, and I can't figure out how the PF ruleset is supposed to work, so maybe someone can help me understand/fix it?

The idea is that PF sends all TCP traffic to Tor's transparent proxy port, and all DNS requests to Tor's DNS port,
and blocks everything else (Tor only supports TCP).
There is also something about mapping virtual IP addresses:
I am guessing it makes a reply to the local DNS requests to send it to addresses Tor is bound to?

I think my problem is that I am trying to use DHCP (so I can connect to new networks without reconfiguring)
with it, and the ruleset looks like it's set up for a static IP.

Anyway, here is the setup recommended by the Tor wiki, with my notes on what I think it's supposed to do. Maybe people can correct me where I'm wrong. I can't find the person that wrote the wiki page and most of the Tor users don't know anything about PF. I have been reading about PF and trying to decipher it for several days
but it's very confusing for me.

First edit resolv.conf to read:
   lookup file bind
   nameserver 127.0.0.1
   # I think this is to redirect all DNS requests to Tor (which listens on port 53)
   # One problem with DHCP is that this file is overwritten with every boot

Then:
   ifconfig lo1 create up 127.0.0.2
   # creates a new loopback interface lo1 and binds it to 127.0.0.2?
   # lo interfaces loop back to allow local communication

Then edit pf.conf:
   # destinations you don't want routed through Tor
   non_tor = "{ 192.168.1.0/24 192.168.0.0/24 }"
       # 192.168.*.* are local network addresses (but what is what?)

   # Tor's TransPort
   trans_port = "9040"

   scrub in
       # cleans up packet fragmentation etc. when incoming

   rdr pass on lo1 inet proto tcp all -> 127.0.0.1 port $trans_port
       # any packets not matching below rules: pass incoming and outgoing TCP traffic in lo1 to Tor
   rdr pass on lo1 inet proto udp to port domain -> 127.0.0.1 port domain
       # any packets not matching below rules: pass incoming and outgoing UDP traffic in lo1 to the local address (and Tor if it is port 53)

   block return out
       # any outgoing packets not matching below rules are dropped and an error is returned
   pass out quick on lo0 route-to lo1 inet proto tcp to 127.192.0.0/10 flags S/SA modulate state
       # passes any TCP leaving lo0 to lo1 and then to whatever virtual address tor assigned
   pass quick on { lo0 lo1 } keep state
       # ?
   pass out quick inet to $non_tor keep state
       # any packets matching non tor addresses are passed out
   pass out quick inet proto tcp user _tor flags S/SA modulate state
       # any outgoing TCP packets from _tor user are passed out
   pass out quick route-to lo1 inet proto udp to port domain keep state
       # send outgoing UDP packets first to lo1 and then to whatever port/domain specified
   pass out route-to lo1 inet proto tcp all flags S/SA modulate state
       # send outgoing TCP packets to lo1 and then ?

Start up Tor and load the new PF ruleset


It seems overly complicated to me. Why the multiple loopback interfaces?
I wouldn't think that the PF ruleset needs to be that complex.
Just something like:

   Get assigned IP addresses from DHCP
      # (no idea how to do this)

   If the traffic originates from the _tor user, let it through
Maybe something here about letting some kinds of system traffic through (like DHCP handshakes)

   Send all outgoing TCP traffic to Tor's transparent proxy port
   Send all outgoing UDP DNS requests to Tor's DNS port
   Block all other outgoing requests

Maybe someone can help me understand this better so I can rewrite the PF ruleset.

Thanks!

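As an added example (not from the post or the Tor wiki), here is the same ruleset in the post's PF syntax, reordered with comments on how PF actually evaluates it, and with the static LAN addresses replaced by an interface macro that follows the DHCP lease; the interface name em0 and the torrc port values are assumptions.

```pf
# Assumed names: em0 is the DHCP-configured uplink, lo1 the extra loopback
# (127.0.0.2) the post creates. Ports follow torrc: TransPort 9040, DNSPort 53.
ext_if = "em0"
trans_port = "9040"
dns_port = "domain"

scrub in

# Translation (rdr) rules are applied before the filter rules. Anything the
# route-to rules below push through lo1 comes back in on lo1 and is
# redirected here: TCP to Tor's TransPort, UDP port 53 to Tor's DNSPort.
rdr pass on lo1 inet proto tcp all -> 127.0.0.1 port $trans_port
rdr pass on lo1 inet proto udp to port domain -> 127.0.0.1 port $dns_port

# Filter rules: the LAST matching rule wins, unless a rule says "quick",
# which stops evaluation at that rule. So this block is the default, and
# every "quick" rule below it is an exception, checked top to bottom.
block return out

# Tor's VirtualAddrNetwork (127.192.0.0/10 by default) is handed out for
# .onion lookups; connections to it leave via lo0 and must reach lo1 too.
# This has to come before the general loopback pass below.
pass out quick on lo0 route-to lo1 inet proto tcp to 127.192.0.0/10 flags S/SA modulate state

# Remaining loopback traffic is never filtered; Tor's listeners are on 127.0.0.1.
pass quick on { lo0 lo1 } keep state

# Keep the DHCP client working: UDP port 68 (bootpc) to port 67 (bootps).
pass out quick on $ext_if inet proto udp from port bootpc to port bootps keep state

# Local subnet bypasses Tor. The parentheses make PF re-evaluate the
# interface's address and netmask whenever DHCP changes them, so no
# static 192.168.x.0/24 has to be written into the ruleset.
pass out quick inet to ($ext_if:network) keep state

# Tor itself must reach its relays directly.
pass out quick inet proto tcp user _tor flags S/SA modulate state

# Everything else: DNS and TCP are routed into lo1, where the rdr rules
# above redirect them to Tor. Any other protocol falls through to the block.
pass out quick route-to lo1 inet proto udp to port domain keep state
pass out route-to lo1 inet proto tcp all flags S/SA modulate state
```

Because DHCP rewrites resolv.conf on every lease, the companion setting on the DHCP side is `supersede domain-name-servers 127.0.0.1;` in dhclient.conf (ISC/OpenBSD dhclient syntax), and the ruleset is loaded with `pfctl -f /etc/pf.conf`.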