Home Explore Help
Register Sign In
JeremyRand
/
torspec
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: stream-event-isolation
Branches Tags
torspec
/
tor-fw-helper-spec.txt

tor-fw-helper-spec.txt 2.6 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. 

  2.                           Tor's (little) Firewall Helper specification
    3. 

  3.                                       Jacob Appelbaum
    4. 

  4. 

  5. 0. Preface
    6. 

  6. 

  7.  This document describes issues faced by Tor users who are behind NAT devices
    8. 

  8.  and wish to share their resources with the rest of the Tor network. It also
    9. 

  9.  explains a possible solution for some NAT devices.
    10. 

  10. 

  11. 1. Overview
    12. 

  12. 

  13.  Tor users often wish to relay traffic for the Tor network and their upstream
    14. 

  14.  firewall thwarts their attempted generosity.  Automatic port forwarding
    15. 

  15.  configuration for many consumer NAT devices is often available with two common
    16. 

  16.  protocols NAT-PMP[0] and UPnP[1].
    17. 

  17. 

  18. 2. Implementation
    19. 

  19. 

  20.  tor-fw-helper is a program that implements basic port forwarding requests; it
    21. 

  21.  may be used alone or called from Tor itself.
    22. 

  22. 

  23. 2.1 Output format
    24. 

  24. 

  25. 2.1.1. Motivation
    26. 

  26. 

  27.  tor-fw-helper should be able to signal to tor whether its actions
    28. 

  28.  succeeded so that tor can act accordingly. For this reason it's
    29. 

  29.  important to standarize the output format of tor-fw-helper.
    30. 

  30. 

  31.  tor-fw-helper outputs signalling commands to stdout, and debugging
    32. 

  32.  messages to stderr. This means that a program that launches
    33. 

  33.  tor-fw-helper only needs to monitor stdout to learn its status.
    34. 

  34. 

  35. 2.1.2. TCP forwarding output
    36. 

  36. 

  37.  When tor-fw-helper completes a TCP forwarding action, it prints the
    38. 

  38.  following message to standard output:
    39. 

  39. 

  40.     tor-fw-helper tcp-forwarding <external port> <internal port> <status> [<message>]
    41. 

  41. 

  42.  where,
    43. 

  43. 

  44.  <external port>, is the TCP port in the external side of the NAT
    45. 

  45.                   device that was forwarded.
    46. 

  46.  <internal port>, is the TCP port in the internal side of the NAT
    47. 

  47.                   device that accepts forwarded traffic.
    48. 

  48.  <status>, is either "SUCCESS" or "FAIL".
    49. 

  49.  <message>, is an optional supplementary message that can include
    50. 

  50.             multiple words.
    51. 

  51. 

  52.  For example, upon successfully using NAT-PMP to forward connections from
    53. 

  53.  port '4200' to port '4333', tor-fw-helper would output in stdout:
    54. 

  54. 

  55.     tor-fw-helper tcp-forwarding 4200 4333 SUCCESS NAT-PMP succeded
    56. 

  56. 

  57. 3. Security Concerns
    58. 

  58. 

  59.  It is probably best to hand configure port forwarding and in the process, we
    60. 

  60.  suggest disabling NAT-PMP and/or UPnP. This is of course absolutely confusing
    61. 

  61.  to users and so we support automatic, non-authenticated NAT port mapping
    62. 

  62.  protocols with compliant tor-fw-helper applications.
    63. 

  63. 

  64.  NAT should not be considered a security boundary. NAT-PMP and UPnP are hacks
    65. 

  65.  to deal with the shortcomings of user education about TCP/IP, IPv4 shortages,
    66. 

  66.  and of course, NAT devices that suffer from horrible user interface design.
    67. 

  67. 

  68. [0] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
    69. 

  69. [1] http://en.wikipedia.org/wiki/Universal_Plug_and_Play
    70. 

  70.