From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 11:21:40 2013
Date: Mon, 4 Mar 2013 12:09:34 +0100
From: Fabian Keil
To: Robert Simmons
Cc: freebsd-pf@freebsd.org
Subject: Re: Using pf and Tor DNS port
List-Id: "Technical discussion and general questions about packet filter (pf)"

Robert Simmons wrote:

> I am having problems setting up Tor's DNSPort using pf. In FreeBSD
> 8.x I was able to just run Tor with the "DNSPort 53" config file
> option with no problems. Now, with 9.1, when I run it with that
> option, I get a permission denied error when trying to bind port 53 on
> localhost. I assume this is from tighter reserved port restrictions:
> now you must be root.

I'm reasonably sure that this was the default for 8.x as well.
Are you sure you are using the same configuration?

> Running Tor as root is not recommended, so I'm
> trying to forward all traffic from localhost port 53 to port 9053
> where I have Tor configured to listen now.
>
> I created a second loopback like so:
> ifconfig lo1 create up 127.0.0.2
>
> I added the following two rules:
> rdr pass on lo1 inet proto udp to port domain -> 127.0.0.1 port 9053
> pass out quick route-to lo1 inet proto udp to port domain keep state
>
> The above is not working. Any suggestions?

Without knowing how it's not working and what the rest of the rules
look like, it's hard to come up with specific suggestions.

I don't need the port restrictions on my Tor-running systems and thus
just set:

net.inet.ip.portrange.reservedhigh=52

and let Tor bind to 53 directly.

Fabian
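The reserved-port check that both approaches in this thread work around, as an added example that is not part of the original mail. It assumes FreeBSD's net.inet.ip.portrange.reservedlow/reservedhigh sysctls; the fallback values used when sysctl is unavailable are constructed defaults, and it also reports how many ports stop being root-only when reservedhigh is lowered the way Fabian does.

```shell
#!/bin/sh
# Added example, not from the thread: can an unprivileged Tor bind its
# DNSPort under FreeBSD's net.inet.ip.portrange.reserved* sysctls, and
# what does lowering reservedhigh open up to every local user?

# port_reserved PORT LOW HIGH -> exit 0 if PORT lies inside the root-only
# range [LOW, HIGH] (FreeBSD default: 0..1023).
port_reserved() {
    port=$1; low=$2; high=$3
    [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]
}

# newly_unreserved OLDHIGH NEWHIGH -> number of ports that any local user
# may bind once reservedhigh drops from OLDHIGH to NEWHIGH.
newly_unreserved() {
    old=$1; new=$2
    if [ "$new" -ge "$old" ]; then echo 0; else echo $((old - new)); fi
}

# Read the live values on FreeBSD; elsewhere fall back to the constructed
# defaults 0 and 1023 so the script still runs.
read_range() {
    low=$(sysctl -n net.inet.ip.portrange.reservedlow 2>/dev/null || echo 0)
    high=$(sysctl -n net.inet.ip.portrange.reservedhigh 2>/dev/null || echo 1023)
    echo "${low:-0} ${high:-1023}"
}

dnsport=${1:-53}
set -- $(read_range)
if port_reserved "$dnsport" "$1" "$2"; then
    echo "port $dnsport is root-only (reserved range $1-$2). Options:"
    echo "  a) keep Tor unprivileged on a high port (e.g. 9053) and"
    echo "     redirect :$dnsport to it with a pf rdr rule"
    echo "  b) set net.inet.ip.portrange.reservedhigh=$((dnsport - 1)),"
    echo "     which also lets any local user bind ports $dnsport-$2" \
         "($(newly_unreserved "$2" $((dnsport - 1))) ports)"
else
    echo "port $dnsport is bindable without root"
fi
```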