Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 3eaa9a376c
Branches Tags
tor
/
doc
/
spec
/
tor-fw-helper-spec.txt

tor-fw-helper-spec.txt 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. 

  2.                           Tor's (little) Firewall Helper specification
    3. 

  3.                                       Jacob Appelbaum
    4. 

  4. 

  5. 0. Preface
    6. 

  6. 

  7.  This document describes issues faced by Tor users who are behind NAT devices
    8. 

  8.  and wish to share their resources with the rest of the Tor network. It also
    9. 

  9.  explains a possible solution for some NAT devices.
    10. 

  10. 

  11. 1. Overview
    12. 

  12. 

  13.  Tor users often wish to relay traffic for the Tor network and their upstream
    14. 

  14.  firewall thwarts their attempted generosity.  Automatic port forwarding
    15. 

  15.  configuration for many consumer NAT devices is often available with two common
    16. 

  16.  protocols NAT-PMP[0] and UPnP[1].
    17. 

  17. 

  18. 2. Implementation
    19. 

  19. 

  20.  tor-fw-helper is a program that implements basic port forwarding requests; it
    21. 

  21.  may be used alone or called from Tor itself.
    22. 

  22. 

  23. 2.1 Output format
    24. 

  24. 

  25.  When tor-fw-helper has completed the requested action successfully, it will
    26. 

  26.  report the following message to standard output:
    27. 

  27. 

  28.     tor-fw-helper: SUCCESS
    29. 

  29. 

  30.  If tor-fw-helper was unable to complete the requested action successfully, it
    31. 

  31.  will report the following message to standard error:
    32. 

  32. 

  33.     tor-fw-helper: FAILURE
    34. 

  34. 

  35.  All informational messages are printed to standard output; all error messages
    36. 

  36.  are printed to standard error. Messages other than SUCCESS and FAILURE
    37. 

  37.  may be printed by any compliant tor-fw-helper.
    38. 

  38. 

  39. 2.2 Output format stability
    40. 

  40. 

  41.  The above SUCCESS and FAILURE messages are the only stable output formats
    42. 

  42.  provided by this specification. tor-fw-helper-spec compliant implementations
    43. 

  43.  must return SUCCESS or FAILURE as defined above.
    44. 

  44. 

  45. 3. Security Concerns
    46. 

  46. 

  47.  It is probably best to hand configure port forwarding and in the process, we
    48. 

  48.  suggest disabling NAT-PMP and/or UPnP. This is of course absolutely confusing
    49. 

  49.  to users and so we support automatic, non-authenticated NAT port mapping
    50. 

  50.  protocols with compliant tor-fw-helper applications.
    51. 

  51. 

  52.  NAT should not be considered a security boundary. NAT-PMP and UPnP are hacks
    53. 

  53.  to deal with the shortcomings of user education about TCP/IP, IPv4 shortages,
    54. 

  54.  and of course, NAT devices that suffer from horrible user interface design.
    55. 

  55. 

  56. [0] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
    57. 

  57. [1] http://en.wikipedia.org/wiki/Universal_Plug_and_Play
    58.