tor-fw-helper-spec.txt 2.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657
  1. Tor's (little) Firewall Helper specification
  2. Jacob Appelbaum
  3. 0. Preface
  4. This document describes issues faced by Tor users who are behind NAT devices
  5. and wish to share their resources with the rest of the Tor network. It also
  6. explains a possible solution for some NAT devices.
  7. 1. Overview
  8. Tor users often wish to relay traffic for the Tor network and their upstream
  9. firewall thwarts their attempted generosity. Automatic port forwarding
  10. configuration for many consumer NAT devices is often available with two common
  11. protocols NAT-PMP[0] and UPnP[1].
  12. 2. Implementation
  13. tor-fw-helper is a program that implements basic port forwarding requests; it
  14. may be used alone or called from Tor itself.
  15. 2.1 Output format
  16. When tor-fw-helper has completed the requested action successfully, it will
  17. report the following message to standard output:
  18. tor-fw-helper: SUCCESS
  19. If tor-fw-helper was unable to complete the requested action successfully, it
  20. will report the following message to standard error:
  21. tor-fw-helper: FAILURE
  22. All informational messages are printed to standard output; all error messages
  23. are printed to standard error. Messages other than SUCCESS and FAILURE
  24. may be printed by any compliant tor-fw-helper.
  25. 2.2 Output format stability
  26. The above SUCCESS and FAILURE messages are the only stable output formats
  27. provided by this specification. tor-fw-helper-spec compliant implementations
  28. must return SUCCESS or FAILURE as defined above.
  29. 3. Security Concerns
  30. It is probably best to hand configure port forwarding and in the process, we
  31. suggest disabling NAT-PMP and/or UPnP. This is of course absolutely confusing
  32. to users and so we support automatic, non-authenticated NAT port mapping
  33. protocols with compliant tor-fw-helper applications.
  34. NAT should not be considered a security boundary. NAT-PMP and UPnP are hacks
  35. to deal with the shortcomings of user education about TCP/IP, IPv4 shortages,
  36. and of course, NAT devices that suffer from horrible user interface design.
  37. [0] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
  38. [1] http://en.wikipedia.org/wiki/Universal_Plug_and_Play