Hello.


I checked with the following nmap-command what port are open on the GW/firewall:


# nmap domain.name

PORT STATE SERVICE
23/tcp open telnet


My idea was, that TOR requires much more open ports.... Or do I miss something?



Thank's a lot for additional help!

John

is it even running??
tor normally runs on port 9050...but this is normally on the localhost rather then a router/gateway.
the idea is that you will forward traffic to localhost:9050 and this in turn connects out to tor hosts:443

Thank's for the promt reply. Good question! I just started/booted the pc from the Icognito LiveCD and connected a website and - yes that site is shown in the www browser, and the connection is slow.


In TorK -> TorNetwork -> Connections the following connections are displayed:

Source Host/Port
-> www.ibm.com:443
-> stats.surfaid.ihost.com:80
-> www.ibm.com:80
-> data.coremetrics.com:80
-> www.ibm.com:80



Thank's a lot for additional help/informations!


John

yerp - it runs on the local host rather then router/gateway.

and yes, tor connections are slower because your traffic is going to be routed via a number of hosts over https port

bash: lsof: command not found

What does that mean for me?

Thank you!

John

basically lsof just to show the port tor is running on on your local machine.

localmachine listens on 9050.
say for example my company had blocked outgoing connections to msn port 1863, i could configure msn settings to point via a proxy on port 9050 of localhost.

so my outgoing msn connections would work like this
this is why it is slower...now, if you have configured yourself to be a node, then you would have to open ports on your router/gateway and map to your local machine. if you havent done that, tor will still work, but you cant be used as a node. that is other tor users cant use your machine as a gateway.

Thank's a lot for the clrifications. I need to become first more familiar with Icognito and TOR before I am going to tweak it :-)



In TorK -> Tor Log there are somestrange log entries:

Time---------------->Severity---------->Summary
2009-12-17 17:10--->Tork------------->(1 of 1) Are you sure your privacy proxy is running?
2009-12-17 17:10--->WARN------------->(1 of 1) Controller gave us config lines that didn't validate: Unkfnow option '_ReloadTorrrc0
2009-12-17 17:10--->WARN------------->(1 of 1) Controller gave us config lines that didn't validate: Must set TunnelDirConns if Prefer
2009-12-17 17:10--->WARN------------->(1 of 1) Closing no-longer-configured OR listener on 0.0.0.0:9001
2009-12-17 17:10--->NOTICE------------->(1 of 1) Closing no-longer-configured Directory listener on 0.0.0.0:9030
2009-12-17 17:10--->NOTICE------------->(1 of 1) Closing old OR Listener on 0.0.0.0:9001
2009-12-17 17:10--->NOTICE------------->(1 of 1) Closing old Directory Listener on 0.0.0.0:9030
2009-12-17 17:10--->TorK------------->(1 of 1) Your Broadband Router My Not Be Plug 'n Playable!
2009-12-17 17:10--->TorK------------->(1 of 1) Your Traffic CAN Be Eavesdropped!


Why all those messages? Because only TCP port 23 is open? I just booted my PC from the Icognito LiveCD and hoped to be be protected :-(


Thank's a lot for any additional informations!

John

You can use torify
see man torify

There's a bit of confusion here. I'll cover them one by one:

Sure, Tor must be able to communicate with the Tor network, so outgoing connections to these servers must be allowed. TorStatus allows you to see which ports people use on their routers (ORPort) and directories (DirPort). But the key thing to understand is that we're talking about outgoing connections -- you can block all incomming connections (i.e. no port is open) and Tor will still work (thanks to NAT) if the putgoing connections are not blocker by the firewall.

It should be noted that on most networks, outgoing connections are allowed on all ports. Unless you're on a locked-down corporate network or have locked it down yourself you're unlikely to get problems with Tor this way.


If you want maximum anonymity, don't "tweak" Tor -- anything that makes you client behave differently than others will make you easier to distinguish from the rest.


There's nothing very weird in that log. If you're worried about the "Your Traffic CAN Be Eavesdropped!" thing there's not much to be done about it except using encryption whenever possible. It's a basic fact of how Tor works that everything you send through it will be readable by the exit node (unless it is encrypted).

This is not necessarcy in Incognito since all connections are transparently sent through Tor.

Thank's a lot for the clarifications :-) But now I do have an addtional question:

On TorStatus the ORPorts and DirPorts of the different Tor routers are shown.
Does that mean, if my server circuit does consist on abc-server(ORPort 443/DirPort9030) and def-server(ORPort 9001/DirPort9030)and ghi-server(ORPort 442/DirPort9030), my firewall/gateway should allow outgoing tcp connections to at least these 6 tcp ports?



Thank's a lot for any additional clarification!

John


PS
I do understand, that it would be better to allow outgoing connections to/on all tcp-ports :-)

For every router you want to use as the first hop (or directory) you need the respective ORPort:s (or DirPort) open for outgoing connections -- all subsequent hops in the circuits will be done by the first hop router so your computer doesn't do that connection. As such, if you restrict which ports can be directly connected to from your computer you restrict the number of choices for the first hop in your circuit (and directory servers), which hurts your anonymity proportionally to the chunk of the network that's unreachable. Performance might also be hurt to some degree unless you add "reachableaddresses *:443 *:9001 ..." for each open port in your torrc, thus telling Tor which ports can be used (otherwise it will try to use unreachable nodes and it takes some time for it to detect that they cannot be used).

The way I see it, outbound port filtering is basically useless and certainly shouldn't be considered as a security measure. So unless you don't have control over your firewall (i.e. if you're on a locked-down coproprate network or something) I recommend you do allow all outbound traffic.