
USE flags for tor:

```
caps           Use Linux capabilities library to control privilege
doc            Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
lzma           Support for LZMA (de)compression algorithm
scrypt         Use app-crypt/libscrypt for the scrypt algorithm
seccomp        Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs
selinux        !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
server         Enable tor's relay module so it can operate as a relay/bridge/authority
systemd        Enable use of systemd-specific libraries and features like socket activation or session tracking
test           Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
tor-hardening  Compile tor with hardening on vanilla compilers/linkers
```

Applications that do DNS resolves themselves may leak information. To check how this works, give an application an IP address instead of a domain name (retrieved by running the tor-resolve command, for example). If an application is configured correctly, nothing shows in the logs. Below is an example of a message for a misconfigured application (or for a web page that stores links in the form of IP addresses):

```
Oct 14 14:44:44 localhost Tor: Your application (using socks5 to port 80) is giving Tor only an IP address.
```

Tor can work like a regular DNS server and resolve domains via the Tor network. A downside is that it is only able to resolve DNS queries for A records. To enable the built-in DNS resolver, add the DNSPort configuration to the /etc/tor/torrc file and restart the daemon.

The following iptables rule redirects TCP connections from every user except the tor user into Tor's transparent proxy port (TransPort) on 127.0.0.1:9040:

```
root # iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040
```

You might not want to mix GPG traffic with the traffic of a web browser, or to mix irssi circuits with the circuits of a bitcoin wallet. In all cases an exit node can correlate the separate activities. Stream isolation provides an easy way to separate Tor circuits and make different applications use isolated streams.

By default, multiple *Port lines (SocksPort, DNSPort, TransPort) will never share circuits. If you want stream isolation on a single *Port option, you can add one or more of the following isolation flags to *Port options: IsolateClientAddr, IsolateSOCKSAuth, IsolateClientProtocol, IsolateDestPort, IsolateDestAddr. Note that some are enabled by default already and that more isolation flags do not necessarily mean more security/anonymity/privacy. To see the most up-to-date list of stream isolation flags, see `man tor`.

So if you want to be sure your GPG client and your instant messenger don't put streams on the same circuit, the easiest thing to do is add the following to your torrc and point them at different SocksPorts.

FILE /etc/tor/torrc (torrc configuration):

```
StrictNodes 1
#ExcludeNodes all that nodes as "single administration" by Five Eyes
```
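The DNS leak check described above hinges on what the application hands to Tor's SOCKS listener: a hostname (SOCKS5 address type 0x03) that Tor resolves over the circuit, or a bare IP address (type 0x01/0x04) that the application resolved locally, which is what provokes the "is giving Tor only an IP address" warning. The following Python model is an added example, not code from the Gentoo wiki or from Tor: it encodes a SOCKS5 CONNECT request the way a client would, decodes it the way Tor's listener would, and reproduces the shape of that log line for the leaky case. The target names and addresses are constructed sample values.

```python
"""Model of Tor's DNS-leak warning for SOCKS5 CONNECT requests (added example).

A well-behaved Tor client puts the hostname inside its SOCKS5 CONNECT request
(address type 0x03) and lets Tor resolve it on the circuit.  An application
that resolves names itself sends only an IP address (type 0x01 or 0x04), which
is the condition Tor logs about.  Both sides are built here so it runs offline.
"""
import ipaddress
import socket
import struct
from typing import Dict, Optional

SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(target: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request as an application would send it.

    If `target` parses as an IP literal the request carries the raw address
    (the leaky form); otherwise the hostname is sent for remote resolution.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def inspect_connect_request(req: bytes) -> Dict[str, object]:
    """Decode a CONNECT request as Tor's SOCKS listener sees it.

    Returns the destination and whether the application leaked a local DNS
    lookup by handing Tor a bare IP address instead of a name.
    """
    if len(req) < 4 or req[0] != SOCKS5_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    elif atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, req[4:8]), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed request length")
    (port,) = struct.unpack("!H", rest)
    return {"host": host, "port": port, "resolved_locally": atyp != ATYP_DOMAIN}


def tor_warning(req: bytes) -> Optional[str]:
    """Reproduce the wording of the log line shown above for a leaky request."""
    info = inspect_connect_request(req)
    if info["resolved_locally"]:
        return (f"Your application (using socks5 to port {info['port']}) "
                "is giving Tor only an IP address.")
    return None


if __name__ == "__main__":
    # Constructed sample targets: a hidden-service name and a documentation-range IP.
    for target in ("example.onion", "192.0.2.10"):
        req = build_connect_request(target, 80)
        print(target, inspect_connect_request(req), tor_warning(req))
```

Running it prints no warning for the hostname request and the Tor-style warning for the IP request, which is exactly the distinction the log check above relies on.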
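To make the stream isolation rules above concrete, here is an added Python lint (not code from the Gentoo wiki or from Tor) that parses the *Port lines of a torrc together with their isolation flags and answers whether two applications can ever share a circuit. It applies the rule as stated on the page: distinct *Port lines never share circuits, and streams on the same port share one unless an isolation flag separates them. The per-flag comparisons are a simplification of Tor's own logic, the sample torrc and the application streams are constructed, and the assumption that IsolateClientAddr and IsolateSOCKSAuth are on by default comes from `man tor`.

```python
"""Stream-isolation lint for a torrc (added example, not Gentoo or Tor code).

Parses SocksPort/DNSPort/TransPort lines with their isolation flags and
applies the rule stated above: distinct *Port lines never share circuits,
while streams entering the same port share one unless an isolation flag
tells them apart.  The per-flag comparisons are a simplification of Tor's
circuit-isolation logic; `man tor` is the authoritative reference.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Set

PORT_KINDS = ("SocksPort", "DNSPort", "TransPort")
ISOLATION_FLAGS = {"IsolateClientAddr", "IsolateSOCKSAuth", "IsolateClientProtocol",
                   "IsolateDestPort", "IsolateDestAddr"}
# Assumed defaults per `man tor`: these two flags are on unless a NoIsolate* option turns one off.
DEFAULT_ON = {"IsolateClientAddr", "IsolateSOCKSAuth"}


@dataclass
class PortLine:
    kind: str        # SocksPort, DNSPort or TransPort
    address: str     # "9050" or "127.0.0.1:9050", exactly as written
    flags: Set[str] = field(default_factory=set)


@dataclass
class Stream:
    """One application's stream as the *Port line would classify it (constructed)."""
    port: str                     # address of the *Port line the stream enters on
    client_addr: str = "127.0.0.1"
    socks_user: str = ""          # SOCKS username, the usual per-application key
    protocol: str = "socks5"
    dest_host: str = ""
    dest_port: int = 0


def parse_torrc_ports(text: str) -> List[PortLine]:
    """Collect *Port lines; '#' starts a comment, non-isolation options are ignored."""
    ports: List[PortLine] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in PORT_KINDS:
            continue
        flags = set(DEFAULT_ON)
        for opt in parts[2:]:
            if opt in ISOLATION_FLAGS:
                flags.add(opt)
            elif opt.startswith("No") and opt[2:] in ISOLATION_FLAGS:
                flags.discard(opt[2:])
        ports.append(PortLine(parts[0], parts[1], flags))
    return ports


def may_share_circuit(ports: List[PortLine], a: Stream, b: Stream) -> bool:
    """True if nothing in the configuration forces a and b onto different circuits."""
    if a.port != b.port:
        return False  # separate *Port lines never share circuits
    line = next((p for p in ports if p.address == a.port), None)
    if line is None:
        raise ValueError(f"no *Port line for {a.port}")
    same = {
        "IsolateClientAddr": a.client_addr == b.client_addr,
        "IsolateSOCKSAuth": a.socks_user == b.socks_user,
        "IsolateClientProtocol": a.protocol == b.protocol,
        "IsolateDestPort": a.dest_port == b.dest_port,
        "IsolateDestAddr": a.dest_host == b.dest_host,
    }
    # Each active flag splits circuits when its attribute differs between the two streams.
    return all(same[flag] for flag in line.flags)


def isolation_report(torrc: str, apps: Dict[str, Stream]) -> List[str]:
    """Name every pair of applications that the torrc lets share a circuit."""
    ports = parse_torrc_ports(torrc)
    return [f"{x} and {y} may share a circuit via {apps[x].port}"
            for x, y in combinations(sorted(apps), 2)
            if may_share_circuit(ports, apps[x], apps[y])]


# Constructed sample torrc: GPG and the instant messenger get their own SocksPorts.
SAMPLE_TORRC = """
SocksPort 9050                    # web browser
SocksPort 9051 IsolateDestAddr    # gpg
SocksPort 9052                    # instant messenger
DNSPort 9053
TransPort 9040
"""

# Constructed application streams; the wallet was left on the browser's port on purpose.
SAMPLE_APPS = {
    "browser": Stream("9050", dest_host="www.example", dest_port=443),
    "gpg": Stream("9051", dest_host="keys.example", dest_port=11371),
    "im": Stream("9052", dest_host="xmpp.example", dest_port=5222),
    "wallet": Stream("9050", dest_host="node.example", dest_port=8333),
}

if __name__ == "__main__":
    for finding in isolation_report(SAMPLE_TORRC, SAMPLE_APPS) or ["no shared circuits"]:
        print(finding)
```

The report flags only the browser/wallet pair, because they enter on the same SocksPort with the same (empty) SOCKS credentials and no destination-based flag; moving the wallet to its own SocksPort line, or giving each application a distinct SOCKS username, removes the finding.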
