torproject/torspec
1
0
Fork 0
mirror of https://github.com/torproject/torspec.git synced 2024-12-12 12:46:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
487dd9d0d2
torspec/tor-fw-helper-spec.txt
George Kadianakis 43c37b1113 Make tor-fw-helper port-purpose-agnostic.
2012-06-11 19:53:42 +03:00

70 lines
2.6 KiB
Plaintext
Raw Blame History

Tor's (little) Firewall Helper specification
Jacob Appelbaum
0. Preface
This document describes issues faced by Tor users who are behind NAT devices
and wish to share their resources with the rest of the Tor network. It also
explains a possible solution for some NAT devices.
1. Overview
Tor users often wish to relay traffic for the Tor network and their upstream
firewall thwarts their attempted generosity. Automatic port forwarding
configuration for many consumer NAT devices is often available with two common
protocols NAT-PMP[0] and UPnP[1].
2. Implementation
tor-fw-helper is a program that implements basic port forwarding requests; it
may be used alone or called from Tor itself.
2.1 Output format
2.1.1. Motivation
tor-fw-helper should be able to signal to tor whether its actions
succeeded so that tor can act accordingly. For this reason it's
important to standarize the output format of tor-fw-helper.
tor-fw-helper outputs signalling commands to stdout, and debugging
messages to stderr. This means that a program that launches
tor-fw-helper only needs to monitor stdout to learn its status.
2.1.2. TCP forwarding output
When tor-fw-helper completes a TCP forwarding action, it prints the
following message to standard output:
tor-fw-helper tcp-forwarding <external port> <internal port> <status> [<message>]
where,
<external port>, is the TCP port in the external side of the NAT
device that was forwarded.
<internal port>, is the TCP port in the internal side of the NAT
device that accepts forwarded traffic.
<status>, is either "SUCCESS" or "FAIL".
<message>, is an optional supplementary message that can include
multiple words.
For example, upon successfully using NAT-PMP to forward connections from
port '4200' to port '4333', tor-fw-helper would output in stdout:
tor-fw-helper tcp-forwarding 4200 4333 SUCCESS NAT-PMP succeded
3. Security Concerns
It is probably best to hand configure port forwarding and in the process, we
suggest disabling NAT-PMP and/or UPnP. This is of course absolutely confusing
to users and so we support automatic, non-authenticated NAT port mapping
protocols with compliant tor-fw-helper applications.
NAT should not be considered a security boundary. NAT-PMP and UPnP are hacks
to deal with the shortcomings of user education about TCP/IP, IPv4 shortages,
and of course, NAT devices that suffer from horrible user interface design.
[0] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
[1] http://en.wikipedia.org/wiki/Universal_Plug_and_Play
Reference in New Issue View Git Blame Copy Permalink