author Nick Mathewson <nickm@torproject.org> 2020-07-27 09:56:29 -0400
committer Nick Mathewson <nickm@torproject.org> 2020-07-27 09:56:29 -0400
commit a872fc67b425470d0b0a09790dd6a376e4b0515a (patch)
tree 44304ac36ab12c2042a0e4bc80ea46cb67522c67 /attic
parent 77ecc21b1265697a33617bc4c64f6748454913d3 (diff)
Move tor-fw-helper-spec.txt to attic. This feature is no longer supported.
Diffstat (limited to 'attic')
-rw-r--r-- attic/tor-fw-helper-spec.txt 69
1 files changed, 69 insertions, 0 deletions
diff --git a/attic/tor-fw-helper-spec.txt b/attic/tor-fw-helper-spec.txt
new file mode 100644
index 0000000..f842953
--- /dev/null
+++ b/attic/tor-fw-helper-spec.txt
@@ -0,0 +1,69 @@
+
+ Tor's (little) Firewall Helper specification
+ Jacob Appelbaum
+
+0. Preface
+
+ This document describes issues faced by Tor users who are behind NAT devices
+ and wish to share their resources with the rest of the Tor network. It also
+ explains a possible solution for some NAT devices.
+
+1. Overview
+
+ Tor users often wish to relay traffic for the Tor network and their upstream
+ firewall thwarts their attempted generosity. Automatic port forwarding
+ configuration for many consumer NAT devices is often available with two common
+ protocols NAT-PMP[0] and UPnP[1].
+
+2. Implementation
+
+ tor-fw-helper is a program that implements basic port forwarding requests; it
+ may be used alone or called from Tor itself.
+
+2.1. Output format
+
+2.1.1. Motivation
+
+ tor-fw-helper should be able to signal to tor whether its actions
+ succeeded so that tor can act accordingly. For this reason it's
+ important to standarize the output format of tor-fw-helper.
+
+ tor-fw-helper outputs signalling commands to stdout, and debugging
+ messages to stderr. This means that a program that launches
+ tor-fw-helper only needs to monitor stdout to learn its status.
+
+2.1.2. TCP forwarding output
+
+ When tor-fw-helper completes a TCP forwarding action, it prints the
+ following message to standard output:
+
+ tor-fw-helper tcp-forwarding <external port> <internal port> <status> [<message>]
+
+ where,
+
+ <external port>, is the TCP port in the external side of the NAT
+ device that was forwarded.
+ <internal port>, is the TCP port in the internal side of the NAT
+ device that accepts forwarded traffic.
+ <status>, is either "SUCCESS" or "FAIL".
+ <message>, is an optional supplementary message that can include
+ multiple words.
+
+ For example, upon successfully using NAT-PMP to forward connections from
+ port '4200' to port '4333', tor-fw-helper would output in stdout:
+
+ tor-fw-helper tcp-forwarding 4200 4333 SUCCESS NAT-PMP succeded
+
+3. Security Concerns
+
+ It is probably best to hand configure port forwarding and in the process, we
+ suggest disabling NAT-PMP and/or UPnP. This is of course absolutely confusing
+ to users and so we support automatic, non-authenticated NAT port mapping
+ protocols with compliant tor-fw-helper applications.
+
+ NAT should not be considered a security boundary. NAT-PMP and UPnP are hacks
+ to deal with the shortcomings of user education about TCP/IP, IPv4 shortages,
+ and of course, NAT devices that suffer from horrible user interface design.
+
+[0] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
+[1] http://en.wikipedia.org/wiki/Universal_Plug_and_Play
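Review bot: the file added under attic/ opens directly with its title line, and nothing in its 69 lines says the feature is unsupported; that fact lives only in the commit message. Consider adding a short status note at the top of attic/tor-fw-helper-spec.txt stating that tor-fw-helper is no longer supported and the document is kept for reference, so a reader who lands on the file does not take the output format in section 2.1 as a current interface. The view here is limited to attic/, so the removal from the old path is not visible; it is worth confirming the move is content-identical. Two spelling slips carry over as well: "standarize" in 2.1.1 and "succeded" in the 2.1.2 example line, the latter only to be changed if it does not have to match what the program actually printed.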