I have a Tor gateway set up, and would like to route all traffic through it. For security, different functions should use different Tor ports, so they have different virtual circuits.

I've assigned port 9110 to be the port for email. My mail client uses SSL for email (POP3s: 995, sSMTP: 465), and I want to direct all accesses to those ports through the Tor SOCKS port of 9110. This should mean that the mail client sends an email out 465, which is then tunneled by Shorewall (somehow) to 127.0.0.1:9110, and out the Tor network to the exit node, where it then proceeds to the mail server listening on 465.

Anyone know how I would do this in Shorewall?
CACook@quantum-sci.com wrote on 2013-05-05 15:57:
> Anyone know how I would do this in Shorewall?

Mangling SSL/TLS is a stupid solution to Tor problems, like realname is not an email.

--
Senders that put my email into body content will deliver it to my own trashcan, so if you like to get a reply, don't do it.
>> Anyone know how I would do this in Shorewall?
>
> mangling ssl/tls is a stupid solution to tor problems, like realname is
> not a email

Thanks for the input. But you are just a foolish Hater when you criticize and do not offer a solution. Fact is, this was recommended on #tor because there is NO WAY TO SPECIFY A PORT# with torsocks or usewithtor! And uwt does not work for localhost. And privoxy and polipo leak.

It is necessary to use different Tor ports for different functions, to separate virtual circuits for security. But there is no way to individually specify a Tor port for applications that do not have SOCKS support.

So STFU and recuse yourself from the discussion because you didn't know any of that.
CACook@quantum-sci.com wrote on 2013-05-05 23:35:
> But you are just a foolish Hater when you criticize and do not offer
> a solution.

Well, it would be my last help here, so: I just commented on not mangling SSL/TLS with Tor. If it worked, you would not have asked how to here.

--
Senders that put my email into body content will deliver it to my own trashcan, so if you like to get a reply, don't do it.
On Sunday, May 05, 2013 06:57:49 AM CACook@quantum-sci.com wrote:
>
> I have a Tor gateway set up, and would like to route all traffic through it. For security, different functions should use different Tor ports, so they have different virtual circuits.
>
> I've assigned port 9110 to be the port for email. My mail client uses SSL for email (POP3s: 995, sSMTP: 465), and I want to direct all accesses to those ports through the Tor SOCKS port of 9110. This should mean that the mail client sends an email out 465, which is then tunneled by Shorewall (somehow) to 127.0.0.1:9110, and out the Tor network to the exit node, where it then proceeds to the mail server listening on 465.
>
> Anyone know how I would do this in Shorewall?

Anyone have input on this?

Or has Benny Pedersen poisoned the well for me?
On 5/7/13 5:29 PM, CACook@quantum-sci.com wrote:
> On Sunday, May 05, 2013 06:57:49 AM CACook@quantum-sci.com wrote:
>>
>> I have a Tor gateway set up, and would like to route all traffic through it. For security, different functions should use different Tor ports, so they have different virtual circuits.
>>
>> I've assigned port 9110 to be the port for email. My mail client uses SSL for email (POP3s: 995, sSMTP: 465), and I want to direct all accesses to those ports through the Tor SOCKS port of 9110. This should mean that the mail client sends an email out 465, which is then tunneled by Shorewall (somehow) to 127.0.0.1:9110, and out the Tor network to the exit node, where it then proceeds to the mail server listening on 465.
>>
>> Anyone know how I would do this in Shorewall?
>
> Anyone have input on this?
>
> Or has Benny Pedersen poisoned the well for me?

If you can explain at the IP level what you want to do, I can help you. But I know nothing about TOR and I don't have the time or inclination to go off and educate myself to the point that I can understand your description of the problem you are trying to solve.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 8 May 2013 11:26 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Transparent Proxy

On 5/7/13 5:29 PM, CACook@quantum-sci.com wrote:
> On Sunday, May 05, 2013 06:57:49 AM CACook@quantum-sci.com wrote:
>>
>> I have a Tor gateway set up, and would like to route all traffic through it. For security, different functions should use different Tor ports, so they have different virtual circuits.
>>
>> I've assigned port 9110 to be the port for email. My mail client uses SSL for email (POP3s: 995, sSMTP: 465), and I want to direct all accesses to those ports through the Tor SOCKS port of 9110. This should mean that the mail client sends an email out 465, which is then tunneled by Shorewall (somehow) to 127.0.0.1:9110, and out the Tor network to the exit node, where it then proceeds to the mail server listening on 465.
>>
>> Anyone know how I would do this in Shorewall?
>
> Anyone have input on this?
>
> Or has Benny Pedersen poisoned the well for me?

Firstly, is the mail client SOCKS-aware? If it is not, then that is the issue you need to fix. If it is, then tell it to use the SOCKS proxy on port 9110.

Shorewall is an iptables configurator, it is NOT a proxy. Shorewall isn't a magic bit of software that knows how to interface to a SOCKS proxy.

You need a SOCKS-aware email client.

Using iptables to redirect SSL traffic to a transparent proxy is a method that will guarantee to break every secure connection. If you get into the habit of accepting broken certs, then you are less, not more, secure. SSL and TLS need explicit proxying, not transparent proxying by IP redirect/NAT into a waiting proxy.

Down this path thar be dragons.

I hope this helps.

T
On Tuesday, May 07, 2013 06:58:50 PM Terry Gilsenan wrote:
> Firstly, Is the mail client socks aware? If it is not then that is the issue you need to fix. If it is, then tell it to use the socks proxy on port 9110
>
> Shorewall is an IPTables configurator, it is NOT a proxy. Shorewall isn't a magic bit of software that knows how to interface to a socks proxy.
>
> You need a socks aware email client.

Unfortunately it's KMail, which is not SOCKS-aware. But KMail lets me put my mail where I want and in a form that I want (mbox) and has several features that I want. I tried to like Thunderbird, Evolution, Sylpheed, Claws, etc., but each is either too primitive or lacks some vital feature. I am not happy with KMail, but it's the only one I've found that does the vitals. Trust me, I wish there were something better. I keep looking.

When I use torsocks (or usewithtor or UWT) with KMail, KMail ignores the redirect. It simply still sends on 465. How do I know? Because I block 465 and get a firewall violation. I IRCed the dev for torsocks and he says it was developed a long time ago and doesn't work with many GUI applications. He's the one who suggested that I do this with iptables, and he knows his stuff, Haters notwithstanding.

I use POP3s and sSMTP (995 & 465) for email. I do not know what it takes to put this through a SOCKS5 port. The Tor SOCKS port I have allocated to email is 127.0.0.1:9110. I suppose this should be done like a tunnel, so that 465 and 995 accesses go through 9110 and come out the other end of the tunnel (at the Exit Node) and proceed to the mail server as 465 and 995, if you take my meaning. The closest thing this sounds like to me is NAT, but I don't know what the fact of a SOCKS port means in this respect, and no one else I've asked does either.
-----Original Message-----
From: CACook@quantum-sci.com [mailto:CACook@quantum-sci.com]
Sent: Wednesday, 8 May 2013 2:49 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Transparent Proxy

On Tuesday, May 07, 2013 06:58:50 PM Terry Gilsenan wrote:
> Firstly, Is the mail client socks aware? If it is not then that is the
> issue you need to fix. If it is, then tell it to use the socks proxy
> on port 9110
>
> Shorewall is an IPTables configurator, it is NOT a proxy. Shorewall isn't a magic bit of software that knows how to interface to a socks proxy.
>
> You need a socks aware email client.

Unfortunately it's KMail, which is not SOCKS-aware. But KMail lets me put my mail where I want and in a form that I want (mbox) and has several features that I want. I tried to like Thunderbird, Evolution, Sylpheed, Claws, etc., but each is either too primitive or lacks some vital feature. I am not happy with KMail, but it's the only one I've found that does the vitals. Trust me, I wish there were something better. I keep looking.

When I use torsocks (or usewithtor or UWT) with KMail, KMail ignores the redirect. It simply still sends on 465. How do I know? Because I block 465 and get a firewall violation. I IRCed the dev for torsocks and he says it was developed a long time ago and doesn't work with many GUI applications. He's the one who suggested that I do this with iptables, and he knows his stuff, Haters notwithstanding.

I use POP3s and sSMTP (995 & 465) for email. I do not know what it takes to put this through a SOCKS5 port. The Tor SOCKS port I have allocated to email is 127.0.0.1:9110. I suppose this should be done like a tunnel, so that 465 and 995 accesses go through 9110 and come out the other end of the tunnel (at the Exit Node) and proceed to the mail server as 465 and 995, if you take my meaning. The closest thing this sounds like to me is NAT, but I don't know what the fact of a SOCKS port means in this respect, and no one else I've asked does either.

I tried to explain this: SSL, and to some extent TLS, will object to transparent proxying.

The problem is that KMail doesn't know how to do SOCKS, and that is what you need to fix, either by changing to an email client that CAN do SOCKS or by installing (writing?) a SOCKS "shim".

You could certainly use iptables to redirect your connections to your local SOCKS proxy, but that doesn't fix the problem of your email client wanting to speak POP3 or SMTP, when the SOCKS proxy is wanting whatever connects to it to speak SOCKS.

POP3 has specific commands, SMTP has specific commands, SOCKS has specific commands. POP3 commands addressed to a SOCKS proxy mean nothing to the SOCKS proxy, so a redirect at the transport layer is worthless; you need the application layer taken care of, and that is outside the scope of iptables.

I simply don't think I can explain it any better than that. Sorry.

Regards,
T

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 8 May 2013, at 05:45, CACook@quantum-sci.com wrote:
> On Tuesday, May 07, 2013 06:58:50 PM Terry Gilsenan wrote:
>> Firstly, Is the mail client socks aware? If it is not then that is the issue you need to fix. If it is, then tell it to use the socks proxy on port 9110
>>
>> Shorewall is an IPTables configurator, it is NOT a proxy. Shorewall isn't a magic bit of software that knows how to interface to a socks proxy.
>>
>> You need a socks aware email client.
>
> Unfortunately it's KMail, which is not SOCKS-aware. But KMail lets me put my mail where I want and in a form that I want (mbox) and has several features that I want. I tried to like Thunderbird, Evolution, Sylpheed, Claws, etc., but each is either too primitive or lacks some vital feature. I am not happy with KMail, but it's the only one I've found that does the vitals. Trust me, I wish there were something better. I keep looking.
>
> When I use torsocks (or usewithtor or UWT) with KMail, KMail ignores the redirect. It simply still sends on 465. How do I know? Because I block 465 and get a firewall violation. I IRCed the dev for torsocks and he says it was developed a long time ago and doesn't work with many GUI applications. He's the one who suggested that I do this with iptables, and he knows his stuff, Haters notwithstanding.
>
> I use POP3s and sSMTP (995 & 465) for email. I do not know what it takes to put this through a SOCKS5 port. The Tor SOCKS port I have allocated to email is 127.0.0.1:9110. I suppose this should be done like a tunnel, so that 465 and 995 accesses go through 9110 and come out the other end of the tunnel (at the Exit Node) and proceed to the mail server as 465 and 995, if you take my meaning. The closest thing this sounds like to me is NAT, but I don't know what the fact of a SOCKS port means in this respect, and no one else I've asked does either.

You might want to look at something like TransSocks, which, I understand, is intended to allow exactly this kind of tunnelling. I think you would set it up to forward over the SOCKS proxy on 9110 and listen on some other port, and then redirect application traffic to *that*.

Dominic
On Tuesday, May 07, 2013 10:24:10 PM Terry Gilsenan wrote:
> I tried to explain this..: SSL and to some extent TLS will object to transparent proxying.
>
> The problem is that Kmail doesn't know how to do socks, and that is what you need to fix, either by changing to an email client that CAN to socks or by installing (writing?) a socks "shim".
>
> You could certainly use IPTables to re-direct your connections to your local socks proxy, but that doesn't fix the problem of your email client wanting to speak POP3 or SMTP, when the socks proxy is wanting whatever connects to it to speak SOCKS.
>
> POP3 has specific commands, SMTP has specific commands, SOCKS has specific commands, POP3 commands addressed to a SOCKS proxy mean nothing to the SOCKS proxy, so a redirect at the transport later is worthless, you need the application layer taken care of, and that is outside the scope of IPTables.
>
> I simply don't think I can explain it any better than that, Sorry.
>
> Regards,
> T

Thanks for your help. Your response indicates that 25 and 110 may work with the torsocks socksifier. Trouble is, then I'm transmitting all my email in the clear... through the Underground.

So as email and SOCKS essentially speak incompatible protocols, the only answer is a socksified email client, as you say. Well, I'm open to suggestions. I don't know of any full-featured Linux clients other than Thunderbird, Evolution, Sylpheed, or Claws.
On Tuesday, May 07, 2013 11:20:11 PM Dominic Benson wrote:
> You might want to look at something like TransSocks, which, I understand, is intended to allow exactly this kind of tunnelling. I think you would set it up to forward over the SOCKS proxy on 9110 and listen on some other port, and then redirect application traffic to *that*.
>
> Dominic

TransSocks is very interesting: "TranSocks is a network-layer proxy that can run on a Linux router and without controlling how applications are run." http://transocks.sourceforge.net/

May well work with SSL. And they have some interesting iptables rules. I'll sure try it, thanks. Hopefully KMail won't ignore it.
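Terry's point (a transport-layer redirect alone leaves the mail client talking POP3/SMTP to a socket that expects SOCKS) and Dominic's suggestion (a TransSocks-style listener that speaks SOCKS on the client's behalf, with the redirect pointed at that listener) are two halves of one design. The following is an added example of that design, written for this page; it is not code from the thread, from Shorewall, TransSocks or Tor. It assumes Linux (netfilter's SO_ORIGINAL_DST socket option), the Tor SOCKS port 127.0.0.1:9110 the thread assigns to mail, and a hypothetical local port 9111 that a REDIRECT rule for destination ports 465 and 995 points at. Because the shim only performs the SOCKS5 CONNECT handshake and then copies bytes in both directions, the TLS session is still negotiated end to end between the mail client and the mail server; nothing on the local machine terminates it, so no certificate is broken.

```python
# Added example (not code from the thread, Shorewall, TransSocks or Tor):
# a minimal transparent-to-SOCKS5 shim. Netfilter REDIRECTs the mail
# client's 465/995 connections here; the shim recovers the original
# destination, opens a SOCKS5 CONNECT through Tor and then relays bytes.
# Assumed redirect, raw iptables form (Shorewall's equivalent is a
# REDIRECT rule with $FW as SOURCE; confirm against shorewall-rules(5)):
#   iptables -t nat -A OUTPUT -p tcp -m multiport --dports 465,995 \
#            -j REDIRECT --to-ports 9111
import socket
import struct
import threading

SOCKS_HOST, SOCKS_PORT = "127.0.0.1", 9110  # Tor SOCKS port assigned to mail in the thread
LISTEN_PORT = 9111                          # hypothetical local port the REDIRECT targets
SO_ORIGINAL_DST = 80                        # Linux value from <linux/netfilter_ipv4.h>


def build_socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928). IPv4 literals use ATYP=1; anything
    else is sent as a domain name (ATYP=3) so Tor resolves it in-circuit."""
    try:
        atyp, dst = b"\x01", socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length not representable in SOCKS5")
        atyp, dst = b"\x03", bytes([len(name)]) + name
    return b"\x05\x01\x00" + atyp + dst + struct.pack("!H", port)


def parse_socks5_reply(data: bytes):
    """Decode a SOCKS5 reply; returns (REP code, bytes consumed). REP 0 = success."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    atyp = data[3]
    if atyp == 1:
        length = 4 + 4 + 2                  # IPv4 BND.ADDR + BND.PORT
    elif atyp == 4:
        length = 4 + 16 + 2                 # IPv6 BND.ADDR + BND.PORT
    elif atyp == 3 and len(data) >= 5:
        length = 4 + 1 + data[4] + 2        # length-prefixed domain name
    else:
        raise ValueError("unknown ATYP or truncated SOCKS5 reply")
    if len(data) < length:
        raise ValueError("truncated SOCKS5 reply")
    return data[1], length


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def read_socks5_reply(sock: socket.socket) -> int:
    head = recv_exact(sock, 4)
    if head[3] == 3:                        # domain name: one length byte follows
        head += recv_exact(sock, 1)
        rest = head[4] + 2
    else:
        rest = {1: 6, 4: 18}.get(head[3], 0)
    rep, _ = parse_socks5_reply(head + recv_exact(sock, rest))
    return rep


def original_destination(conn: socket.socket):
    """Where the REDIRECTed connection was really going (Linux netfilter only).
    Caveat: the client already resolved the server name locally, so only an IP
    is available here; that DNS lookup did not travel through Tor."""
    raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)  # sockaddr_in
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(conn: socket.socket) -> None:
    with conn, socket.create_connection((SOCKS_HOST, SOCKS_PORT)) as tor:
        host, port = original_destination(conn)
        tor.sendall(b"\x05\x01\x00")                 # offer "no authentication"
        if recv_exact(tor, 2) != b"\x05\x00":
            return                                   # Tor declined the method
        tor.sendall(build_socks5_connect(host, port))
        if read_socks5_reply(tor) != 0:
            return                                   # e.g. exit policy rejects port
        t = threading.Thread(target=pump, args=(tor, conn), daemon=True)
        t.start()
        pump(conn, tor)                              # TLS bytes pass through opaque
        t.join()


def serve(listen_port: int = LISTEN_PORT) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", listen_port))
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two checks worth making before relying on something like this: the redirect rule must not catch the shim's own connection to 127.0.0.1:9110 (it does not here, because the rule matches destination ports 465 and 995 only), and the name lookup the mail client performed before connecting was not torified, which is the same limitation any transparent redirect has and is why the request carries an IP rather than a hostname.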