# PF ruleset for Tor + Privoxy



## markbsd (Nov 5, 2013)

I've got PF running and have this in my /etc/pf.conf:


```
block in all
pass out all keep state
```

But it seems that this disables Tor. What do I need to add to /etc/pf.conf to allow Tor use?


----------



## plamaiziere (Nov 5, 2013)

markbsd said:

> I've got PF running and have this in my /etc/pf.conf:
>
> ```
> ...
> ```



I don't know but tcpdump/wireshark will be your friend to see the traffic.


----------



## cpm@ (Nov 11, 2013)

This tutorial could help with setting up PF and tor(1) on FreeBSD. Also, you can complete the previous guide with this useful information obtained from the Tor wiki.


----------



## markbsd (Nov 11, 2013)

cpm said:

> This tutorial could help with setting up PF and tor(1) on FreeBSD.



Thanks, @cpm. That's a very useful guide. However, I'm just looking to run Tor as a client, so only need to figure out what exceptions/rules to set in my /etc/pf.conf file to enable Tor Internet connectivity whilst PF is running. I imagine it's just a simple line or two, but I can't work it out!

I'm guessing it's fine to block all incoming, but I imagine I need some rules to allow privoxy and Tor access. Thanks, though, that tutorial is really good. Some more technically inclined FreeBSD guys here might like to use it to set up a bridge relay on one or more of their servers to help people circumvent tyrannical censorship, or just exercise their right to privacy. If I had the technical know-how I'd even be willing to run a bridge relay on this old box, but I fear I am too lay to properly employ one. I really would love to though!


----------



## markbsd (Nov 11, 2013)

Okay. I'm slowly making sense of this, but still not sure of the proper syntax and structure of the ruleset.

TOR listens on 127.0.0.1 port 9050, and Privoxy, too, runs on localhost but port 8118. We want the firewall (PF) to direct all traffic through Privoxy to TOR. Or is it, direct all traffic through TOR to Privoxy?

This requires some ruleset to pass the TCP protocol (what ports though?) through the internal (or external?) interface to the external (or internal?) interface on port 8118 (Privoxy, which proxies to TOR), or port 9050 (TOR, which proxies to Privoxy).

*confused*

/etc/pf.conf:


```
pass in on [$internal_interface] proto tcp from [$internal_interface] to [$external_interface] port [???] \
   rdr-to 127.0.0.1 port 8118
```


What and where are my internal and external interfaces?

Do I need to "alias" my interfaces?

Which ports do I allow incoming/outgoing traffic? HTTP?

Is it right to redirect to Privoxy, or should it be TOR?

Does the syntax look correct?

I think I need a basic rundown on interfaces and proxies and protocols. Not to mention, clients, gateways, servers and workstations!


----------



## markbsd (Nov 12, 2013)

@cpm, I can't respond to your PM because you have the feature disabled.


----------



## markbsd (Nov 12, 2013)

It's working! For anyone else who is having troubles, here it is:


```
# cat /etc/pf.conf > forums.freebsd.org

#	$FreeBSD: release/9.2.0/share/examples/pf/pf.conf 218854 2011-02-19 14:57:00Z brucec $
#	$OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.


#################################################
##	      _-------------------	       ##
##::::::::::::| Tor configuration |::::::::::::##
##	       -------------------	       ##	
#################################################

#!-----[ note ]
#
#	sockstat -4l
#	tcpdump -w /var/log/tcpdump/[file] -i $ext_if
#	tcpdump -tttt -r /var/log/tcpdump/[file_date].pcap
#
#!---------------[ eof ]

#!-----[ begin ruleset ]

### ---> defence systems initializing ---> standby for status ---> may the force be with you!
ext_if="NIC"

set skip on lo1
antispoof for $ext_if inet

### can't get the right syntax/order for this scrub option: consult manual
#scrub in on $ext_if all fragment reassemble
#scrub in all fragment reassemble no-df max-mss 1440
#scrub in all

block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### ...say NO to probes! operation: blackhole
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### ssh brute force table needs building to st0p th3 h4x0rz
#table <ssh_abuse> persist
#block in quick from <ssh_abuse>
#pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

### lockdown protocol engaged >> the fortress activated >> NSA freezone
#block in all
#pass out all keep state

### ---> system security level 1 in effect ---> deathstar defences online ---> good job, luke!

#!-----[ eof ]
```


----------
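A minimal client-only ruleset for the setup discussed in this thread, as an added example that is not from any poster. It assumes the original breakage came from `block in all` also filtering loopback traffic, that `em0` is a placeholder NIC name, and that Tor and Privoxy listen on the 127.0.0.1 ports stated above.

```conf
# /etc/pf.conf: client-only host running Tor and Privoxy (added example)
# Assumptions: em0 is a placeholder NIC name; lo0 is the loopback interface;
# Tor's SocksPort is 127.0.0.1:9050 and Privoxy listens on 127.0.0.1:8118.

# --- before: the two-line ruleset from the first post ---
#   block in all
#   pass out all keep state
# "block in all" also applies to lo0. A local connection to 127.0.0.1:8118
# or 127.0.0.1:9050 passes out on lo0 and is then blocked coming back in,
# so the browser cannot reach Privoxy and Privoxy cannot reach Tor.

# --- after ---
ext_if = "em0"          # placeholder: use the name shown by ifconfig

# Options: do not filter loopback at all.
set skip on lo0

# Normalization has to come before filter rules (antispoof, block, pass)
# because pfctl enforces statement order by default (set require-order).
scrub in on $ext_if all fragment reassemble

# Filter rules: default deny inbound, allow stateful outbound.
antispoof quick for $ext_if inet
block in all
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# No "pass in" and no rdr rule is needed for a Tor client: Tor only makes
# outbound TCP connections to relays. Chaining is done in the applications:
#   browser HTTP proxy -> 127.0.0.1:8118 (Privoxy)
#   Privoxy config:       forward-socks5 / 127.0.0.1:9050 .
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it; `sockstat -4l` should show both listeners bound to 127.0.0.1 only.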

