author: dana koch <dsk@google.com> 2014-02-10 21:23:51 +1100
committer: Nick Mathewson <nickm@torproject.org> 2014-04-16 23:03:25 -0400
commit: f680d0fdd2e42bce109219ed78d0527d16995415 (patch)
tree: 9946b436e76cba9871cb09bec4c2acb59f10c98d /doc
parent: 08ef8c0958ebeb134e4f29d1738c85c0ac81e71d (diff)
download: tor-f680d0fdd2e42bce109219ed78d0527d16995415.tar, tor-f680d0fdd2e42bce109219ed78d0527d16995415.tar.gz
Educate tor on OpenBSD's use of divert-to rules with the pf firewall.
This means that tor can run without needing to communicate with ioctls to the firewall, and therefore doesn't need to run with privileges to open the /dev/pf device node. A new TransProxyType is added for this purpose, "pf-divert"; if the user specifies this TransProxyType in their torrc, then the pf device node is never opened and the connection destination is determined with getsockname (as per pf(4)). The default behaviour (i.e., when TransProxyType is "default" when using the pf firewall) is still to assume that pf is configured with rdr-to rules.
Diffstat (limited to 'doc')
-rw-r--r-- doc/tor.1.txt | 17
1 files changed, 12 insertions, 5 deletions
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 1a5ced849..d1556a554 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1196,12 +1196,12 @@ The following options are useful only for clients (that is, if
compatibility, TransListenAddress is only allowed when TransPort is just
a port number.)
-[[TransProxyType]] **TransProxyTYpe** **default**|**TPROXY**|**ipfw**::
+[[TransProxyType]] **TransProxyTYpe** **default**|**TPROXY**|**ipfw**|**pf-divert**::
TransProxyType may only be enabled when there is transparent proxy listener
enabled.
+
- Set this to TPROXY if you wish to be able to use the TPROXY Linux module to
- transparently proxy connections that are configured using the TransPort
+ Set this to "TPROXY" if you wish to be able to use the TPROXY Linux module
+ to transparently proxy connections that are configured using the TransPort
option. This setting lets the listener on the TransPort accept connections
for all addresses, even when the TransListenAddress is configured for an
internal address. Detailed information on how to configure the TPROXY
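Review bot: the rewritten heading line still carries the pre-existing typo **TransProxyTYpe** (capital Y); since this line is being edited anyway to add **pf-divert**, fix it to **TransProxyType** so the rendered manual matches the [[TransProxyType]] anchor and the option name users must actually write in torrc. The quoting change to "TPROXY" is consistent with the "ipfw" and "default" wording in the same section.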
@@ -1210,8 +1210,15 @@ The following options are useful only for clients (that is, if
+
Set this option to "ipfw" to use the FreeBSD ipfw interface.
+
- Set this option to "default", or leave it unconfigured, to use regular
- IPTables on Linux, or to use pf on the *BSD operating systems.
+ On *BSD operating systems when using pf, set this to "pf-divert" to take
+ advantage of +divert-to+ rules, which do not modify the packets like
+ +rdr-to+ rules do. Detailed information on how to configure pf to use
+ +divert-to+ rules can be found in the pf.conf(5) manual page. On OpenBSD,
+ +divert-to+ is available to use on versions greater than or equal to
+ OpenBSD 4.4.
+ +
+ Set this to "default", or leave it unconfigured, to use regular IPTables
+ on Linux, or to use pf +rdr-to+ rules on *BSD systems.
+
(Default: "default".)
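Review bot: the new +divert-to+ paragraph describes what the rules do to packets but not why an operator would choose "pf-divert" over "default": the commit message states that in this mode tor never opens /dev/pf and therefore does not need the privileges that the ioctl interface requires, and that the destination is recovered with getsockname instead. That privilege reduction is the decision criterion an administrator cares about, so add a sentence to that effect, e.g. "With this setting tor does not need to open /dev/pf." Minor wording: "versions greater than or equal to OpenBSD 4.4" reads better as "OpenBSD 4.4 and later".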