Opened 6 years ago

Last modified 11 days ago

#3572 assigned defect

Disable Orbot transparent redirect for rfc1918 & localhost

Reported by: dmz@…
Owned by: n8fr8
Priority: Medium
Milestone:
Component: Applications/Orbot
Version:
Severity: Normal
Keywords: RFC1918 localhost
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The iptables rules set up on Orbot to redirect all traffic through Tor cause problems when I'm on my wireless on my RFC1918 network or trying to access stuff bound to localhost (VNC, ...).

Could the transparent redirect scripts be updated to ignore RFC1918 & 127.0.0.X addresses?

Change History (7)

comment:1 Changed 6 years ago by n8fr8

Status: new → needs_review

I think we have addressed this in 1.0.8, but I will do some more testing.

comment:2 Changed 6 years ago by rransom

Resolution: invalid
Status: needs_review → closed

Connections to RFC-1918 private addresses are generally unsafe and should not be allowed.

comment:3 Changed 6 years ago by n8fr8

Resolution: invalid
Status: closed → reopened

comment:4 Changed 6 years ago by n8fr8

Status: reopened → assigned

comment:5 Changed 6 years ago by n8fr8

Thanks rransom for the guidance on this. This will not be allowed by default, but will perhaps be added as an advanced "there be dragons" feature for users to enable.

Otherwise, perhaps you shouldn't be running VNC and transproxy Tor at the same time - asking for trouble?

comment:6 Changed 6 years ago by da_peda

How about, instead of generically allowing/blocking RFC1918 addresses, allow the user to specify a list of hosts/networks to exempt, e.g. the home network or a VPN gateway plus network behind it?
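
The per-network exemption list suggested in comment 6, sketched as an added example; it is not Orbot's code and not part of the ticket. The function name `build_rules`, the `min_prefix` limit and TransPort 9040 are assumptions. It validates each entry, flags exemptions outside RFC 1918/loopback, and emits the `RETURN` rules ahead of the catch-all redirect.

```python
import ipaddress

# RFC 1918 private ranges plus loopback, the destinations named in the ticket.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

TRANS_PORT = 9040  # assumption: port of Tor's TransPort listener


def build_rules(entries, trans_port=TRANS_PORT, min_prefix=8):
    """Turn a user exemption list into ordered nat/OUTPUT rule lines.

    Returns (rules, warnings). Traffic matching an exemption RETURNs before
    the REDIRECT and therefore leaves the device directly, not through Tor.
    """
    nets = []
    for raw in entries:
        # Literal IPv4 addresses/CIDRs only; hostnames raise ValueError here.
        net = ipaddress.IPv4Network(raw.strip(), strict=False)
        if net.prefixlen < min_prefix:
            raise ValueError(f"{net} is too broad to exempt")
        nets.append(net)

    # Merge duplicates and nested entries so the rule list stays minimal.
    nets = list(ipaddress.collapse_addresses(nets))

    # Anything outside RFC 1918/loopback is a public destination: flag it.
    warnings = [str(n) for n in nets
                if not any(n.subnet_of(r) for r in LOCAL_RANGES)]

    rules = [f"iptables -t nat -A OUTPUT -d {n} -j RETURN" for n in nets]
    # Catch-all goes last: every other new TCP connection is sent to Tor.
    rules.append(f"iptables -t nat -A OUTPUT -p tcp --syn "
                 f"-j REDIRECT --to-ports {trans_port}")
    return rules, warnings


if __name__ == "__main__":
    # Constructed sample list: home LAN, a host inside it, a VPN subnet,
    # and a public VPN gateway (documentation address).
    rules, warnings = build_rules(
        ["192.168.1.0/24", "192.168.1.10", "10.8.0.0/24", "203.0.113.7"])
    print("\n".join(rules))
    for w in warnings:
        print(f"warning: {w} is a public destination exempted from Tor")
```
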

comment:7 Changed 11 days ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
