Commit 286be43f authored by intrigeri

Merge branch 'feature/torify-dns' into old-master

parents e31f901d 0c28fa63
......@@ -110,7 +110,18 @@ rejected. This is intentional: it does not make sense leaking -via DNS
requests- network activity that would otherwise be torified. In that
case you probably want to read proper documentation about such
matters, enable the Tor DNS resolver and redirect DNS requests through
it.
it,
either globally:
shorewall::rules::torify::redirect_dns_to_tor { '-': }
or for specific users:
shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: }
The $tor_dns_host and $tor_dns_port variables must be set before
these defines are setup.
Example
-------
......
......@@ -27,6 +27,12 @@ class shorewall(
case $tor_transparent_proxy_port {
'': { $tor_transparent_proxy_port = '9040' }
}
case $tor_dns_host {
'': { $tor_dns_host = '127.0.0.1' }
}
case $tor_dns_port {
'': { $tor_dns_port = '8853' }
}
if $tor_user == '' {
$tor_user = $dist_tor_user ? {
'' => 'tor',
......
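Review bot: The two new `case` blocks for `$tor_dns_host` and `$tor_dns_port` only fill in defaults when the parameter is the empty string, consistent with the existing `$tor_transparent_proxy_port` handling, but nothing validates a non-empty value: whatever host or port a caller passes is later interpolated verbatim into the DNAT destination of the new `shorewall::rules::torify::redirect_dns_to_tor` define. Since these two values decide where every redirected DNS query is sent, the expected forms deserve at least a comment next to the defaults, e.g. `# tor_dns_host must be an IP address (127.0.0.1 selects the local Tor DNSPort); tor_dns_port must be the numeric port of that DNSPort`. If the module already depends on puppetlabs-stdlib, a `validate_re` on both values would turn a typo into a catalog failure instead of a silently wrong firewall rule. The enclosing `class shorewall(` body starts and ends outside the hunk.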
define shorewall::rules::torify::redirect_dns_to_tor() {
$user = $name
$destzone = $shorewall::tor_dns_host ? {
'127.0.0.1' => '$FW',
default => 'net'
}
$tcp_rule = "redirect-tcp-dns-to-tor-user=${user}"
if !defined(Shorewall::Rule["$tcp_rule"]) {
shorewall::rule {
"$tcp_rule":
source => '$FW',
destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
proto => 'tcp',
destinationport => 'domain',
user => $user,
order => 108,
action => 'DNAT';
}
}
$udp_rule = "redirect-udp-dns-to-tor-user=${user}"
if !defined(Shorewall::Rule["$udp_rule"]) {
shorewall::rule {
"$udp_rule":
source => '$FW',
destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
proto => 'udp',
destinationport => 'domain',
user => $user,
order => 108,
action => 'DNAT';
}
}
}
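Review bot: The define reads `$shorewall::tor_dns_host` and `$shorewall::tor_dns_port` without checking that they carry a value; if the shorewall class has not been evaluated before this define (the README hunk says the variables "must be set before these defines are setup"), the `destination` strings in both `shorewall::rule` resources degenerate to `net::` and a broken DNAT rule is emitted rather than an error. A guard at the top, `if "${shorewall::tor_dns_host}" == '' or "${shorewall::tor_dns_port}" == '' { fail("shorewall::tor_dns_host and tor_dns_port must be set before redirect_dns_to_tor") }`, would fail the catalog instead. The `$destzone` selector also maps anything other than the literal `127.0.0.1` to zone `net`, so a loopback spelled differently ends up routed towards the net zone, and when the resolver really is a remote host the redirected DNS leaves the machine unencrypted; a comment such as `# Only a resolver on 127.0.0.1 stays on-box; any other host is reached via the net zone in the clear` would make that trade-off visible to whoever sets `$tor_dns_host`. Finally, the tcp and udp blocks are identical apart from `proto` and the rule name, which is a style point worth a short comment or a shared local pattern so the two do not drift.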