Stream isolation?

So far we have configured our Tor daemon to transparently "torify" all the TCP connections of our workstation, in a setup where it "speaks" with pf, the OpenBSD firewall.

Do you remember? It was here, in our steemit.

Obviously our work is far from finished, and one way or another I sincerely think that we'll be working to protect the privacy of Internet users for the rest of our lives, but that is another story.

Stream isolation... not a lot of people speak about isolation. The human mind considers it one of the worst things, and honestly with some reason: isolation is not fun. But in the privacy world, isolation of different streams of data is the key, if one of the fourteen or one bad boys organization (are there any differences?... no, I really don't think so... man, I don't think... I know it).

Our good friend Tor (you're a friend of mine, correct, my dear?), in a somewhat less documented, or better, less publicized feature, can isolate TCP/IP streams in four different manners; we know that a connection is characterized by:

1. source IP
2. destination IP
3. source port
4. destination port

If some of you, dear friends, don't know how the TCP/IP protocol works, I recommend reading a short introduction on the famous Wikipedia, here.

In practice Tor will assign a different route through the Tor network for every connection, every IP and every application, depending on our configuration in the torrc file.

##Hacking over torrc##

So we're going to change the configuration of our torrc to enable the stream isolation discussed above.

Here is the new version, as usual located under /etc/tor/ :

    User _tor
    RunAsDaemon 1
    AvoidDiskWrites 1
    Log notice syslog
    Log notice file /var/log/tor_log
    DataDirectory /var/tor
    ControlSocket /var/tor/control GroupWritable RelaxDirModeCheck
    ControlSocketsGroupWritable 1
    SocksPort unix:/var/tor/socks WorldWritable
    ControlPort 127.0.0.1:9051
    CookieAuthentication 1
    CookieAuthFileGroupReadable 1
    CookieAuthFile /var/tor/control.authcookie
    GeoIPFile /usr/local/share/tor/geoip
    GeoIPv6File /usr/local/share/tor/geoip6
    VirtualAddrNetwork 10.192.0.0/10
    AutomapHostsOnResolve 1
    ExcludeNodes {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
    NodeFamily {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
    StrictNodes 1
    GeoIPExcludeUnknown 1
    PathsNeededToBuildCircuits 0.95
    DNSPort 127.0.0.1:53 IsolateDestPort
    #GENERIC
    TransPort 127.0.0.1:9040
    #FIREFOX
    SocksPort 127.0.0.1:9900
    #CHROMIUM
    SocksPort 127.0.0.1:9901
    #TOR BROWSER
    SocksPort 127.0.0.1:9902
    #XCHAT
    SocksPort 127.0.0.1:9903 IsolateDestAddr IsolateDestPort
    #THUNDERBIRD + TORBIRDY
    SocksPort 127.0.0.1:9904 IsolateDestAddr IsolateDestPort
    #IM
    SocksPort 127.0.0.1:9905 IsolateDestAddr IsolateDestPort
    #PKG_ADD
    SocksPort 127.0.0.1:9906
    #KEYBASE
    SocksPort 127.0.0.1:9907 IsolateDestAddr IsolateDestPort
    #SSH
    SocksPort 127.0.0.1:9908 IsolateDestAddr IsolateDestPort
    #WGET
    SocksPort 127.0.0.1:9909 IsolateDestAddr IsolateDestPort
    #BITCOIN
    SocksPort 127.0.0.1:9910
    #PRIVOXY
    SocksPort 127.0.0.1:9911
    #POLIPO
    SocksPort 127.0.0.1:9912
    #GNOME wide proxy
    SocksPort 127.0.0.1:9913

OK, compared with our last torrc configuration you will see a lot of additions.

First of all, you have to create /var/tor/control.authcookie :

$ doas -u _tor touch /var/tor/control.authcookie

Secondly, you can see that we statically declare a series of SocksPort lines, with different options, for every application we normally use on our workstation (these are mine; you can declare others).

But what exactly are we doing?

We treat the transparent proxy port ( TransPort 127.0.0.1:9040 ) as our last resort: every application that we do not declare on one of the other ports will be routed into the Tor network through that port.

The other applications that we declare will be configured statically, one by one, if they support SOCKS proxying, or will be wrapped by a third program; in our scenario we will use torsocks, privoxy or polipo.

There's another difference: some applications use IsolateDestAddr and/or IsolateDestPort .

These two options, two of the four that Tor offers us, create different circuits for the same application. In practice, the same app will reach the outside world from different IP addresses.

Using those tricks, in a single work session we present many different identities to the external world. Obviously, we are hiding our presence on the Internet very well.
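As an added illustration (not part of the original post, and not Tor's own code), the Python sketch below models which streams may share a circuit under three of the listener lines from the torrc above. It is a simplified model that assumes a single local client with no SOCKS credentials; the function names are made up for this example and the destination addresses are constructed sample values.

```python
# Simplified model, not Tor's code. Assumes one client, no SOCKS auth, no SessionGroup.

TORRC = """\
TransPort 127.0.0.1:9040
SocksPort 127.0.0.1:9900
SocksPort 127.0.0.1:9908 IsolateDestAddr IsolateDestPort
"""  # listener lines copied from the torrc above

LISTENER_OPTIONS = {"SocksPort", "TransPort", "DNSPort"}
DEST_FLAGS = {"IsolateDestAddr", "IsolateDestPort"}

def parse_listeners(text):
    """Map each listener address to the destination-isolation flags set on it."""
    listeners = {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(tokens) >= 2 and tokens[0] in LISTENER_OPTIONS:
            listeners[tokens[1]] = DEST_FLAGS & set(tokens[2:])
    return listeners

def isolation_key(listeners, listener, dest_addr, dest_port):
    """Streams with equal keys may share a circuit; different keys never do."""
    flags = listeners[listener]
    key = [listener]  # streams on different listeners never share a circuit
    if "IsolateDestAddr" in flags:
        key.append(dest_addr)
    if "IsolateDestPort" in flags:
        key.append(dest_port)
    return tuple(key)

def group_streams(listeners, streams):
    """Group (listener, dest_addr, dest_port) streams by isolation key."""
    groups = {}
    for stream in streams:
        groups.setdefault(isolation_key(listeners, *stream), []).append(stream)
    return groups

# Constructed sample streams (documentation addresses, not real hosts).
STREAMS = [
    ("127.0.0.1:9900", "192.0.2.10", 443),    # Firefox port, no dest flags
    ("127.0.0.1:9900", "198.51.100.7", 80),
    ("127.0.0.1:9908", "192.0.2.10", 22),     # SSH port, dest isolation
    ("127.0.0.1:9908", "198.51.100.7", 22),
    ("127.0.0.1:9908", "198.51.100.7", 22),
]

if __name__ == "__main__":
    for key, members in group_streams(parse_listeners(TORRC), STREAMS).items():
        print(key, "->", len(members), "stream(s)")
```

In this model the two streams on port 9900 fall into one group, while the SSH port splits its streams per destination, so an observer at one exit cannot link the two SSH targets to each other.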

##Special thanks##

I want to close this post with one simple thank you to the Whonix crew, who have worked a lot, published good tutorials about stream isolation and explained it in a good and simple way.

Thank you