Tor & application-firewall support

John Moser john.r.moser at
Tue Apr 24 13:03:19 UTC 2012

On 04/24/2012 08:49 AM, Paul Campbell wrote:
> There's been some discussion on this mailing list about
> application-firewalls, and I wanted to say a word about Ubuntu's
> inability to filter internet connections at the application-level.

It's doable, just not pretty.

> I work as a freelance journalist. On many occasions I recommend the use
> of Tor to sources in middle eastern and southeast Asian countries. For
> their own safety, they need an anonymous way to upload things to the
> internet and in general to communicate online.

Immediately assuming you've got the technical profile of a ZDNet columnist.

> When needing to use Tor, the source will activate the firewall
> software's user-created "Tor Profile" and then start a Tor browsing
> session. When finished browsing, the source will close Tor and change
> the firewall settings from the "Tor Profile" back to the default profile
> which in general allows all applications to connect to the internet.
> This setup ensures that no other applications "accidentally" connect to
> the internet during an active Tor session and "reveal" the source's true
> IP address.


A connection from your IP address doesn't "reveal" your source address. 
  The source address from your computer is stamped on every TOR packet: 
  it's possible to determine that you're using TOR, regardless. 
Blocking other connections unrelated to TOR won't hide what you're doing 
under TOR; and having other connections (say to your e-mail, IRC, P2P, 
non-sensitive Web sites, etc.) doesn't jeopardize the secrecy of your 
TOR connection.

Aside, has anyone considered that actively aiding a sovereign nation's 
population in accessing materials restricted from the general 
population's view is an active attack on that nation's procedurally 
declared national security, and a direct act of war?  Not defending 
tyranny, just saying:  you are committing an act of war.  If we have 
extradition treaties with these people, it's perfectly reasonable for 
you to be arrested and shipped over there; and if our government refuses 
to do so, then the logical response in kind is for them to start bombing 
our soil.

Some things are worth getting bloody for, and some things carry the 
implications but in practice those implications never pan out.  You 
probably won't get extradited and nobody is going to start lobbing nukes 
just because of people helping crack the Great Arab Firewall.  They 
could though; it's actually a reasonable response.

> Sincerely,
> Paul Campbell

More information about the Ubuntu-devel-discuss mailing list