Hello.
I am trying to make Tor only allow traffic through onion services and exit nodes. I would like to blacklist all domains first, as that is simple and does not need to be updated, then whitelist all onions and exits.
Reason: I am hosting an onion service, but I don’t want any client traffic coming from that machine.
I’ve played with MapAddress, VirtualAddrNetworkIPV4, AutomapHostsOnResolve and AutomapHostsSuffixes, but nothing seems to work as intended above.
MapAddress =127.0.0.1 does not report an invalid conf, but the controller reports that it is using invalid syntax because "" can’t be the source or target.
I tricked the controller with MapAddress .=127.0.0.1: as every domain has a dot, the controller didn’t report a syntax error, but this option is actually ignored.
If the above worked, then the next option would be the whitelisting:
MapAddress *.onion VIRTUAL_IP
Or possibly AutomapHostsOnResolve 1 and AutomapHostsSuffixes .exit,.onion would hopefully handle that part.
I did it the lazy way, the antivirus way: I downloaded the IANA TLD domain list and used basic string manipulation to make: MapAddress *.${domain} 127.0.0.1
And yes, as you may think, the list is huge and has to be in its own included conf file, and it is also prone to become outdated every time a new TLD is created. But it works; in a dumb and mistake-prone way, it works. Can this be done better? Not the antivirus way where all is permitted and some known items are blocked. I would prefer that all is blocked and some items are permitted.
The real objective was to block all non-.onion and non-.exit targets coming from a client, which the controller reports with SOURCE_ADDR, but I didn’t find an option to MapAddress per client or anything similar to manipulate addresses per client source. That is why I started doing this for all Tor traffic, which is not what I really want; what I want is to control targets per client.
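The "lazy way" generator described in the post, as an added example that is not part of the original post: it assumes the IANA list format (a `#` comment line followed by one upper-case TLD per line), the author's sink address 127.0.0.1, and uses a constructed sample list rather than the real download.

```shell
#!/bin/sh
# Turn an IANA-style TLD list into MapAddress lines that sink every TLD to
# 127.0.0.1 (the author's chosen sink), skipping onion and exit so those two
# suffixes stay reachable. Input: a file like tlds-alpha-by-domain.txt.
gen_mapaddress() {
    # $1 = path to the TLD list; MapAddress lines are written to stdout
    tr -d '\r' < "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | grep -v '^#' \
    | grep -v '^$' \
    | grep -v -x -e 'onion' -e 'exit' \
    | while read -r tld; do
        printf 'MapAddress *.%s 127.0.0.1\n' "$tld"
      done
}

# Constructed sample in the IANA file's format (the real list is far longer
# and does not normally carry ONION or EXIT; the filter is just a safeguard).
SAMPLE_TLDS="$(mktemp)"
cat > "$SAMPLE_TLDS" <<'EOF'
# Version (constructed sample)
COM
ORG
ONION
NET
EXIT
EOF

# Emit the generated include file to stdout
gen_mapaddress "$SAMPLE_TLDS"
```

Redirect the output into its own file and pull it into torrc with Tor's `%include` directive, then regenerate it whenever the IANA list changes.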