Some commonly used Tor options

Author: twfcc, December 27, 2009, 07:41:47 AM

twfcc

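Because the blocking has been stepped up recently, Dongwangtong, Freegate and the like sometimes stop working temporarily, and Tor, as an allied circumvention tool, comes in handy for getting here to download the new versions. Here are some torrc settings, taken from Tor v0.2.1.20 on Linux; they work the same on Windows.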

UseBridges 0|1
              When set, Tor will fetch descriptors for each bridge  listed  in
              the  "Bridge"  config  lines, and use these relays as both entry
              guards and directory guards. (Default: 0)
This turns bridges on or off: 1 uses bridges, 0 does not. Add UseBridges 1 to torrc.

Bridge IP:ORPort [fingerprint]
              When set along with UseBridges, instructs Tor to use  the  relay
              at  "IP:ORPort"  as a "bridge" relaying into the Tor network. If
              "fingerprint"  is  provided  (using  the  same  format  as   for
              DirServer),  we will verify that the relay running at that
              location has the right fingerprint. We also use fingerprint to  look
              up  the  bridge descriptor at the bridge authority, if it's
              provided and if UpdateBridgesFromAuthority is set too.
Format for adding a bridge:

Bridge xxx.xxx.xxx.xxx:port , where xxx.xxx.xxx.xxx is the bridge IP, e.g.
Bridge 123.123.456.8:3128


ExcludeNodes node,node,...
              A  list  of  identity fingerprints, nicknames, country codes and
              address patterns of nodes to never use when building a  circuit.
              (Example:  ExcludeNodes SlowServer, $ABCDEFFFFFFFFFFFFFFF, {cc},
              255.254.0.0/8)

Used to exclude nodes, such as those in China, Hong Kong, Macau and so on, e.g.
ExcludeNodes {CN},{HK},{MO}
GeoIPFile filename
         A  filename  containing  GeoIP  data,  for use with
         BridgeRecordUsageByCountry.
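The file used for excluding nodes, e.g.
GeoIPFile /etc/tor/geoip , and you will see Parsing Geoip file... appear when Tor starts
Download geoip here:
http://ip-to-country.webhosting.info/downloads/ip-to-country.csv.zip , after downloading, the format has to be converted. For convenience I wrote a bash script to do this; since I don't know how to write batch files, I ask fellow users to port it.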
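#! /bin/bash
# get tor geoip file: download the ip-to-country CSV and convert it
# to three columns (range start, range end, country code)

url="http://ip-to-country.webhosting.info/downloads/ip-to-country.csv.zip"
geoipfile=${url##*/}      # archive name: ip-to-country.csv.zip
csv=${geoipfile%.*}       # extracted name: ip-to-country.csv
ret=5
# every step has to succeed before the file is reported as created
if wget -q -O "$geoipfile" "$url" && unzip -q -o "$geoipfile"
    then
       # keep the first three columns and strip the double quotes
       if cut -d, -f1-3 < "$csv" | sed 's/"//g' > geoip && [ -s geoip ]
           then
              ret=0
       fi
fi
# remove the downloaded archive and the extracted CSV
rm -f "$geoipfile" "$csv"
if [ "$ret" -eq 0 ]
    then
      echo -e "geoip is created, use: sudo mv geoip /etc/tor/
               or mv geoip $HOME/.vidalia/\n"
    else
      # do not leave an empty or partial geoip behind
      rm -f geoip
      echo "Failed to create geoip file."
fi
exit "$ret"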

ExcludeExitNodes node,node,...
              A list of identity fingerprints, nicknames,  country  codes  and
              address  patterns  of  nodes  to  never use when picking an exit
              node.  Note that any node listed in  ExcludeNodes  is
              automatically considered to be part of this list.
EntryNodes node,node,...
              A  list  of  identity fingerprints, nicknames, country codes and
              address patterns of nodes to  use  for  the  first  hop  in  the
              circuit.  These are treated only as preferences unless
              StrictEntryNodes (see below) is also set.
ExitNodes node,node,...
              A list of identity fingerprints, nicknames,  country  codes  and
              address  patterns  of  nodes to use for the last hop in the
              circuit.  These are treated only as preferences unless
              StrictExitNodes (see below) is also set.
These are all options for setting exit, entry and excluded nodes; the format is the same as above, and they need the geoip file.

StrictEntryNodes 0|1
              If  1,  Tor  will  never  use  any nodes besides those listed in
              "EntryNodes" for the first hop of a circuit.


StrictExitNodes 0|1
              If 1, Tor will never use  any  nodes  besides  those  listed  in
              "ExitNodes" for the last hop of a circuit.
These two are the switches that control the entry and exit nodes.

UpdateBridgesFromAuthority 0|1
              When  set  (along with UseBridges), Tor will try to fetch bridge
              descriptors from the configured bridge authorities  when
              feasible.  It  will  fall  back  to a direct request if the authority
              responds with a 404. (Default: 0)
This one is used to update bridge information.

DNSPort PORT
              If  non-zero,  Tor listens for UDP DNS requests on this port and
              resolves them anonymously.  (Default: 0).


DNSListenAddress IP[:PORT]
              Bind to this address to listen for DNS  connections.   (Default:
              127.0.0.1).


ClientDNSRejectInternalAddresses 0|1
              If  true,  Tor  does  not  believe any anonymously retrieved DNS
              answer that tells it that an address  resolves  to  an  internal
              address  (like  127.0.0.1 or 192.168.0.1).  This option prevents
              certain browser-based attacks; don't turn it off unless you know
              what you're doing.  (Default: 1)
These three are for setting up the DNS server, but I have not used them.

HTTPProxy host[:port]
              Tor will make all its directory requests through this  host:port
              (or  host:80  if  port is not specified), rather than connecting
              directly to any directory servers.
HTTPProxyAuthenticator username:password
              If defined, Tor will use this username:password for  Basic  HTTP
              proxy authentication, as in RFC 2617. This is currently the only
              form of HTTP proxy authentication that Tor supports;  feel  free
              to submit a patch if you want it to support others.
HTTPSProxy host[:port]
              Tor  will  make  all  its  OR  (SSL)  connections  through  this
              host:port (or host:443 if port is not specified), via HTTP
              CONNECT  rather  than connecting directly to servers.  You may want
              to set FascistFirewall to restrict the set of  ports  you  might
              try to connect to, if your HTTPS proxy only allows connecting to
              certain ports.


HTTPSProxyAuthenticator username:password
              If defined, Tor will use this username:password for Basic  HTTPS
              proxy authentication, as in RFC 2617. This is currently the only
              form of HTTPS proxy authentication that Tor supports; feel  free
              to submit a patch if you want it to support others.
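These options are for connecting to the Tor network through a proxy. Recently I have not been using bridges and have switched to an https proxy, e.g.
HTTPSProxy 192.168.0.5:80 , I use a public proxy, so HTTPSProxyAuthenticator
is not needed.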

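I hope the above is of some use to fellow users. If there are mistakes, please point them out, as I am no Tor expert. I also hope fellow users will not publish bridge addresses: when too much traffic points at one entry, it gets identified through analysis and the bridge is then blocked. The bridges the Tor project hands out are not necessarily the same for each person, precisely to avoid excessive traffic. To get bridges, send an email from Gmail to bridges@torproject.org; you can usually get bridges within a minute or two. Alternatively, use an online encrypted proxy or another circumvention tool to visit bridges.torproject.org.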
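A check for the converted geoip file before it is installed, added here as an example and not part of the original post. The function name `check_geoip`, the three-column line format and the sample lines are assumptions based on what the `cut`/`sed` step in the script above produces.

```shell
#!/bin/sh
# check_geoip FILE [CC ...]: sanity-check a converted geoip file before it is
# moved into /etc/tor/. Assumed line format (what the cut/sed step produces):
#   <range start, integer>,<range end, integer>,<two-letter country code>
# Any CC arguments are country codes that must have at least one range.
check_geoip() {
    file=$1; shift
    awk -F, -v need="$*" '
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; errors++ }
        /^#/ || /^[ \t\r]*$/ { next }                 # comments, blank lines
        NF != 3 { bad("expected 3 fields"); next }
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { bad("range is not numeric"); next }
        $3 !~ /^[A-Z][A-Z]$/ { bad("bad country code"); next }
        $1 + 0 > $2 + 0 || $2 + 0 > 4294967295 { bad("not a valid IPv4 range"); next }
        { seen[$3] = 1; good++ }
        END {
            n = split(need, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "no ranges for " want[i]; errors++ }
            printf "%d valid ranges, %d problems\n", good, errors
            exit (errors > 0 || good == 0)
        }
    ' "$file"
}

# Constructed sample: two good lines, one with a leftover quote, one reversed range.
sample=$(mktemp)
printf '%s\n' '16777216,16777471,AU' '16777472,16778239,CN' \
    '"16778240",16779263,AU' '16781312,16779264,JP' > "$sample"
# HK is requested but absent, so ExcludeNodes {HK} would match nothing.
check_geoip "$sample" CN HK || echo "geoip rejected: do not install it"
rm -f "$sample"
```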

逝者如斯夫斯基

So you are on Linux too? I am still not very good at using Tor on Linux.

逝者如斯夫斯基


宗师

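Because Tor is open source, it is both hard and easy for the CCP to block.
Bridges inside China are themselves evidence of monitoring who is using it.
Sensitive individuals should not use it.
Across the Great Wall, we can reach every corner of the world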

twfcc

Quote from: 逝者如斯夫斯基 on December 28, 2009, 05:10:35 AM
So you are on Linux too? I am still not very good at using Tor on Linux.

My Ubuntu box does not have Vidalia; you could take a look at my torrc:
~$ sed '/^#/d' /etc/tor/torrc


SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
ClientOnly 0 # client only
MaxCircuitDirtiness 450
UpdateBridgesFromAuthority 1
ExcludeNodes {CN},{HK},{MO}  # this excludes nodes in China, Hong Kong and Macau
GeoIPFile /etc/tor/geoip  # this is where I keep geoip
httpsproxy 208.XXX.XX.34:80 # this is my https proxy

On Win32, put the geoip file in the same folder as torrc and change the line to
GeoIPFile .\geoip

On Linux you can use tail -f /var/log/tor/log to watch the messages; these are my current messages:
~$ tail -f /var/log/tor/log
Jan 01 12:15:29.440 [notice] Bootstrapped 100%: Done.
Jan 01 12:15:47.328 [notice] Interrupt: exiting cleanly.
Jan 01 12:15:49.378 [notice] Tor 0.2.1.20 opening log file.
Jan 01 12:15:49.383 [notice] Parsing GEOIP file.
Jan 01 12:15:51.447 [notice] We now have enough directory information to build circuits.
Jan 01 12:15:51.447 [notice] Bootstrapped 80%: Connecting to the Tor network.
Jan 01 12:15:51.720 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Jan 01 12:15:55.566 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Jan 01 12:15:58.506 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 01 12:15:58.506 [notice] Bootstrapped 100%: Done.
Jan 01 12:16:15.000 [notice] Our directory information is no longer up-to-date enough to build circuits: We have only 128/1448 usable descriptors.
Jan 01 12:16:15.000 [notice] I learned some more directory information, but not enough to build a circuit: We have only 128/1448 usable descriptors.
Jan 01 12:16:17.258 [notice] I learned some more directory information, but not enough to build a circuit: We have only 224/1448 usable descriptors.
Jan 01 12:16:21.176 [notice] I learned some more directory information, but not enough to build a circuit: We have only 320/1448 usable descriptors.
Jan 01 12:16:21.288 [notice] We now have enough directory information to build circuits.
Jan 01 12:20:56.617 [notice] Received reload signal (hup). Reloading config and resetting internal state.

~$ tail -f /var/log/tor/log
Jan 01 12:20:56.619 [notice] Tor 0.2.1.20 opening new log file.

On Ubuntu I have Tor start at boot.
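A small torrc check covering the options discussed in this thread, added here as an example and not part of any post. The function name `lint_torrc` and the sample file are assumptions; it treats a missing GeoIPFile line as a problem, following the first post's statement that the country-code options need the geoip file.

```shell
#!/bin/sh
# lint_torrc FILE: flag torrc problems around the options discussed in this
# thread before Tor is restarted.
# Assumes the 0.2.1.x "Bridge IP:ORPort [fingerprint]" form quoted in the thread.
lint_torrc() {
    awk '
        function warn(msg) { print "WARN: " msg; warnings++ }
        { sub(/#.*/, ""); if (NF == 0) next }        # strip comments, skip blanks
        { key = tolower($1) }                        # option names ignore case
        key == "geoipfile"  { geoip = 1 }
        key == "usebridges" { usebridges = ($2 == "1") }
        key == "bridge" {
            bridges++
            n = split($2, hp, ":"); m = split(hp[1], o, ".")
            ok = (n == 2 && m == 4 && hp[2] ~ /^[0-9]+$/ && hp[2] + 0 >= 1 && hp[2] + 0 <= 65535)
            for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok) warn("Bridge address is not a valid IPv4:port: " $2)
        }
        key ~ /^(excludenodes|excludeexitnodes|entrynodes|exitnodes)$/ {
            have[key] = 1
            if ($0 ~ /[{][A-Za-z][A-Za-z][}]/) cc = cc " " $1   # {CN}-style code
        }
        key == "strictexitnodes"  && $2 == "1" { strictexit = 1 }
        key == "strictentrynodes" && $2 == "1" { strictentry = 1 }
        END {
            if (cc != "" && !geoip) warn("country codes used without GeoIPFile:" cc)
            if (usebridges && !bridges) warn("UseBridges 1 but no Bridge line")
            if (bridges && !usebridges) warn("Bridge lines present but UseBridges is not 1")
            if (strictexit && !("exitnodes" in have)) warn("StrictExitNodes 1 without ExitNodes")
            if (strictentry && !("entrynodes" in have)) warn("StrictEntryNodes 1 without EntryNodes")
            exit (warnings > 0)
        }
    ' "$1"
}

# Constructed torrc built from lines that appear in the thread.
sample=$(mktemp)
printf '%s\n' 'UseBridges 1' 'Bridge 123.123.456.8:3128' \
    'ExcludeNodes {CN},{HK},{MO}  # no GeoIPFile line' 'StrictExitNodes 1' > "$sample"
lint_torrc "$sample" || echo "torrc needs attention"
rm -f "$sample"
```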

twfcc

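Quote from: 宗师 on December 29, 2009, 11:44:50 AM
Because Tor is open source, it is both hard and easy for the CCP to block.
Bridges inside China are themselves evidence of monitoring who is using it.
Sensitive individuals should not use it.

My Tor has never been blocked. Bridges are well hidden, as long as people do not do what some Twitter users do, publishing bridge addresses every day and thinking that knowing how to use bridges makes them experts. That way a bridge will not have a large volume of traffic entering through it at the same time, and it will not be so easy to work out that it is a bridge. As for bridges in China, Hong Kong and Macau, you can look up the bridge's address yourself and so avoid them.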
#! /usr/bin/perl
# geo info of given ip, public domain
# usage: geoip [given ip]
use strict;
use warnings;
use LWP::Simple;
use File::Basename;

my $name = basename($0);
my $usage = "Usage:\t $name ip";
# the IP to look up is the first command-line argument
my $ip = $ARGV[0] || die "$usage\n";
my $url = "http://www.geody.com/geoip.php?ip=${ip}";
# LWP::Simple::get returns undef on failure and does not set $!
my $search = get($url) or die "Could not open $url\n";
my @search = split /\n/, $search;
# keep the line(s) of the reply that start with "IP:"
my @city = grep /^IP:/, @search;
my $city = join " ", @city;
# strip the HTML tags
$city=~ s/<[^>]+>//g;

print "$city\n";

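This Perl script helps find where an IP is located; I have posted it before.
On security, I have always considered open source more secure than closed source: the code has been read by hundreds or thousands of people, so at least trojans will not be an issue, and the software's own bugs or insecure design are easier to find. How can you be sure that any given circumvention software has not been cracked and monitored? The GFW will not tell you.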

逝者如斯夫斯基

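I used to think there was no Vidalia on Linux, so I found it inconvenient to use.
I just searched and found that it can be installed.
Running the command sudo apt-get install vidalia installs it.
There is also TorK, another graphical interface, which makes excluding nodes quite convenient.
Since there are graphical interfaces on Linux, using it is the same as on Windows.
I currently have Ubuntu 9.10 installed.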

twfcc

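It is the same Vidalia as on Windows, but I have never used it; on Windows I also edit torrc directly. For excluding nodes I always use the geoip file. That download URL is the geoip file Tor uses. I update it myself about once a week,
which keeps it more current. If there is a more detailed one, it can also be converted to Tor's format and used. I don't know whether Tor updates the geoip file internally.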

bzxdfg

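Quote from: twfcc on January 02, 2010, 03:00:12 PM
It is the same Vidalia as on Windows, but I have never used it; on Windows I also edit torrc directly. For excluding nodes I always use the geoip file. That download URL is the geoip file Tor uses. I update it myself about once a week,
which keeps it more current. If there is a more detailed one, it can also be converted to Tor's format and used. I don't know whether Tor updates the geoip file internally.
The OP likes updating that much?? Officially the geoip file is only updated once a month.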

twfcc

Often when I compare the old and new files they are different. I also do this with crontab, so it takes no effort.
