While doing some software development recently I wanted to be certain that the program was only making outbound connections over Tor and not leaking in unexpected ways, e.g. via DNS. Google mostly failed me, so I rolled my own.
Cutting to the chase, here’s the solution I came up with for Ubuntu:
#!/bin/sh
# ufw_onlytor.sh: allow outbound TCP only on the default Tor relay ports and
# drop every other outbound TCP/UDP packet (UDP covers DNS on 53/udp).
set -e
sudo ufw --force reset          # --force skips the interactive y/n prompt
sudo ufw allow out 9001/tcp     # default Tor ORPort
sudo ufw allow out 9030/tcp     # default Tor DirPort
sudo ufw deny out 1:65535/tcp   # ufw evaluates rules in order, so allows go first
sudo ufw deny out 1:65535/udp
sudo ufw --force enable         # enable also prompts without --force
Save this to ufw_onlytor.sh and run it. Every outbound TCP and UDP connection is then blocked except TCP to ports 9001 and 9030, the default Tor ORPort and DirPort. Because UDP is blocked too, the classic DNS leak on 53/udp is covered. Two caveats: the rules are host-wide rather than per program, so any process on the machine can still reach port 9001 or 9030 on any host, and only TCP and UDP are covered, not other IP protocols. Check the result with sudo ufw status verbose. To disable, run sudo ufw disable. If you have an existing ufw setup, record it first (sudo ufw status numbered) because the reset step throws it away.
- Tor relays also commonly listen on ports 80 and 443. I disabled these because they are common “leakage” ports for ordinary traffic. With only 9001 and 9030 open your Tor client can reach fewer relays, so it might take longer to find peers and bootstrap at startup.
- Your client connection to Tor’s SOCKS proxy normally takes place over localhost:9050 and is unaffected by these firewall rules, since ufw permits loopback traffic by default. Make sure the client hands hostnames to Tor (SOCKS5 with remote resolution, e.g. curl’s --socks5-hostname) instead of resolving them locally: with port 53 blocked, a local lookup now fails loudly rather than leaking, which is exactly the point.
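To show what “hand the hostname to Tor” means on the wire, here is a minimal SOCKS5 client written for this post as an added example (it is not code from the original post and not part of Tor). It assumes Tor’s default SocksPort of 127.0.0.1:9050 with no username/password authentication, and the target name check.torproject.org in the demo is just a constructed example. The CONNECT request carries the name itself (RFC 1928 address type 0x03) so Tor resolves it inside the circuit and getaddrinfo() is never called on the target; IP literals are handled too (types 0x01/0x04), which goes slightly beyond the single hostname case the post discusses.

```python
import ipaddress
import socket
import struct

# Tor's default SocksPort; assumed for this example, not taken from the post.
TOR_SOCKS_ADDR = ("127.0.0.1", 9050)

# RFC 1928 reply codes, for readable failure messages.
SOCKS5_REPLY = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

def socks5_greeting() -> bytes:
    """Version 5, one method offered: 0x00 (no authentication)."""
    return b"\x05\x01\x00"

def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request without ever resolving `host` locally.

    A hostname goes out verbatim as ATYP 0x03 so Tor does the lookup over the
    circuit; an IP literal goes out as ATYP 0x01 (v4) or 0x04 (v6).
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so send it as a name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def parse_socks5_reply(head: bytes) -> "tuple[bool, str]":
    """Interpret the first four bytes of the server's CONNECT reply."""
    if len(head) < 4 or head[0] != 0x05:
        return False, "malformed SOCKS5 reply"
    code = head[1]
    return code == 0x00, SOCKS5_REPLY.get(code, f"unknown reply code {code:#x}")

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS proxy closed the connection")
        buf += chunk
    return buf

def open_via_tor(host: str, port: int, timeout: float = 30.0) -> socket.socket:
    """Return a TCP socket to host:port tunnelled through the local Tor SocksPort."""
    sock = socket.create_connection(TOR_SOCKS_ADDR, timeout=timeout)
    try:
        sock.sendall(socks5_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != 0x05 or method != 0x00:
            raise ConnectionError("proxy rejected the no-auth method")
        sock.sendall(socks5_connect_request(host, port))
        head = _recv_exact(sock, 4)
        ok, why = parse_socks5_reply(head)
        if not ok:
            raise ConnectionError(f"CONNECT to {host}:{port} failed: {why}")
        # Consume the bound address + port so the socket sits at the payload.
        atyp = head[3]
        if atyp == 0x01:
            _recv_exact(sock, 4 + 2)
        elif atyp == 0x04:
            _recv_exact(sock, 16 + 2)
        elif atyp == 0x03:
            (n,) = _recv_exact(sock, 1)
            _recv_exact(sock, n + 2)
        else:
            raise ConnectionError("unknown address type in reply")
        return sock
    except Exception:
        sock.close()
        raise

if __name__ == "__main__":
    # Demo: with the ufw rules active a direct connection would be dropped,
    # but this one rides the Tor circuit and the name is resolved by Tor.
    s = open_via_tor("check.torproject.org", 443)
    print("CONNECT via Tor succeeded, proxy endpoint:", s.getpeername())
    s.close()
```

Run it with the firewall script active: the only packets that leave the machine are Tor’s own connections on 9001/9030, and if you replace the name with something your code resolves itself, the firewall turns the would-be DNS leak into a visible failure.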