On Fri, Dec 17, 2004 at 10:46:13PM -0600, Keith Ray wrote:
After recently setting up a Tor router, I was wondering about the necessity
of allowing all high range ports. Is this necessary for return packets to
be allowed back through the network? Example:
client:1024 -> server:80
server:80 -> client:1024
If all I have is:
ExitPolicy accept *:80, reject *:*
Will this block the first packet, the second packet, both, or neither?
Exit policies work at the TCP level. They let your server decide which
addresses and ports for outgoing connections will be allowed.
So if you accept *:80 and reject the rest, then outgoing connections
to anywhere on port 80 will be permitted, and outgoing connections on
other ports will be denied.
Exit policies don't think on a per-packet level. They think on a per
TCP stream level. Indeed, Tor also works on a per TCP stream level. We
don't transport packets, we transport streams.
Does that make more sense? You could switch to the exit policy you
indicated if you want, and it would work fine; but of course, we prefer
to have more nodes that allow more flexible exiting.