Re: How to ban many IPs?



On Wed, Oct 29, 2008 at 09:52:15PM +0100, slush wrote:
> The first solution is to use ExitPolicy. But there is probably a limit on
> the number of listed IPs. I don't know the exact limit, but because the
> list of restricted IPs is uploaded to directory servers, it cannot be very
> many. The blacklist contains hundreds of restricted IPs.

Right. An exit policy with more than 50 or so lines is probably too long.

> The second solution I found is to use a transparent proxy and apply filters
> inside it. With this solution, directory servers and Tor users don't know
> that some sites are filtered, and they can be confused. It is also not a
> good idea, because any good Tor scanner (soat or my own) will mark my exit
> node as a bad exit.

Right. We don't want to tell clients that it should work, and then have
them find that it doesn't.

> Is there any other solution to my problem? Any proposal? I know that
> filtering is not a good idea at all, but I have only two possibilities: no
> Tor, or a filtered one. I vote for a Tor server with high bandwidth and
> some restrictions.

The only solution we have right now is to overblock by using broad exit
policy lines. As the extreme, you might consider rejecting port 80, if
that's what you'd be mostly filtering. There are still plenty of other
useful ports.

--Roger
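
The overblocking approach from the reply above, as an added example that is not part of the original thread: it widens a blacklist of single IPv4 addresses into broader networks until it fits a line budget (the "50 or so" figure from the reply), then prints `ExitPolicy reject` lines. The function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample blacklist (RFC 5737 documentation addresses).
SAMPLE = ["192.0.2.10", "192.0.2.11", "192.0.2.200",
          "198.51.100.7", "203.0.113.5", "203.0.113.6"]

def common_supernet(a, b):
    """Return the smallest network that contains both a and b."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net

def overblock(addresses, max_lines=50):
    """Reduce an IPv4 blacklist to at most max_lines networks.

    Exact merges come first (collapse_addresses). After that, the adjacent
    pair with the narrowest covering network is merged repeatedly, so each
    step blocks as few extra addresses as possible.
    """
    if max_lines < 1:
        raise ValueError("max_lines must be at least 1")
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(a) for a in addresses))
    while len(nets) > max_lines:
        # Longest prefix of the covering network = least overblocking.
        i = max(range(len(nets) - 1),
                key=lambda k: common_supernet(nets[k], nets[k + 1]).prefixlen)
        merged = common_supernet(nets[i], nets[i + 1])
        # Re-collapse: the wider network may swallow further neighbours.
        nets = list(ipaddress.collapse_addresses(
            nets[:i] + [merged] + nets[i + 2:]))
    return nets

def exit_policy_lines(nets):
    """Format networks as torrc lines rejecting every port on them."""
    return [f"ExitPolicy reject {n}:*" for n in nets]

if __name__ == "__main__":
    for line in exit_policy_lines(overblock(SAMPLE, max_lines=3)):
        print(line)
```

Because the widened networks appear in the published exit policy, clients see exactly what the relay refuses, unlike the transparent-proxy filtering discussed in the thread.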