
Re: [tor-talk] Disable anything but hidden services



On Sep 5, 2012, at 3:15 AM, Andreas Krey wrote:

> On Wed, 05 Sep 2012 02:15:21 +0000, Justin Aplin wrote:
> ...
>> ExitPolicy accept 127.0.0.1:*
>> ExitPolicy reject *:*
>> 
>> This will allow exiting (connecting) to the local machine (where the hidden service should be listening) on all ports, and reject all other traffic.
> 
> No, you don't need an ExitPolicy; hidden services are independent of
> the exit policies, which control non-hidden service access. That
> accept line either has an unfortunate consequence (allowing access to
> *all* local services), or may be ignored altogether.

Ahh, you're correct, I forgot that HiddenServicePort did port mappings automatically. I'm not sure the first line would have any security consequences, as 127.0.0.1 is the origin point, and would allow traffic originating from the machine to exit via the same machine, which would only happen with very strange configurations (i.e. all of the single-hop options set to true), if at all. But I do see that it is useless at best.

~Justin Aplin
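To make the point of the exchange concrete, here is a small torrc linter written for this archive page; it is an added example, not code from either poster or from the Tor Project. It relies only on the documented meaning of ORPort (set only on relays), ExitPolicy (consulted only when relaying), ExitPolicyRejectPrivate (defaults to 1 and rejects private and loopback destinations ahead of the operator's policy), HiddenServiceDir, HiddenServicePort and SocksPort 0 (disables the SOCKS listener). The two sample configs and the reporting strings are constructed for the example; the private-range check is deliberately simplified and does not handle IPv6 or CIDR patterns.

```python
# Added example (not from the thread): lint a torrc for the ExitPolicy /
# HiddenServicePort confusion discussed above. Assumptions are noted inline.


def parse_torrc(text):
    """Return (key, value) pairs in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def _is_local(addr):
    """True for patterns the ExitPolicyRejectPrivate prefix already rejects.
    Simplified: loopback, RFC 1918 dotted-quads and the 'private' keyword."""
    if addr == "private" or addr.startswith(("127.", "10.", "192.168.")):
        return True
    parts = addr.split(".")
    return (len(parts) == 4 and parts[0] == "172"
            and parts[1].isdigit() and 16 <= int(parts[1]) <= 31)


def lint_torrc(text):
    """Return a list of human-readable findings for the given torrc text."""
    entries = parse_torrc(text)
    keys = {k for k, _ in entries}

    def values(name):
        return [v for k, v in entries if k == name]

    findings = []
    is_relay = "ORPort" in keys                      # relays advertise an ORPort
    reject_private = (values("ExitPolicyRejectPrivate") or ["1"])[-1] == "1"
    hs_dirs, hs_ports = values("HiddenServiceDir"), values("HiddenServicePort")
    # ExitPolicy accepts comma-separated rules on one line; flatten them.
    rules = [r.strip() for v in values("ExitPolicy") for r in v.split(",")]

    if hs_ports and not hs_dirs:
        findings.append("HiddenServicePort needs a preceding HiddenServiceDir")
    if hs_ports and rules:
        findings.append("ExitPolicy does not affect hidden services; "
                        "HiddenServicePort already maps the virtual port to the local listener")
    if rules and not is_relay:
        findings.append("ExitPolicy is ignored without ORPort: this tor is a client, not a relay")
    for rule in rules:
        action, _, pattern = rule.partition(" ")
        addr = pattern.rsplit(":", 1)[0]
        if action == "accept" and _is_local(addr) and reject_private:
            findings.append(f"'{rule}' is shadowed by ExitPolicyRejectPrivate 1 (the default)")
        elif action == "accept" and is_relay:
            findings.append(f"'{rule}' makes this relay an exit for that destination")
    if not any(v == "0" for v in values("SocksPort")):
        findings.append("SocksPort is open (default 9050): set 'SocksPort 0' "
                        "if this instance should serve only hidden services")
    return findings


# Constructed sample: the configuration proposed earlier in the thread.
THREAD_CONFIG = """
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
ExitPolicy accept 127.0.0.1:*
ExitPolicy reject *:*
"""

# Constructed sample: hidden-service-only instance, no relaying, no SOCKS.
HS_ONLY_CONFIG = """
SocksPort 0
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
"""

# Constructed sample: an ordinary exit relay, for contrast.
RELAY_CONFIG = """
ORPort 9001
ExitPolicy accept *:80, reject *:*
"""

if __name__ == "__main__":
    for name, cfg in [("thread", THREAD_CONFIG), ("hs-only", HS_ONLY_CONFIG),
                      ("relay", RELAY_CONFIG)]:
        print(f"== {name} ==")
        for f in lint_torrc(cfg) or ["no findings"]:
            print(" -", f)
```

Running it on the thread's configuration reports that the ExitPolicy lines are irrelevant to the hidden service, ignored without an ORPort, and that the `accept 127.0.0.1:*` rule is shadowed by the default private-address rejection in any case; the hidden-service-only config produces no findings.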


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk