[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Comcast blocks ALL traffic with tor relays - probably firewall configuration; further tests

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Comcast blocks ALL traffic with tor relays - probably firewall configuration; further tests
From: xmrk2 via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 13 Jun 2023 17:03:50 +0000
Cc: xmrk2 <xmrk2@xxxxxxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 13 Jun 2023 14:31:54 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1686681108; bh=xf5cWdzJQ9Mi94juP03w/J8AkY03aw6pl4IG3rHM6Pg=; h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=0R3lbVwiCuMh+uFc9m5KzeBE1xbyWcY/7JzMbcCCIS505Tg3s7ocIg0IXtXXDkYM6 mir5Pj+PopdkcyRDIhAOw2xxGOik/bktI85C5npiBf91xLIjCyj8qPH1ysH+84ZEto +A82VMG9vURi0JG9HrTAeTbfuWKcZoqYMoC7JYj3m700+u0Zk73w3hzDx/d8ceE2CB fRZp2y//RRAZ07tkGKcnFKiG3wKXQJSsacnCOrzbzqHDXRLbCZwTPdGCGDpuulBKDR CBIrDp8sRpsahR0nCPaxUWqM64IQ1yB48RxTqMdHFmc0SorwZLY8ZgNR3s8vGKbUvg wyG6ipLgLyfoA==
Feedback-id: 43685724:user:proton
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Starting from the most interesting info - another Comcast customer contacted me, lets call him CCB, and the first Comcast customer I mentioned previously will be CCA. CCB claims he had to disable some settings - probably "Advanced Security" - in his Comcast router, because before doing so, nobody was able to connect to his lightning node via IPv4 (clearnet, not tor). He claims to have done this back in July or August. We tested just today, and both sides were able to successfully initiate TCP connection, no blocking here. Importantly, at the same time I was not able to connect to CCA - timeout.

Chronology of tests, all times are in CEST.

around 18:00 yesterday - I started tor relay (non-exit, ExitPolicy reject *:*)

22:09 - it appeared as online on https://metrics.torproject.org/ . Started testing connection to CCA, using "socat -dd - TCP4:<CCA_ADDR>:<CCA_lightning_port>" every 5 minutes. Connected successfully.

07:07 - last successful connection to CCA

07:12 - first unsuccessful connection to CCA - timeout; all subsequent tests with CCA end with timeout

08:10 - stopped tor relay

13:09 - 13:14 - tests with CCB - both sides can connect

17:54 - still cannot connect to CCA

18:19 - connected to CCA from my mobile phone connection (so from another IP, which is not blacklisted, so we see CCA is not offline)

18:55 - still cannot connect to CCA

So port forwarding must be correct on CCA, or I would not be able to connect.

Now I think the blocking is real, probably on by default, but Comcast customers can opt-out.

Doubts / weaknesses of tests and theory:

only tested with 2 Comcast users
not sure about CCA's firewall settings - I just assume he has "Advanced Security" active
my tests only cover connections from me to Comcast users. Not sure if this "Advanced Security" also blocks connections from Comcast users. On one hand, my lightning channel with CCA was inactive for a month or more, and CCA contacted me because of it. Lightning nodes want and try to connect to all peers they have channel with, automatically - so his node presumably tried to connect to mine. And lightning nodes publish their IP addresses, there are sites which show current IP addresses of lightning nodes, like https://1ml.com/node/030c3f19d742ca294a55c00376b3b355c3c90d61c6b6b39554dbc7ac19b141c14f (the link already points to a concrete node). My node should announce its IP addresses. So even if connection from me is blocked, he should initiate connection. Inactive channel means he was not successful, difficult to explain without blocking. OTOH, he claims he can connect to tor, so must be able to connect to at least some tor relay, not necessarily mine.

Any volunteer Comcast customers for further testing? Preferably without lightning nodes, because I'd like to test with this "Adv. security" active, and it may interfere with lightning node (or any other use-case which needs high uptime).

If my theory is correct, Comcast is slightly less evil than my very first post would suggest. Still evil, because this blocking has little to do with security - maybe blocking exit relays makes some sense, they can be misused to attacks, DDoS etc. But according to Comcast, merely running tor relay makes you a threat. And this so-called security is probably on by default (according to CCB) and "There are definitely popups all over the place telling me to turn it on". So it is probably not apparent that this setting blocks (some? most?) tor relays completely.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Prev by Author: Re: [tor-relays] Comcast blocks ALL traffic with tor relays
Next by Author: Re: [tor-relays] Comcast blocks ALL traffic with tor relays
Previous by thread: Re: [tor-relays] Comcast blocks ALL traffic with tor relays
Next by thread: [tor-relays] Do they use their own modem/router?
Index(es):
- Author
- Thread