Re: [tor-relays] Comcast blocks ALL traffic with tor relays

Hi xmrk2,

As a fellow relay operator I think it might be helpful for me to add some clarification to what you saw.

1. "comcast" the ISP didn't block or interfere with traffic to/from the relay IP. (Thanks Jason for the clarification.)

However,

2. an average "comcast user" (with ISP-provided modem and the "advanced security" on by default) will by default block *incoming* connection from relay IPs. Thus, when the said user opens a port forwarding from their public IP, you can't proactively connect to that IP:port from your relay's IP.

3. "advanced security" will not block return traffic for *outgoing* connections from the user. That is, when this user connects to a relay IP (e.g., opens a tor browser), it works just fine.

The blocking is done at the modem box, and anyone expecting incoming connection from the wider internet should obviously turn off "advanced security" on their box. I can understand the motivation for the default -- when most people set up port forwarding, they probably only want incoming connections from friends or their own phone, not the entire internet.

I do not use comcast personally so this is only based on anecdotes I heard and the thread so far; please take it as a grain of salt. Hope it helps. I'm also happy to help you and your lightning node friend privately.

Danny

On Thu, Jun 15, 2023 at 6:43 AM Livingood, Jason via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx> wrote:

>As to the blog post you mention… Your statements are very generic: now you talk about "not blocking tor", but tor is not just one webpage, one server, a monolithic entity. I would appreciate details: If your customer has "advanced security" activated, can he connect to any ORPort of any tor middle relay?

Fair enough. That post was in any case from 2014 and the questions are different today (I just used it as an example that we’re not against Tor). Honestly, I’m a little surprised that someone running a Tor exit node would not be using their own cable modem and running their own router (whether open source a la Openwrt or commercial). If someone wants to do stuff like run a Tor exit node or run a MASQUE relay or whatever, I’d recommend they turn off Advanced Security and manage their routing & firewall rules themselves.

>Sorry if I am a bit repetitive, but https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security mentions "Blocks remote access to smart devices from known dangerous sources.". What do you mean by dangerous sources, and does it include tor relays or exits?

It may be down to the fact that “unknown” users connect to the relay/exit and that the average consumer user of the Advanced Security service does not want that. I suspect if someone wants this, it’s best to toggle Advanced Security off.

> I don't know whether this customer has "Advanced security" turned on, I just assume he has. Do you want me to send you privately more details (my IP and this peer's IP)?

Sure – I am happy to look at that confidentially. But it could be a wide range of other things – even basic things like someone’s router timing out external connections after X minutes, etc.

> So you remind me of an old joke: who should I believe, you, or my eyes? Sorry, I choose my eyes. I am talking here about direction from my node to Comcast. It is still possible that you don't block connections from Comcast to relays, I have contradictory evidence about this point. So if your "not blocking tor" means "not preventing our customer from connecting to some tor relays", this could be true.

Alternatively, given the large size of our network, if we were in fact blocking this, then I’d expect to see this list filled with complaints and social media sites (Twitter, Reddit, etc.) filled with complaints. But what I see now is a single report. That said, I routinely look at such reports when they seem at odds with our network policies so as to be certain there’s not some misconfiguration or bug someplace.

Jason

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays