On Wed, 11 Aug 2010 03:05:24 -0700 Mike Perry <mikeperry@xxxxxxxxxx> wrote:

> It's become clear that it is almost impossible to run an exit node
> with the default exit policy in the USA, due to bittorrent DMCA abuse
> spambots. I believe this means that we should try to come up with one
> or more standard, reduced exit policy sets that allow use of the
> majority of popular internet services without attracting bittorrent
> users and associated spam.
>
> Using previous threads, I have an initial sketch of such a policy at:
> https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
>
> It includes the following ports: 20-22, 53, 79-81, 110, 143, 443, 465,
> 563, 587, 706, 873, 993, 995, 1863, 5190, 5050, 5222, 5223, 8008,
> 8080, 8888.
>
> While looking over the Vidalia settings, I just noticed that IRC is
> missing from this list: 6666, 6667, 6697.
>
> However, IRC is also a common source of abuse and DDoS attacks, and is
> often forbidden by ISP AUP. Because of this, I was thinking we should
> probably define 3 or 4 levels of Exit Policy:
>
> 1. Low Abuse (above list, possibly minus 465, 587 and 563)
> 2. Medium Abuse (above list, plus IRC)
> 3. High Abuse (default exit policy)
>
> Now the question is, what other ports should we add or subtract from
> this list?

I just looked through the IANA-registration-based services file from iana-etc 2.30 (<http://sethwklein.net/iana-etc/>, as installed to /etc/services on Arch Linux).
Here are my recommendations:

Add:

* 70 (Gopher)
* 504 (Citadel (a BBS; see <http://citadel.org/>))
* 553 (PIRP (see <http://cr.yp.to/proto/pirp.txt>))
* 564 (9P (related to Plan 9; documented at multiple sites))
* 1649 (IANA-registered Kermit port)
* 2401 (CVS pserver)
* 2628 (DICT (see <http://www.dict.org/> and/or IETF RFC 2229))
* 3690 (Subversion)
* 4155 (bzr version control system)
* 4349 (fsportmap (related to Plan 9))
* 4691 (Monotone version control system)
* 5999 (CVSup)
* 6121 (SPDY)
* 9418 (Git)
* 11371 (HKP ("OpenPGP HTTP Keyserver"))

Gopher and Kermit are still in use; Citadel is in use, and the protocol used on port 504 appears to support TLS. PIRP may or may not be in use, but I do not expect abuse complaints related to it. 9P is useful over the Internet, and the Plan 9 ports are unlikely to be exposed to the Internet (or accessed!) unintentionally or by technically clueless users for the foreseeable future, so they should not result in abuse complaints. CVSup can be used to upgrade FreeBSD to a -CURRENT system. The rest of the ports listed above need no further explanation.
Other ports to consider:

* 194 (IANA-registered IRC port)
* 994 (IANA-registered IRC-SSL port)
* 1080 (IANA-registered SOCKS port)
* 1789 (in IANA services file, registered to DJB; described only as "hello"; possibly useful for testing connectivity to a soon-to-be-public server)
* 5191..5193 (other AOL ports; 5190 is already listed)
* 5556 (FreeCiv (turn-based game))
* 5688 (GGZ Gaming Zone (probably low-data-rate, although the protocol is probably not useful over Tor and should be checked for unwanted information disclosure))
* 6665 (in IANA services file; described only as "IRCU")
* 6666..6673 (not listed in IANA services file, but used unofficially by the Inferno VM; overlaps with customary IRC ports; no ports in this range are listed as used by file-sharing programs)
* 8074 (Gadu-Gadu)
* 8990..8991 (in IANA services file; described as "webmail HTTP(S) service")

I don't expect these ports to cause much trouble for the Tor exit node (except possibly the IRC ports). Port 1080 can be used to reach BitTorrent or other rude services, but that's a little trickier for the client to set up than Tor alone, and it is less likely to result in DMCA complaints sent to the Tor exit operator (although the SOCKS server operator may complain).

Robert Ransom
Attachment:
signature.asc
Description: PGP signature
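The tiered policies discussed in this thread map directly onto torrc `ExitPolicy` lines, which Tor evaluates in order with first-match semantics and an implicit trailing `reject *:*`. The following is an added example, not code from the thread or from the Tor Project: it builds the "low abuse" and "medium abuse" policies from the port list Mike Perry quoted (taken as-is, without the optional removal of 465, 587 and 563) and checks which destination ports a relay running each policy would exit to. The helper names and the sample ports tested are my own.

```python
# Added example (not from the mailing-list thread): generating tiered Tor
# ExitPolicy lines from the port lists under discussion and evaluating them
# with Tor's first-match semantics. Helper names are mine, not Tor's API.
from __future__ import annotations

# Mike Perry's initial "low abuse" list, exactly as quoted in the thread.
LOW_ABUSE_PORTS = [
    "20-22", "53", "79-81", "110", "143", "443", "465", "563", "587",
    "706", "873", "993", "995", "1863", "5190", "5050", "5222", "5223",
    "8008", "8080", "8888",
]
# The IRC ports he noted as missing; the "medium abuse" tier adds these.
IRC_PORTS = ["6666", "6667", "6697"]


def build_exit_policy(port_specs: list[str]) -> list[str]:
    """Return torrc ExitPolicy lines: one 'accept' per port spec (single
    port or low-high range), followed by an explicit catch-all reject."""
    lines = [f"ExitPolicy accept *:{spec}" for spec in port_specs]
    lines.append("ExitPolicy reject *:*")
    return lines


def _port_matches(spec: str, port: int) -> bool:
    """Match a port specifier ('*', '443' or '20-22') against a port."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def exit_allowed(policy: list[str], port: int) -> bool:
    """Walk the policy top to bottom; the first rule whose port spec
    matches decides. Every generated rule uses the '*' address wildcard,
    so only the port part is examined here. Falling off the end rejects,
    mirroring Tor's implicit trailing 'reject *:*'."""
    for line in policy:
        _keyword, action, target = line.split()
        _addr, port_spec = target.rsplit(":", 1)
        if _port_matches(port_spec, port):
            return action == "accept"
    return False


LOW_POLICY = build_exit_policy(LOW_ABUSE_PORTS)
MEDIUM_POLICY = build_exit_policy(LOW_ABUSE_PORTS + IRC_PORTS)

if __name__ == "__main__":
    print("\n".join(MEDIUM_POLICY))
    # Constructed sample destination ports: HTTPS, IRC, SMTP.
    for port in (443, 6667, 25):
        print(port, "low:", exit_allowed(LOW_POLICY, port),
              "medium:", exit_allowed(MEDIUM_POLICY, port))
```

Pasting the printed lines into a torrc gives the relay the corresponding tier; the explicit final `reject *:*` is redundant with Tor's default but makes the intent visible to whoever audits the file later.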