[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Restricted Exit Policy Port Suggestions?

On Wed, 11 Aug 2010 03:05:24 -0700
Mike Perry <mikeperry@xxxxxxxxxx> wrote:

> It's become clear that it is almost impossible to run an exit node
> with the default exit policy in the USA, due to bittorrent DMCA abuse
> spambots. I believe this means that we should try to come up with one
> or more standard, reduced exit policy sets that allow use of the
> majority of popular internet services without attracting bittorrent
> users and associated spam.
> Using previous threads, I have an initial sketch of such a policy at:
> https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
> It includes the following ports: 20-22, 53, 79-81, 110, 143, 443, 465,
> 563, 587, 706, 873, 993, 995, 1863, 5190, 5050, 5222, 5223, 8008,
> 8080, 8888.
> While looking over the Vidalia settings, I just noticed that IRC is
> missing from this list: 6666, 6667, 6697. 
> However, IRC is also a common source of abuse and DDoS attacks, and is
> often forbidden by ISP AUP. Because of this, I was thinking we should
> probably define 3 or 4 levels of Exit Policy:
> 1. Low Abuse (above list, possibly minus 465, 587 and 563)
> 2. Medium Abuse (above list, plus IRC)
> 3. High Abuse (default exit policy)
> Now the question is, what other ports should we add or subtract from
> this list?

I just looked through the IANA-registration-based services file from
iana-etc 2.30 (<http://sethwklein.net/iana-etc/> as installed
to /etc/services on Arch Linux).  Here are my recommendations:


* 70 (Gopher)
* 504 (Citadel (a BBS; see <http://citadel.org/>))
* 553 (PIRP (see <http://cr.yp.to/proto/pirp.txt>)
* 564 (9P (related to Plan 9; documented at multiple sites))
* 1649 (IANA-registered Kermit port)
* 2401 (CVS pserver)
* 2628 (DICT (see <http://www.dict.org/> and/or IETF RFC 2229))
* 3690 (Subversion)
* 4155 (bzr version control system)
* 4349 (fsportmap (related to Plan 9))
* 4691 (Monotone version control system)
* 5999 (CVSup)
* 6121 (SPDY)
* 9418 (Git)
* 11371 (HKP (âOpenPGP HTTP Keyserverâ))

Gopher and Kermit are still in use; Citadel is in use, and the protocol
used on port 504 appears to support TLS.  PIRP may or may not be in
use, but I do not expect abuse complaints related to it.  9P is useful
over the Internet, and the Plan 9 ports are unlikely to be exposed to
the Internet (or accessed!) unintentionally or by technically clueless
users for the foreseeable future, so they should not result in abuse
complaints.  CVSup can be used to upgrade FreeBSD to a -CURRENT
system.  The rest of the ports listed above need no further explanation.

Other ports to consider:

* 194 (IANA-registered IRC port)
* 994 (IANA-registered IRC-SSL port)
* 1080 (IANA-registered SOCKS port)
* 1789 (in IANA services file, registered to DJB; described only as
  âhelloâ; possibly useful for testing connectivity to a
  soon-to-be-public server)
* 5191..5193 (other AOL ports; 5190 is already listed)
* 5556 (FreeCiv (turn-based game))
* 5688 (GGZ Gaming Zone (probably low-data-rate, although the protocol
  is probably not useful over Tor and should be checked for unwanted
  information disclosure))
* 6665 (in IANA services file; described only as âIRCUâ)
* 6666..6673 (not listed in IANA services file, but used unofficially
  by the Inferno VM; overlaps with customary IRC ports; no ports in
  this range are listed as used by file-sharing programs)
* 8074 (Gadu-Gadu)
* 8990..8991 (in IANA services file; described as âwebmail HTTP(S)

I don't expect these ports to cause much trouble for the Tor exit node
(except possibly the IRC ports).  Port 1080 can be used to reach
BitTorrent or other rude services, but that's a little trickier for the
client to set up than Tor alone, and it is less likely to result in
DMCA complaints sent to the Tor exit operator (although the SOCKS
server operator may complain).

Robert Ransom

Attachment: signature.asc
Description: PGP signature