[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: ExitPolicy: ports 1024-65535 needed?

Alright, I've got some questions. I've been reading, and I may not have all this down right, but I'll dive in.

From my understanding, conencting tor clients get to pick their routes through the network. Suppose they were to pick an exit node whose exit policy doesn't support the port they want to connect to. Do they hear about it? How easy would it be for them to pick another exit node? A nice feature would be for users to be able to choose their level of exposure (web only, BT and smtp if they feel ok handling complaints, etc). What implications would this have on the anonymity and security of the network if this were the case?

I would imagine that even users with completely blocked exit policies (middleman nodes?) would be helpful contributors.

Nato Welch

Roger Dingledine wrote:
On Fri, Dec 17, 2004 at 10:46:13PM -0600, Keith Ray wrote:

After recently setting up a Tor router, I was wondering about the necessity
of allowing all high range ports.  Is this necessary for return packets to
be allowed back through the network?  Example:

 client:1024 -> server:80
 server:80   -> client:1024

If all I have is:
ExitPolicy accept *:80, reject *:*

Will this block the first packet, the second packet, both, or neither?

Exit policies work at the TCP level. They let your server decide which
addresses and ports for outgoing connections will be allowed.

So if you accept *:80 and reject the rest, then outgoing connections
to anywhere on port 80 will be permitted, and outgoing connections on
other ports will be denied.

Exit policies don't think on a per-packet level. They think on a per
TCP stream level. Indeed, Tor also works on a per TCP stream level. We
don't transport packets, we transport streams.

Does that make more sense? You could switch to the exit policy you
indicated if you want, and it would work fine; but of course, we prefer
to have more nodes that allow more flexible exiting.