
Re: ExitPolicy: ports 1024-65535 needed?



Alright, I've got some questions. I've been reading, and I may not have all this down right, but I'll dive in.

From my understanding, connecting tor clients get to pick their routes through the network. Suppose they were to pick an exit node whose exit policy doesn't support the port they want to connect to. Do they hear about it? How easy would it be for them to pick another exit node? A nice feature would be for users to be able to choose their level of exposure (web only, BT and smtp if they feel ok handling complaints, etc). What implications would this have on the anonymity and security of the network if this were the case?

I would imagine that even users with completely blocked exit policies (middleman nodes?) would be helpful contributors.

--
Nato Welch
nate@xxxxxxxxx



Roger Dingledine wrote:
On Fri, Dec 17, 2004 at 10:46:13PM -0600, Keith Ray wrote:

After recently setting up a Tor router, I was wondering about the necessity
of allowing all high range ports.  Is this necessary for return packets to
be allowed back through the network?  Example:

 client:1024 -> server:80
 server:80   -> client:1024

If all I have is:
ExitPolicy accept *:80, reject *:*

Will this block the first packet, the second packet, both, or neither?

Exit policies work at the TCP level. They let your server decide which
addresses and ports for outgoing connections will be allowed.

So if you accept *:80 and reject the rest, then outgoing connections
to anywhere on port 80 will be permitted, and outgoing connections on
other ports will be denied.

Exit policies don't think on a per-packet level. They think on a per
TCP stream level. Indeed, Tor also works on a per TCP stream level. We
don't transport packets, we transport streams.

Does that make more sense? You could switch to the exit policy you
indicated if you want, and it would work fine; but of course, we prefer
to have more nodes that allow more flexible exiting.

--Roger
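The point Roger makes (an exit policy is consulted once per outgoing TCP stream, against the stream's destination address and port, and the reply direction is never evaluated separately) can be made concrete with a small evaluator. The following is an added example, not code from the thread or from the Tor project; it models Tor's `accept|reject ADDR[/MASK]:PORT` syntax with first-match-wins semantics, handles IPv4 addresses only, ignores Tor's `private` keyword, and (as an assumption for the example) treats a destination that matches no rule as rejected, whereas real Tor appends its own default policy after the operator's rules.

```python
"""Added example (not from the thread or from Tor): a toy evaluator for
Tor-style ExitPolicy lines.

A policy is an ordered, comma-separated list of rules such as
'accept *:80, reject *:*'.  Each rule is checked against the
*destination* of an outgoing TCP stream; the first rule that matches
decides.  Nothing here looks at the client's source port (Keith's
'client:1024'), because the policy is applied to the stream, not to
individual packets, and the server's replies ride the same stream.

Assumptions (this example's, not Tor's): IPv4 only, no 'private'
keyword, and "no rule matched" is treated as reject.
"""
import ipaddress
from typing import List, Optional, Tuple

# (action, network or None for '*', low port, high port)
Rule = Tuple[str, Optional[ipaddress.IPv4Network], int, int]


def parse_port(spec: str) -> Tuple[int, int]:
    """'*' -> all ports, 'lo-hi' -> a range, 'n' -> a single port."""
    if spec == "*":
        return 1, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    port = int(spec)
    return port, port


def parse_policy(policy: str) -> List[Rule]:
    """Parse 'accept *:80, reject *:*' into an ordered rule list."""
    rules: List[Rule] = []
    for item in policy.split(","):
        item = item.strip()
        if not item:
            continue
        action, target = item.split(None, 1)
        action = action.lower()
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action {action!r}")
        addr, port = target.rsplit(":", 1)
        # '*' matches any address; otherwise an IPv4 address or CIDR block.
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        lo, hi = parse_port(port)
        rules.append((action, net, lo, hi))
    return rules


def exit_allowed(rules: List[Rule], dest_ip: str, dest_port: int) -> bool:
    """Return True if the first matching rule is 'accept'.

    The destination is the only input: a stream to server:80 is judged
    on (server, 80) regardless of which port the client used, and the
    reply direction is not a separate stream, so it is never checked.
    """
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in rules:
        if net is not None and ip not in net:
            continue
        if not lo <= dest_port <= hi:
            continue
        return action == "accept"
    return False  # example's assumption: unmatched destinations are rejected


def check_stream(policy: str, dest_ip: str, dest_port: int) -> bool:
    """Convenience wrapper: parse a policy string and evaluate one stream."""
    return exit_allowed(parse_policy(policy), dest_ip, dest_port)


if __name__ == "__main__":
    # Keith's policy from the thread, evaluated for a few constructed streams.
    policy = "accept *:80, reject *:*"
    for port in (80, 443, 1024):
        verdict = "accept" if check_stream(policy, "203.0.113.10", port) else "reject"
        print(f"{policy!r}: stream to 203.0.113.10:{port} -> {verdict}")
```

The `1024` case is the one Keith asked about: it is rejected as a *destination* port, but that has no bearing on a stream to port 80 whose client happened to bind source port 1024, because the source port is never part of the match.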