Just got back home, sitting here looking at these emails about this, and I thought I should say that I've run a server for a little while on a machine with PeerGuardian. At the time I was using Tor intermittently for browsing and found myself getting 'could not contact server' way more often than I ever did from just the bugs in the Tor network... and I think you are right, it would cause some serious problems... 'cos right there sitting at the machine I was getting network timeouts; I imagine if anyone had been trying to exit from my node they would have been very frustrated. But on the other hand, I'd only permitted IRC and SILC traffic to exit, so it probably didn't cause a big problem... but for some reason EV1's entire IP range is blocked by the 'spyware/spam' blocking system in PeerGuardian, and I believe there are a number of IRC nodes on EV1 (Everyone's Internet, as it's known).

There's probably not much that can be done to stop people doing it, I guess, but perhaps it should be mentioned prominently somewhere in the Tor setup docs: a mention of the problems that IP blacklists on a server machine, or at the edge of the intranet it's on, can cause. I wouldn't be surprised if more than a few Tor nodes are on IPs in a blacklisted range too, which would cause problems with setting up circuits too.

Joseph Lorenzo Hall wrote:
> On 2/19/06, Roger Dingledine <arma@xxxxxxx> wrote:
>> On Sun, Feb 19, 2006 at 04:28:33PM -0500, Michael Holstein wrote:
>>> I actually block access to groups.google.com and groups.l.google.com by
>>> putting them as 127.0.0.2 in /etc/hosts -- but I noticed that TOR is
>>> smart enough to notice that the address will resolve to an IP prohibited
>>> by the exitpolicy, and not even try.
>> Right now you're degrading service for other Tor users that try to go to
>> groups.google.com, because you trick them into thinking that it resolves
>> to something else. Also (and you'll perhaps be more motivated by this), if
>> the user resolves the address into an IP first, you're not blocking that.
>>
>> The better answer is to change your exit policy to reflect the addresses
>> and ports that aren't reachable from your server. Then clients will
>> learn it from your descriptor and not even try to exit from you.
>
> This can be done by essentially listing the IP addresses for
> groups.google.com in the torrc exit policy section, right? Would
> using dig on groups.google.com be sufficient to block the IP addresses
> associated with that domain name? I guess what I'm wondering is this:
> is there a way to learn all the IP addresses associated with a domain
> name using a tool like dig? Or is it sufficiently more complicated
> than that?
>
> --
> Joseph Lorenzo Hall
> <http://josephhall.org/>
Attachment:
signature.asc
Description: OpenPGP digital signature
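The two approaches debated in the quoted exchange (pinning a name to 127.0.0.2 in the exit's /etc/hosts versus publishing the unreachable addresses in the ExitPolicy) can be compared in code. The following is an added example written for this page, not code from the thread or from Tor itself. It generates torrc reject lines from a set of resolved addresses and evaluates a policy the way Tor does, first matching rule wins. The RESOLVED table stands in for what `dig +short` would have returned and is constructed, not real DNS data; the trailing `reject *:*` is a simplification of Tor's longer default policy, and the parser handles one entry per line only (real torrc also accepts comma-separated entries and the `private` keyword).

```python
"""Added example: torrc ExitPolicy lines from resolved addresses, plus a
first-match evaluator showing why the /etc/hosts trick misses IP literals.
Not part of the original thread; RESOLVED is constructed sample data."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for `dig +short` output (assumption, not real records).
RESOLVED: Dict[str, List[str]] = {
    "groups.google.com": ["72.14.207.99", "64.233.187.99", "64.233.167.99"],
    "www.example.net": ["192.0.2.10"],
}
# The /etc/hosts trick from the thread: the exit's own resolver is lied to.
HOSTS_OVERRIDE: Dict[str, str] = {"groups.google.com": "127.0.0.2"}

ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")
Rule = Tuple[str, ipaddress.IPv4Network, int, int]  # action, network, lo, hi


def parse_rule(line: str) -> Rule:
    """Parse one 'ExitPolicy accept|reject ADDR[/MASK]:PORTSPEC' entry."""
    tokens = line.split()
    if tokens and tokens[0].lower() == "exitpolicy":
        tokens = tokens[1:]
    if len(tokens) != 2 or tokens[0].lower() not in ("accept", "reject"):
        raise ValueError(f"unparseable ExitPolicy entry: {line!r}")
    action, spec = tokens[0].lower(), tokens[1]
    host, ports = spec.rsplit(":", 1)
    net = ANY_NET if host == "*" else ipaddress.IPv4Network(host, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return action, net, lo, hi


def parse_policy(lines: List[str]) -> List[Rule]:
    """Ordered policy; a trailing 'reject *:*' makes every lookup decisive."""
    return [parse_rule(l) for l in lines] + [("reject", ANY_NET, 1, 65535)]


def exit_allowed(policy: List[Rule], ip: str, port: int) -> bool:
    """Evaluate like Tor: scan in order, the first matching rule decides."""
    addr = ipaddress.IPv4Address(ip)
    for action, net, lo, hi in policy:
        if addr in net and lo <= port <= hi:
            return action == "accept"
    return False  # not reached: parse_policy appends reject *:*


def reject_lines_for_host(hostname: str,
                          resolved: Dict[str, List[str]] = RESOLVED) -> List[str]:
    """torrc lines rejecting every address the name currently resolves to."""
    addrs = sorted(resolved[hostname], key=ipaddress.IPv4Address)
    return [f"ExitPolicy reject {ip}:*" for ip in addrs]


def real_resolver(name: str) -> str:
    """Resolver on an exit with an untouched hosts file."""
    return RESOLVED[name][0]


def hosts_override_resolver(name: str) -> str:
    """Resolver on an exit whose /etc/hosts pins the name to 127.0.0.2."""
    return HOSTS_OVERRIDE.get(name) or real_resolver(name)


def connect_permitted(policy: List[Rule], target: str, port: int,
                      resolver: Callable[[str], str]) -> bool:
    """A client may hand the exit a hostname (the exit resolves it) or an IP
    literal (already resolved, so the exit's hosts file never matters)."""
    try:
        ip = str(ipaddress.IPv4Address(target))
    except ipaddress.AddressValueError:
        ip = resolver(target)
    return exit_allowed(policy, ip, port)


if __name__ == "__main__":
    # Exit relying on the hosts-file trick under an ordinary web exit policy.
    hosts_policy = parse_policy(["reject 127.0.0.0/8:*", "accept *:80", "accept *:443"])
    print(connect_permitted(hosts_policy, "groups.google.com", 80, hosts_override_resolver))
    print(connect_permitted(hosts_policy, "64.233.167.99", 80, hosts_override_resolver))
    # Exit that instead publishes the addresses in its descriptor.
    generated = reject_lines_for_host("groups.google.com")
    print("\n".join(generated))
    ip_policy = parse_policy(["reject 127.0.0.0/8:*"] + generated
                             + ["accept *:80", "accept *:443"])
    print(connect_permitted(ip_policy, "64.233.167.99", 80, real_resolver))
```

The hosts-file exit refuses `groups.google.com` but happily carries a connection to `64.233.167.99:80`, which is exactly Roger's second objection; the exit-policy version rejects both, and because the policy travels in the descriptor, clients stop choosing that exit for those addresses at all. On Joseph's question: `dig` only shows the answers the exit was handed at that moment, so a name served round-robin or by region can later resolve to addresses not on the list; the generated lines need refreshing, or the policy should cover the provider's whole netblock where that is acceptable.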