[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor Beginner's Questions



Thanks for getting to this amongst everything else Roger.

On 05/01/2005, at 7:19 PM, Roger Dingledine arma-at-mit.edu |or-talk| wrote:

On Fri, Dec 31, 2004 at 05:08:43PM +1100, ffi2fdq02@xxxxxxxxxxxxxx wrote:
1)  "allow local connections to port 8118 and port 9050"

     Maybe I'm missing some subtlety in the word 'local' but does this
mean incoming, outgoing, neither or both should be allowed?  As far as
I know, I haven't allowed either port incoming or outgoing and yet tor
client seems to be working.

Local means "from 127.0.0.1 to 127.0.0.1" -- some firewalls seem to block
even these sorts of connections, and people who run them don't tend to
realize they're running them, so it's sort of hard to document for. Any
suggestions on how to fix the wording?

My suggestion FWIW is "if your firewall can limit your machine's ability to connect to itself then ensure that such connection is allowed on ports 8118 and 9050." I understand the catch-22 about "people who run them..." and I think it shall remain a catch-22 unless it is to become a multi-page document in itself. Whilst I don't run one of those firewalls I'm probably close to that class of people and I/we simply have to have the initiative to search and question until we understand. Otherwise we can simply wait until technology like tor matures to the point where anyone can use it without having a clue what they're doing:)


2)  "outgoing connections... <allow> ports 80, 443, and 9001-9033"

I've allowed outgoing connections on all (only) these ports. Why
does tor still regularly make attempts at other ports. I blocked them
all and the tor client still works. Is there any advantage to allowing
these too? Is there a definable range?

I've just added this answer as
http://wiki.noreply.org/wiki/TheOnionRouter/ TorFAQ#OutboundFirewallPorts

Nice. Completely answered thank you.

Currently the 'FirewallPorts' config option doesn't support ranges, just
numbers. Is this something we should fix?

It's not something I would like to see 'fixed' at this stage. There's simply a trade off here. I don't wish to spend much time on security but I value it. Therefore I block all ports except those I *know* are being used by services I desire. Consequently it suits me to block everything else. If my need for anonymity rose then I may trade that off against this easy but overkill approach to security.


Thanks,
--Roger

No. Thank you!:)