On Sat, Jul 30, 2005 at 09:33:15AM +0200, SK wrote:

> Is it possible to have a base exit policy of "reject *.*" (middle
> man) but at the same time allow specific IP addresses to use my
> server as exit or entry points?

If you mean by entry point, the first hop (OR) in the Tor network, after the Tor Proxy (OP) running on the client's machine, then "reject *:*" will not prevent them from doing so.

Letting other people use your machine as an OP is risky because the Socks traffic is unencrypted, so anyone watching this link could see what is being requested. If you still want to do this, you could open your SocksPort and then use firewall rules to restrict which IP addresses can use it.

A better option is to keep SocksPort listening on localhost and let people SSH in and set up an encrypted tunnel. This lets you do password authentication as well as IP address restriction, and provides a bit more security through encryption.

Letting some people use your node as an exit node is tricky because Tor is designed to prevent the exit node from knowing which IP address made the request. What you could do is set up a password-protected proxy (e.g. Socks or HTTP) on the node and set your exit policy to allow access to it. A similar option would be to allow SSH access to localhost, and let people set up tunnels (provided they know the password).

Hope this helps,
Steven Murdoch.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/
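The relay-side configuration the reply recommends, written out as an added example (not from the original message): a middleman exit policy with SocksPort bound to localhost only, beside the weaker all-interfaces setting it replaces. The port numbers are the usual defaults and the syntax is current torrc syntax; both are assumptions, not taken from the thread.

```conf
# torrc for a middleman relay that also offers a SOCKS proxy to trusted users

ORPort 9001
Nickname ExampleMiddleman        # placeholder name

# Middleman: relay traffic for the network, but exit for nobody.
ExitPolicy reject *:*

# Weak setting: SocksPort reachable from any interface. Anyone who can
# reach the port sees unencrypted SOCKS requests on the wire and can use
# the relay as their OP. Only firewall rules would limit who connects.
# SocksPort 0.0.0.0:9050

# Recommended: listen on localhost only. Trusted users reach it through
# an SSH tunnel, so the SOCKS leg is encrypted and gated by SSH login.
SocksPort 127.0.0.1:9050
```

A trusted user then opens the tunnel with `ssh -L 9050:127.0.0.1:9050 user@relay` and points their application at SOCKS proxy 127.0.0.1:9050 on their own machine.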