
Re: Policy question

On Sat, Jul 30, 2005 at 09:33:15AM +0200, SK wrote:
> Is it possible to have a base exit policy of "reject *.*" (middle
> man) but at the same time allow specific IP addresses to use my
> server as exit or entry points?

If you mean by entry point, the first hop (OR) in the Tor network, after
the Tor Proxy (OP) running on the client's machine, then "reject *:*"
will not prevent them from doing so.

Letting other people use your machine as an OP is risky because the
Socks traffic is unencrypted so anyone watching this link could see
what is being requested. If you still want to do this, you could open
your SocksPort and then use firewall rules to restrict which IP
addresses can use it. A better option is to keep SocksPort listening
on localhost and let people SSH in and set up an encrypted tunnel.
This lets you do password authentication as well as IP address, and
provides a bit more security through encryption.

Letting some people use your node as an exit node is tricky because
Tor is designed to prevent the exit node from knowing which IP address
made the request. What you could do is set up a password-protected
proxy (e.g. Socks or HTTP) on the node and set your exit policy to
allow access to it. A similar option would be to allow SSH access to
localhost, and let people set up tunnels (provided they know the

Hope this helps,
Steven Murdoch.

w: http://www.cl.cam.ac.uk/users/sjm217/
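As an added example (not from the mail, and not Tor's own code), a small Python check over constructed torrc fragments for the two set-ups contrasted above: it parses the SocksPort lines and reports any listener bound off loopback, which is the plaintext-SOCKS exposure the reply warns about, while the safer fragment keeps SocksPort on localhost and notes the SSH tunnel as the encrypted way in. The host names, ports and the `user@relay` tunnel target are assumptions.

```python
import ipaddress

# Constructed torrc fragments (not from the mail) for the two set-ups the reply contrasts.
RISKY_TORRC = """\
# SOCKS is plaintext: anyone watching this link can see what is requested
SocksPort 0.0.0.0:9050
ORPort 9001
# middleman policy; it says nothing about who may reach SocksPort
ExitPolicy reject *:*
"""
SAFER_TORRC = """\
# loopback only; remote users tunnel in with: ssh -L 9050:127.0.0.1:9050 user@relay
SocksPort 127.0.0.1:9050
ORPort 9001
ExitPolicy reject *:*
"""

def parse_torrc(text):
    """Return (key, value) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            entries.append((key, value.strip()))
    return entries

def socks_bind_hosts(entries):
    """Host each SocksPort listens on: a bare port means 127.0.0.1; 0 and unix: sockets are skipped."""
    hosts = []
    for key, value in entries:
        parts = value.split()            # flags such as IsolateDestAddr follow the address
        if key.lower() != "socksport" or not parts or parts[0] == "0" or parts[0].startswith("unix:"):
            continue
        host, sep, _port = parts[0].rpartition(":")
        hosts.append(host.strip("[]") if sep else "127.0.0.1")
    return hosts

def audit(text):
    """Findings for a torrc: each SocksPort that is reachable from off-host."""
    findings = []
    for host in socks_bind_hosts(parse_torrc(text)):
        try:
            off_host = not ipaddress.ip_address(host).is_loopback
        except ValueError:
            off_host = True              # hostname or odd value: treat as exposed
        if off_host:
            findings.append(f"SocksPort on {host}: plaintext SOCKS reachable from the network")
    return findings
```

The same `ExitPolicy reject *:*` appears in both fragments; only the SocksPort binding changes the result, which is the point of the reply.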
