
Re: Policy question

Thanks Steven. Maybe some details of what I want set up could help
clarify the issue. I have an OR running as middle man (forced to do
that due to complaints from Google groups, IRC ops etc. and strict
warning from Univ).

However I want my other machines (laptops, home PCs etc.) to
use this OR of mine as an exit or entry node for paranoid safety.

I was hoping to do that using
    entrynodes myOR
    exitnodes myOR
and then use the StrictExitNodes or StrictEntryNodes option at the OP.

As you rightly pointed out ORs acting as exit nodes can't know the IP
address of the OP, but the entry node OR should be able to know the IP
address of the OP. So can I in some way config my OR to act as entry
point for my list of OPs (identified by IP addresses), but as
middleman for all the other cases?


On 7/30/05, Steven J. Murdoch <tortalk+Steven.Murdoch@xxxxxxxxxxxx> wrote:
> On Sat, Jul 30, 2005 at 09:33:15AM +0200, SK wrote:
> > Is it possible to have a base exit policy of "reject *.*" (middle
> > man) but at the same time allow specific IP addresses to use my
> > server as exit or entry points?
> If you mean by entry point, the first hop (OR) in the Tor network, after
> the Tor Proxy (OP) running on the client's machine, then "reject *:*"
> will not prevent them from doing so.
> Letting other people use your machine as an OP is risky because the
> Socks traffic is unencrypted so anyone watching this link could see
> what is being requested. If you still want to do this, you could open
> your SocksPort and then use firewall rules to restrict which IP
> addresses can use it. A better option is to keep SocksPort listening
> on localhost and let people SSH in and set up an encrypted tunnel.
> This lets you do password authentication as well as IP address, and
> provides a bit more security through encryption.
> Letting some people use your node as an exit node is tricky because
> Tor is designed to prevent the exit node from knowing which IP address
> made the request. What you could do is set up a password-protected
> proxy (e.g. Socks or HTTP) on the node and set your exit policy to
> allow access to it. A similar option would be to allow SSH access to
> localhost, and let people set up tunnels (provided they know the
> password).
> Hope this helps,
> Steven Murdoch.
> --
> w: http://www.cl.cam.ac.uk/users/sjm217/
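
As an added illustration (not part of either message above), here is how the
two setups discussed in this thread fit together in torrc terms: the OR keeps
its middleman exit policy and is only pinned as the first hop by the OPs, and
the SSH tunnel Steven suggests replaces exposing SocksPort to the network. The
nickname "myOR", the hostname, the user name and the port numbers are
placeholders, not values from the thread.

```text
### torrc on the OR (the middleman node; "myOR" is an assumed nickname)
Nickname myOR
ORPort 9001
# Stays a middleman for everyone. As Steven notes, "reject *:*" only stops
# this node from being an exit; it does not stop OPs choosing it as entry.
ExitPolicy reject *:*
# Left at the default, so SocksPort listens on 127.0.0.1 only and is not
# reachable from the network. Remote OPs reach it through SSH (below).
SocksPort 9050

### torrc on each OP (laptop, home PC, ...)
# Always use myOR as the first hop; StrictEntryNodes makes Tor fail rather
# than fall back to a different entry node.
EntryNodes myOR
StrictEntryNodes 1
# Do NOT combine this with "ExitNodes myOR" / "StrictExitNodes 1": with the
# exit policy above the OR can never be an exit, so every circuit would fail.

### From an OP host: Steven's alternative to opening SocksPort
# Forward local port 9050 to the OR's localhost-only SocksPort over SSH
# (placeholders: user, myor.example.edu), then point applications at
# localhost:9050. Authentication is by SSH password or key, not by IP.
ssh -N -L 9050:127.0.0.1:9050 user@myor.example.edu
```

The split is deliberate: nothing in the OR's configuration changes for the
"trusted OPs" case, because entry selection is decided entirely by the OP's
own EntryNodes setting, while the exit-side question from the thread is not
solvable by IP address at all, since the exit never sees the OP.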