[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: reconsidering default exit policy

To: or-talk@xxxxxxxxxxxxx
Subject: Re: reconsidering default exit policy
From: Valient Gough <vgough@xxxxxxxxx>
Date: Fri, 11 Mar 2005 11:02:44 +0100
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Fri, 11 Mar 2005 05:03:20 -0500
In-reply-to: <20050310225243.GA16598@eecs.harvard.edu>
References: <20050310225243.GA16598@eecs.harvard.edu>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (X11/20041207)

Geoffrey Goodell wrote:

# reject private networks (no surprises!)  My understanding is that you
# might want to eliminate the 127.0.0.0/8 line if your kernel
# short-circuits connections to local services and if you want those
# services to be available to Tor users who happen to choose your Tor
# node as an exit... someone please correct me if this is wrong.

ExitPolicy reject 0.0.0.0/255.0.0.0:*
ExitPolicy reject 127.0.0.0/255.0.0.0:*
ExitPolicy reject 10.0.0.0/255.0.0.0:*
ExitPolicy reject 172.16.0.0/255.240.0.0:*
ExitPolicy reject 192.168.0.0/255.255.0.0:*
ExitPolicy reject 169.254.0.0/255.255.0.0:*

# reject ports officially used for protocols that were never meant to be
# anonymous (e.g. email, usenet) because of the spam risk, thus reducing
# our worry that the world would associate Tor with pro-spam advocacy.

ExitPolicy reject *:25
ExitPolicy reject *:119


Speaking of usenet, several people on this list (including me) have had
problems with their server being blacklisted because someone used tor to
abuse usenet via google.  It might be nice for new tor operators if that
was blocked by default.

Also, is the list of private networks above exhaustive?  I took my list
of networks to block from my firewall list (from firehol.sourceforge.net):

# IANA Reserved IPv4 address space
# Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx>
# Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@xxxxxxxxxxxxxxxxxxx>
# Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
# The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8
27.0.0.0/8 31.0
.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7
76.0.0.
0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7
176.0.0.
0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"

# Private IPv4 address space
# Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx>
# Revised by me according to RFC 3330. Explanation:
# 10.0.0.0/8       => RFC 1918: IANA Private Use
# 169.254.0.0/16   => Link Local
# 192.0.2.0/24     => Test Net
# 192.88.99.0/24   => RFC 3068: 6to4 anycast & RFC 2544: Benchmarking
addresses
# 192.168.0.0/16   => RFC 1918: Private use
PRIVATE_IPS="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24
192.88.99.0/24
192.168.0.0/16"


regards,
Valient

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: reconsidering default exit policy
  - From: Janne Snabb
- Re: reconsidering default exit policy
  - From: Lionel Elie Mamane

References:
- reconsidering default exit policy
  - From: Geoffrey Goodell

Prev by Author: Re: Announce: ELE 0.0.1
Next by Author: Re: reconsidering default exit policy
Previous by thread: Re: reconsidering default exit policy
Next by thread: Re: reconsidering default exit policy
Index(es):
- Author
- Thread