# reject private networks (no surprises!) My understanding is that you # might want to eliminate the 127.0.0.0/8 line if your kernel # short-circuits connections to local services and if you want those # services to be available to Tor users who happen to choose your Tor # node as an exit... someone please correct me if this is wrong.
ExitPolicy reject 0.0.0.0/255.0.0.0:* ExitPolicy reject 127.0.0.0/255.0.0.0:* ExitPolicy reject 10.0.0.0/255.0.0.0:* ExitPolicy reject 172.16.0.0/255.240.0.0:* ExitPolicy reject 192.168.0.0/255.255.0.0:* ExitPolicy reject 169.254.0.0/255.255.0.0:*
# reject ports officially used for protocols that were never meant to be # anonymous (e.g. email, usenet) because of the spam risk, thus reducing # our worry that the world would associate Tor with pro-spam advocacy.
ExitPolicy reject *:25 ExitPolicy reject *:119
Speaking of usenet, several people on this list (including me) have had problems with their server being blacklisted because someone used tor to abuse usenet via google. It might be nice for new tor operators if that was blocked by default.
Also, is the list of private networks above exhaustive? I took my list of networks to block from my firewall list (from firehol.sourceforge.net):
# IANA Reserved IPv4 address space # Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx> # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@xxxxxxxxxxxxxxxxxxx> # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/ # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path. RESERVED_IPS="0.0.0.0/7 188.8.131.52/8 184.108.40.206/8 220.127.116.11/8 18.104.22.168/8 22.214.171.124/8 31.0 .0.0/8 126.96.36.199/7 188.8.131.52/8 184.108.40.206/8 220.127.116.11/8 18.104.22.168/8 22.214.171.124/7 76.0.0. 0/6 126.96.36.199/8 188.8.131.52/7 184.108.40.206/6 220.127.116.11/3 18.104.22.168/8 22.214.171.124/7 176.0.0. 0/5 126.96.36.199/6 188.8.131.52/8 184.108.40.206/8 220.127.116.11/8 18.104.22.168/8 240.0.0.0/4"
# Private IPv4 address space # Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx> # Revised by me according to RFC 3330. Explanation: # 10.0.0.0/8 => RFC 1918: IANA Private Use # 169.254.0.0/16 => Link Local # 192.0.2.0/24 => Test Net # 22.214.171.124/24 => RFC 3068: 6to4 anycast & RFC 2544: Benchmarking addresses # 192.168.0.0/16 => RFC 1918: Private use PRIVATE_IPS="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 126.96.36.199/24 192.168.0.0/16"
Description: OpenPGP digital signature