
Re: reconsidering default exit policy

Geoffrey Goodell wrote:
# reject private networks (no surprises!)  My understanding is that you
# might want to eliminate the line if your kernel
# short-circuits connections to local services and if you want those
# services to be available to Tor users who happen to choose your Tor
# node as an exit... someone please correct me if this is wrong.

ExitPolicy reject*
ExitPolicy reject*
ExitPolicy reject*
ExitPolicy reject*
ExitPolicy reject*
ExitPolicy reject*

# reject ports officially used for protocols that were never meant to be
# anonymous (e.g. email, usenet) because of the spam risk, thus reducing
# our worry that the world would associate Tor with pro-spam advocacy.

ExitPolicy reject *:25
ExitPolicy reject *:119

Speaking of Usenet, several people on this list (including me) have had problems with their server being blacklisted because someone used Tor to abuse Usenet via Google. It might be nice for new Tor operators if that was blocked by default.

Also, is the list of private networks above exhaustive?  I took my list
of networks to block from my firewall list (from firehol.sourceforge.net):

# IANA Reserved IPv4 address space
# Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx>
# Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@xxxxxxxxxxxxxxxxxxx>
# Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
# The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.

# Private IPv4 address space
# Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx>
# Revised by me according to RFC 3330. Explanation:
#       => RFC 1918: IANA Private Use
#   => Link Local
#     => Test Net
#   => RFC 3068: 6to4 anycast & RFC 2544: Benchmarking
#   => RFC 1918: Private use

regards, Valient
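The two questions in this thread (how a first-match exit policy decides, and whether a private-network list is exhaustive) can be checked mechanically. The following is an added example, not code from the original message or from Tor itself: a small evaluator for torrc-style ExitPolicy lines plus a coverage check against a list of reserved IPv4 ranges. The sample policy and the reserved-range list are constructed here from the RFCs named in the firehol comments above (RFC 1918, link-local, test-net, RFC 3068 6to4 anycast, RFC 2544 benchmarking); the archived message does not show which networks the original six reject lines contained, so nothing below claims to reproduce them. Tor's "accept when no rule matches" default is treated as an assumption and exposed as a parameter.

```python
# Added example: torrc-style ExitPolicy evaluation and a reserved-range
# coverage check. Not code from the original post or from Tor. IPv4 only.
import ipaddress

ALL_PORTS = (1, 65535)


def _parse_ports(spec):
    """'*' -> all ports, 'N' -> (N, N), 'A-B' -> (A, B)."""
    if spec == '*':
        return ALL_PORTS
    if '-' in spec:
        lo, hi = spec.split('-', 1)
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def parse_policy(text):
    """Parse 'ExitPolicy accept|reject ADDR[/MASK]:PORT' lines.

    Blank lines and '#' comments are skipped; several comma-separated rules
    on one ExitPolicy line are accepted too. Returns a list of
    (accept, network, low_port, high_port) tuples in file order.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != 'ExitPolicy':
            raise ValueError('not an ExitPolicy line: %r' % raw)
        for entry in parts[1].split(','):
            tokens = entry.split()
            if len(tokens) != 2 or tokens[0] not in ('accept', 'reject') \
                    or ':' not in tokens[1]:
                raise ValueError('bad rule: %r' % entry)
            addr, port = tokens[1].rsplit(':', 1)
            net = ipaddress.ip_network('0.0.0.0/0' if addr == '*' else addr,
                                       strict=False)
            lo, hi = _parse_ports(port)
            rules.append((tokens[0] == 'accept', net, lo, hi))
    return rules


def exit_allowed(rules, ip, port, default=True):
    """First matching rule wins; 'default' (assumed accept) applies otherwise."""
    addr = ipaddress.ip_address(ip)
    for accept, net, lo, hi in rules:
        if addr in net and lo <= port <= hi:
            return accept
    return default


def uncovered_reserved(rules, reserved):
    """Report reserved networks the policy does not reject on every port.

    Conservative check: the first rule whose address range touches the
    reserved network must be an all-ports reject that contains the whole
    network. Anything else (an overlapping accept, a port-limited reject
    such as '*:25', a reject covering only part of the range, or no rule
    at all) gets the network reported.
    """
    missing = []
    for name, cidr in reserved:
        net = ipaddress.ip_network(cidr)
        covered = False
        for accept, rule_net, lo, hi in rules:
            if not net.overlaps(rule_net):
                continue
            covered = (not accept and (lo, hi) == ALL_PORTS
                       and net.subnet_of(rule_net))
            break
        if not covered:
            missing.append((name, cidr))
    return missing


# Constructed sample policy in the style of the thread: private ranges
# first, then the two "never meant to be anonymous" ports.
SAMPLE_POLICY = """\
# reject private networks (no surprises!)
ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 172.16.0.0/12:*
ExitPolicy reject 192.168.0.0/16:*

# spam risk: mail and usenet
ExitPolicy reject *:25
ExitPolicy reject *:119
"""

# Constructed from the RFCs the firehol comments name; an assumption of what
# a "complete" private/reserved list for that era should contain.
RESERVED_V4 = [
    ('RFC 1918 private', '10.0.0.0/8'),
    ('RFC 1918 private', '172.16.0.0/12'),
    ('RFC 1918 private', '192.168.0.0/16'),
    ('loopback', '127.0.0.0/8'),
    ('"this" network', '0.0.0.0/8'),
    ('link local', '169.254.0.0/16'),
    ('test net', '192.0.2.0/24'),
    ('RFC 3068 6to4 anycast', '192.88.99.0/24'),
    ('RFC 2544 benchmarking', '198.18.0.0/15'),
]

if __name__ == '__main__':
    rules = parse_policy(SAMPLE_POLICY)
    for ip, port in (('192.168.1.10', 80), ('203.0.113.5', 25),
                     ('203.0.113.5', 443)):
        verdict = 'accept' if exit_allowed(rules, ip, port) else 'reject'
        print('%s:%d -> %s' % (ip, port, verdict))
    for name, cidr in uncovered_reserved(rules, RESERVED_V4):
        print('not rejected on all ports: %s (%s)' % (cidr, name))
```

Run as written, the coverage check reports the test-net, 6to4 anycast and benchmarking ranges as unrejected, which is the kind of gap the "is the list exhaustive?" question is about. Rule order matters for the check as much as for Tor: put the all-ports private rejects before the `*:25` and `*:119` lines, otherwise the port-limited wildcard reject is the first overlapping rule for every network. Later Tor releases added the `private` address alias and the ExitPolicyRejectPrivate option for exactly this purpose, so on a current relay the hand-maintained list is no longer needed for the private ranges.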
