
Re: [tor-talk] Making TOR exit-node IP address configurable

On 3/10/11 2:04 AM, Robert Ransom wrote:
> On Wed, 09 Mar 2011 23:29:16 +0100
> "Fabio Pietrosanti (naif)" <lists@xxxxxxxxxxxxxxx> wrote:
>> On 3/9/11 11:20 PM, Robert Ransom wrote:
>>> Try running "man tor |grep -C5 OutboundBindAddress".
>> You didn't get the technical need, the need is to redirect only TOR-exit
>> traffic.
>> OutboundBindAddress makes *all*, including intra-tor, communications go
>> through that IP address:
>> "Make all outbound connections originate from the IP address specified.
>>  This is only useful when you have multiple network interfaces, and you
>>  want all of Tor's outgoing connections to use a single one."
>> I've been thinking about a setting for TOR-Exit only traffic.
>>> But I'm not surprised that someone who wants to perform content
>>> censorship on a Tor exit node is too clueless to find that Tor
>>> configuration option, or to find out that iptables can apply different
>>> rules to the user ID under which Tor is running.
>> Yes, but that's more complex: with iptables you can redirect TCP ports,
>> but from your TOR node not all traffic going for example to port 80 is
>> http, but a lot of it is TOR.
>> If you redirect it to a transparent proxy you'll break intra-tor
>> communications, and so you can't just make an easy redirect with iptables.
> Ah!  Now I get it.  You want to censor non-HTTP connections on port 80,
> and probably Google searches for "Robert'); DROP TABLE Students;--" (a
> quote from one popular web comic) as well.
> I've opened a relevant enhancement ticket.  See
> <https://trac.torproject.org/projects/tor/ticket/2697>.

Very cool, I will participate, but please understand that one thing is
censorship, another thing is doing proper filtering for the benefit of
TOR's end-users and the TOR network's growth itself.

Detecting some kind of strong mangling of traffic is good, but a
properly done and finely tuned system:
a) doesn't cause trouble for end-users
b) is not easy to detect

That way a TOR maintainer would be able to protect themselves from serious,
concrete, demonstrable web-attacks such as evident SQL injection and web
brute force.

The TOR exit scanner, as the final user, will not even notice that, and in
the TOR economics everyone will be happier :-)
