1. Your exit policy is not the default. We now recommend setting this as your exit policy:

   reject 0.0.0.0/255.0.0.0:*
   reject 169.254.0.0/255.255.0.0:*
   reject 127.0.0.0/255.0.0.0:*
   reject 192.168.0.0/255.255.0.0:*
   reject 10.0.0.0/255.0.0.0:*
   reject 172.16.0.0/255.240.0.0:*
   reject *:25
   reject *:119
   reject *:135-139
   reject *:445
   reject *:465
   reject *:587
   reject *:1214
   reject *:4661-4666
   reject *:6346-6429
   reject *:6699
   reject *:6881-6999
   accept *:*

   Note that this is both more reasonable about well-known ports and more restrictive in ranges often chosen by P2P filesharing networks.

2. As long as you are in the business of digging around in the application layer for clues about whether you should filter a connection or not, and in so doing provide Tor users with uncertainty about whether their connections will satisfy the filtering constraints or not, you might as well just put your Tor router behind a firewall of your own, with a script to drop connections whose application-layer payloads or traffic patterns you consider evil. Indeed, the possibilities are endless, and ultimately cannot be expressed using simple policy statements. Entering the market for application-layer filtering is a slippery slope.

Geoff
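The exit policy recommended in point 1 above is a first-match list: the first `reject` or `accept` whose address range and port range both cover the destination decides the outcome. The following evaluator is an added example (not code from the post, nor Tor's own policy code) that parses that policy text and reports which rule a given destination hits, so a relay operator can check edge cases (the last address inside 172.16.0.0/255.240.0.0, the ports just outside the 6881-6999 range) before deploying it. It assumes IPv4 rules in the `accept|reject ADDR[/MASK][:PORTS]` form with either a dotted netmask or a prefix length; the destination addresses used are constructed test inputs from documentation ranges. Treating an unmatched destination as rejected is this example's conservative choice, not a statement about Tor's own default; the policy in the post ends in `accept *:*`, so every destination matches something anyway.

```python
"""Added example: evaluate destinations against the exit policy recommended in
the post above, using first-match semantics. Not code from the post or from Tor;
the destinations probed in __main__ and the tests are constructed inputs."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The policy from the post, one rule per line (trailing '#' comments are stripped).
RECOMMENDED_POLICY = """
reject 0.0.0.0/255.0.0.0:*
reject 169.254.0.0/255.255.0.0:*
reject 127.0.0.0/255.0.0.0:*
reject 192.168.0.0/255.255.0.0:*
reject 10.0.0.0/255.0.0.0:*
reject 172.16.0.0/255.240.0.0:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
"""


@dataclass(frozen=True)
class Rule:
    action: str                               # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]  # None means "*" (any address)
    ports: Tuple[int, int]                    # inclusive range; (1, 65535) for "*"
    text: str                                 # the rule as written, for reporting


def _parse_ports(spec: str) -> Tuple[int, int]:
    """'*' -> all ports, 'N' -> (N, N), 'A-B' -> (A, B); rejects nonsense ranges."""
    if spec == "*":
        return (1, 65535)
    lo, _, hi = spec.partition("-")
    lo_n, hi_n = int(lo), int(hi or lo)
    if not (1 <= lo_n <= hi_n <= 65535):
        raise ValueError(f"bad port range: {spec!r}")
    return (lo_n, hi_n)


def parse_rule(line: str) -> Rule:
    """Parse 'accept|reject ADDR[/MASK][:PORTS]'. MASK may be a dotted netmask
    (as in the post) or a prefix length; ipaddress accepts both."""
    action, _, target = line.strip().partition(" ")
    if action not in ("accept", "reject") or not target:
        raise ValueError(f"bad rule: {line!r}")
    if ":" in target:
        addr_spec, port_spec = target.rsplit(":", 1)
    else:
        addr_spec, port_spec = target, "*"
    network = None if addr_spec == "*" else ipaddress.IPv4Network(addr_spec, strict=False)
    return Rule(action, network, _parse_ports(port_spec), line.strip())


def parse_policy(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def first_match(rules: List[Rule], ip: str, port: int) -> Optional[Rule]:
    """Return the first rule whose address and port ranges both cover ip:port."""
    addr = ipaddress.IPv4Address(ip)
    for rule in rules:
        if rule.network is not None and addr not in rule.network:
            continue
        lo, hi = rule.ports
        if lo <= port <= hi:
            return rule
    return None


def exit_allowed(rules: List[Rule], ip: str, port: int) -> bool:
    """True if the first matching rule is an accept. An unmatched destination is
    treated as rejected here (this example's conservative choice)."""
    rule = first_match(rules, ip, port)
    return rule is not None and rule.action == "accept"


def explain(rules: List[Rule], ip: str, port: int) -> str:
    rule = first_match(rules, ip, port)
    return f"{ip}:{port} -> {rule.text if rule else 'no matching rule'}"


if __name__ == "__main__":
    rules = parse_policy(RECOMMENDED_POLICY)
    # Constructed destinations probing the edges of the recommended policy.
    for ip, port in [("198.51.100.1", 80), ("198.51.100.1", 25),
                     ("172.31.255.255", 443), ("172.32.0.1", 443),
                     ("203.0.113.7", 6881), ("203.0.113.7", 6880), ("0.1.2.3", 80)]:
        print(explain(rules, ip, port))
```

Running it shows, for instance, that 172.31.255.255:443 is caught by the 172.16.0.0/255.240.0.0 line while 172.32.0.1:443 falls through to `accept *:*`, and that 6880 is allowed while 6881 is not. Because the evaluator stops at the first match, reordering rules changes results; that is the property to keep in mind when adding exceptions to the list in the post.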