
Re: any of Tor operators receiving mail from MediaSentry Copyright Infringement?



On Mon, Oct 10, 2005 at 09:13:48AM -0400, Geoffrey Goodell wrote:
> 1. Your exit policy is not the default.  We now recommend setting this
> as your exit policy:

Thanks, adopted. 
 
> reject 0.0.0.0/255.0.0.0:*
> reject 169.254.0.0/255.255.0.0:*
> reject 127.0.0.0/255.0.0.0:*
> reject 192.168.0.0/255.255.0.0:*
> reject 10.0.0.0/255.0.0.0:*

Question: if I have a local network in 10.3.0.0
(virtual TUN/TAP interface), can I change this
policy without causing problems? (10.0.0.0/255.0.0.0
isn't routable, anyway, right? This is to prevent
spillover of unroutable traffic into the Tor network, and not
something against spoofing, correct?)

> reject 172.16.0.0/255.240.0.0:*
> reject *:25
> reject *:119
> reject *:135-139
> reject *:445
> reject *:465
> reject *:587
> reject *:1214
> reject *:4661-4666
> reject *:6346-6429
> reject *:6699
> reject *:6881-6999
> accept *:*
> 
> Note that this is both more reasonable about well-known ports and more
> restrictive in ranges often chosen by P2P filesharing networks.
> 
> 2. As long as you are in the business of digging around in the
> application layer for clues about whether you should filter a connection
> or not, and in so doing provide Tor users with uncertainty about whether
> their connections will satisfy the filtering constraints or not, you

I don't. I understand that this is hairy, and just wanted to know
whether it is currently feasible to block specific protocols (such
as BitTorrent) in the ExitPolicy. It is not, so end of story.

> might as well just put your Tor router behind a firewall of your own,
> with a script to drop connections whose application-layer payloads or
> traffic patterns you consider evil.  Indeed, the possibilities are

It has to be a pretty smart firewall to track an entire BitTorrent
session sufficiently to be able to recognize it and to drop it.
Also, if I had such a firewall, which would block outgoing Tor
traffic it recognizes, it would not be reflected in the Tor exit
policy, and the local Tor node would cheerfully send it out,
where it would be chomped up by the firewall. This would violate
the expectations of any user.

> endless, and ultimately cannot be expressed using simple policy
> statements.  Entering the market for application-layer
> filtering is a slippery slope.

So I gathered. Thanks.

-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

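The exit-policy semantics discussed above, as an added example that is not part of the original thread and not Tor's own code: a small Python checker that parses ExitPolicy lines in the netmask form used in the quoted policy, applies Tor's rule that the first matching line wins, and flags lines that can never match because an earlier line already covers them. The RECOMMENDED_POLICY text is copied from the message; the SHADOWED_POLICY variant with a 10.3.0.0/16 accept line placed after the 10/8 reject is constructed here purely to illustrate why line order matters, not as a recommendation. Function and class names are this example's own.

```python
"""Evaluate a Tor ExitPolicy the way tor does: first matching line wins."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The policy recommended in the message above, copied verbatim (netmask form).
RECOMMENDED_POLICY = """
reject 0.0.0.0/255.0.0.0:*
reject 169.254.0.0/255.255.0.0:*
reject 127.0.0.0/255.0.0.0:*
reject 192.168.0.0/255.255.0.0:*
reject 10.0.0.0/255.0.0.0:*
reject 172.16.0.0/255.240.0.0:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
"""

# Constructed variant (not from the message): the 10.3.0.0/16 accept line sits
# *after* the 10/8 reject, so it can never match.  Illustration only.
SHADOWED_POLICY = """
reject 10.0.0.0/255.0.0.0:*
accept 10.3.0.0/255.255.0.0:*
accept *:*
"""


@dataclass(frozen=True)
class ExitRule:
    action: str                      # "accept" or "reject"
    network: ipaddress.IPv4Network   # 0.0.0.0/0 stands for the '*' address
    port_lo: int
    port_hi: int
    text: str                        # original line, kept for reporting

    def matches(self, addr: str, port: int) -> bool:
        return (ipaddress.IPv4Address(addr) in self.network
                and self.port_lo <= port <= self.port_hi)


def parse_rule(line: str) -> ExitRule:
    """Parse one 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' line."""
    action, spec = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in {line!r}")
    addr_part, port_part = spec.rsplit(":", 1)
    # ipaddress accepts prefix-length and dotted-netmask notation alike,
    # so "10.0.0.0/255.0.0.0" parses directly.
    network = (ipaddress.IPv4Network("0.0.0.0/0") if addr_part == "*"
               else ipaddress.IPv4Network(addr_part, strict=False))
    if port_part == "*":
        lo, hi = 1, 65535
    elif "-" in port_part:
        lo, hi = (int(p) for p in port_part.split("-", 1))
    else:
        lo = hi = int(port_part)
    return ExitRule(action, network, lo, hi, line)


def parse_policy(text: str) -> List[ExitRule]:
    lines = [l.strip() for l in text.splitlines()]
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def decide(rules: List[ExitRule], addr: str,
           port: int) -> Tuple[Optional[str], Optional[ExitRule]]:
    """Return (action, rule) of the first matching line, or (None, None) if
    no line matched.  Both policies above end in 'accept *:*', so for them a
    match is guaranteed."""
    for rule in rules:
        if rule.matches(addr, port):
            return rule.action, rule
    return None, None


def shadowed_rules(rules: List[ExitRule]) -> List[Tuple[int, int]]:
    """Pairs (j, i): line j can never match because the earlier line i covers
    its whole address range and its whole port range."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (later.network.subnet_of(earlier.network)
                    and earlier.port_lo <= later.port_lo
                    and later.port_hi <= earlier.port_hi):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    rules = parse_policy(RECOMMENDED_POLICY)
    for addr, port in [("10.3.0.1", 80), ("198.51.100.7", 6881),
                       ("198.51.100.7", 80), ("198.51.100.7", 25)]:
        action, rule = decide(rules, addr, port)
        print(f"{addr}:{port} -> {action}  ({rule.text})")
    print("shadowed lines in SHADOWED_POLICY:",
          shadowed_rules(parse_policy(SHADOWED_POLICY)))
```

Two things the run makes visible: under the recommended policy a destination in 10.3.0.0/16 is rejected by the 10/8 line regardless of anything placed after it, and a BitTorrent peer listening on port 80 is accepted, which is the limitation the message arrives at: an ExitPolicy matches addresses and ports, never protocols.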