On Mon, Oct 10, 2005 at 09:13:48AM -0400, Geoffrey Goodell wrote:

> 1. Your exit policy is not the default. We now recommend setting this
> as your exit policy:

Thanks, adopted.

> reject 0.0.0.0/255.0.0.0:*
> reject 169.254.0.0/255.255.0.0:*
> reject 127.0.0.0/255.0.0.0:*
> reject 192.168.0.0/255.255.0.0:*
> reject 10.0.0.0/255.0.0.0:*

Question: if I have a local network in 10.3.0.0 (virtual TUN/TAP
interface), can I change this policy without causing problems?
(10.0.0.0/255.0.0.0 isn't routable, anyway, right? This is to prevent
spillover of unroutable traffic into the Tor network, and not something
against spoofing, correct?)

> reject 172.16.0.0/255.240.0.0:*
> reject *:25
> reject *:119
> reject *:135-139
> reject *:445
> reject *:465
> reject *:587
> reject *:1214
> reject *:4661-4666
> reject *:6346-6429
> reject *:6699
> reject *:6881-6999
> accept *:*
>
> Note that this is both more reasonable about well-known ports and more
> restrictive in ranges often chosen by P2P filesharing networks.
>
> 2. As long as you are in the business of digging around in the
> application layer for clues about whether you should filter a connection
> or not, and in so doing provide Tor users with uncertainty about whether
> their connections will satisfy the filtering constraints or not, you

I don't. I understand that this is hairy, and just wanted to know whether
it is currently feasible to block specific protocols (such as BitTorrent)
in the ExitPolicy. It is not, so end of story.

> might as well just put your Tor router behind a firewall of your own,
> with a script to drop connections whose application-layer payloads or
> traffic patterns you consider evil. Indeed, the possibilities are

It has to be a pretty smart firewall to track an entire BitTorrent session
sufficiently to be able to recognize it and to drop it.

Also, if I had such a firewall which would block outgoing Tor traffic it
recognizes, it would not be reflected in the Tor exit policy, and the local
Tor node would cheerfully send it out where it will be chomped up by the
firewall. This would violate the expectations of any user.

> endless, and ultimately cannot be expressed using simple policy
> statements. Entering the market for application-layer
> filtering is a slippery slope.

So I gathered. Thanks.

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Attachment:
signature.asc
Description: Digital signature
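Added illustration, not part of the message above and not Tor's own code: a small evaluator for the quoted ExitPolicy that applies Tor's first-match rule, so it shows why the answer to the 10.3.0.0 question depends on where an accept line is placed relative to the `reject 10.0.0.0/255.0.0.0:*` line. The `accept 10.3.0.0/255.255.0.0:*` lines and the sample destination addresses are hypothetical.

```python
import ipaddress
# Constructed copy of the exit policy quoted in the message above.
RECOMMENDED_POLICY = """
reject 0.0.0.0/255.0.0.0:*
reject 169.254.0.0/255.255.0.0:*
reject 127.0.0.0/255.0.0.0:*
reject 192.168.0.0/255.255.0.0:*
reject 10.0.0.0/255.0.0.0:*
reject 172.16.0.0/255.240.0.0:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
"""
# Hypothetical: a local 10.3.0.0/16 accept placed BEFORE the 10.0.0.0/8 reject.
LOCAL_NET_FIRST = "accept 10.3.0.0/255.255.0.0:*\n" + RECOMMENDED_POLICY
# ...and the same accept placed AFTER it, where the earlier reject shadows it.
LOCAL_NET_LAST = RECOMMENDED_POLICY + "accept 10.3.0.0/255.255.0.0:*\n"

def parse_policy(text):
    """Parse ExitPolicy lines into (action, network-or-None, low_port, high_port)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line: continue
        action, target = line.split(None, 1)
        assert action in ("accept", "reject"), line
        addr, ports = target.rsplit(":", 1)  # "*" or "addr/mask", then "*", "p" or "lo-hi"
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        lo_hi = ["1", "65535"] if ports == "*" else ports.split("-")
        rules.append((action, net, int(lo_hi[0]), int(lo_hi[-1])))
    return rules

def first_match(rules, ip, port):
    """(rule_index, action) of the first rule matching ip:port. Tor stops at the
    first match, so the order of lines decides the outcome."""
    addr = ipaddress.ip_address(ip)
    for i, (action, net, lo, hi) in enumerate(rules):
        if (net is None or addr in net) and lo <= port <= hi:
            return i, action
    return None, "accept"  # assumption: no rule matched, treated as accept
```

With the recommended policy, `first_match(parse_policy(RECOMMENDED_POLICY), "10.3.0.5", 80)` returns `(4, "reject")`; the same lookup against `LOCAL_NET_FIRST` returns `(0, "accept")`, while against `LOCAL_NET_LAST` it still returns `(4, "reject")` because the appended accept is never reached.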