
Re: Exclude nodes from certain countries

     On Sun, 16 Sep 2007 17:18:49 -0400 misc <misc@xxxxxxxxxxx> wrote:
>On Sun, 16 Sep 2007 01:25:51 -0500 (CDT), Scott Bennett wrote:
>>      I'd strongly recommend that you start with the tor overview
>> document at
>> 	https://tor.eff.org/overview
>> paying special attention to the cartoon describing how circuits are built,
>> which should begin to straighten you out on some of the other misconceptions
>> you've indicated regarding tor.  To learn about the process in greater detail,
>> continue reading at
>> 	http://tor.eff.org/svn/trunk/doc/spec/path-spec.txt
>>      To understand how tor clients (and servers) know what choices of servers
>> are available, you need to read the directory protocol document(s) appropriate
>> to the version of tor you run.  For[67], read
>> 	http://tor.eff.org/svn/trunk/doc/spec/dir-spec-v2.txt
>>  For, read the above and
>> 	http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt
>Thanks Scott,
>I understand now that Tor client downloads network-status documents with
>descriptors of available onion routers and then chooses the routers for
>building circuits from that list. I understand that tor client connects
>directly only to entry nodes, and never makes a direct connection with
>middle or exit nodes (unless they're later used as entry nodes for
>different circuits).

     Well, almost.  There is a subtlety there in that "entry node" is not
exactly synonymous with "entry guard".  An entry node is simply the first
node of a circuit and can be any tor server currently accepting connections
on its ORPort.  If one's torrc contains "UseEntryGuards 1" or that value
is allowed to default to 1, then the tor client will limit the choices for
the entry node for a new circuit to tor servers marked "Guard" in a status
document.  But it sounds like you have the idea now.
>I understand that I can use firewall to control the entry nodes used (the
>firewall would prevent connecting to bad IPs, certain countries, etc). But

     Yes, that would work, but might be a real pain to live with because of
all the delays you could encounter when tor tries to contact a server
blocked by your firewall and has to wait for the timeout before trying to
reach a different one.  "ExcludeNodes" would be much faster because tor
would know in advance not to bother connecting to those servers.  The problem
then becomes one of maintaining the list of excluded nodes.
     There is another option, though.  You can specify a list of "EntryNodes"
to use, as well as a list of "ExitNodes" in your torrc.  These lists would
be the pools from which servers would be chosen first for those circuit
positions.  If you set "StrictEntryNodes 1" and "StrictExitNodes 1", then
those will be the only ones that can be chosen.  You could choose a reasonably
sized list of servers that meet your criteria for entry or exit nodes, and
then just live with those, rather than trying to maintain a huge and
dynamic list of nodes to exclude.

>I still do NOT see how Tor connections to entry nodes can be controlled
>with Squid.

     Can't help you there.  I know nothing about squid.
>It would make sense to use Protowall (with a blocklist from bluetack.co.uk)
>to prevent connections to bad IP ranges. That way entry nodes run by
>various "bad" organizations will not be used.

     I don't know Protowall either.
>But I'm still left with a problem of how to avoid nodes from certain
>countries. What especially bothers me is when ALL THREE NODES are chosen
>from the same bad country. I would really like to avoid that. 

     You don't really have to worry about the middle nodes.
>I hope solution for Windows will come soon.

     Give "EntryNodes" - "StrictEntryNodes" and "ExitNodes" - "StrictExitNodes"
methods a try.  If you pick, say, 25 - 50 nodes with long uptimes, you should
be okay.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
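The following is an added illustration of the EntryNodes/StrictEntryNodes and ExitNodes/StrictExitNodes approach Scott suggests; it is not code from the thread or from the Tor project. It assumes a small, constructed list of relays (the nicknames, fingerprints, countries and uptimes are made up), that the country of each relay has already been looked up by some geolocation step of your own, and that the only torrc syntax used is the "$FINGERPRINT" list form these options accept. Note that later Tor releases folded StrictEntryNodes and StrictExitNodes into a single StrictNodes option; the option names below are the ones discussed in this 2007 thread.

```python
import re
from dataclasses import dataclass

# A relay fingerprint is 40 uppercase hex digits; torrc takes it with a leading '$'.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


@dataclass(frozen=True)
class Relay:
    nickname: str
    fingerprint: str    # 40 hex chars, without the leading '$'
    country: str        # ISO 3166 code, assumed to come from your own geolocation step
    uptime_days: int    # how long the relay has been up, per your own records
    flags: frozenset    # status-document flags such as Guard, Exit, Running


# Constructed sample data, not real relays.  Fingerprints are deliberately fake.
SAMPLE_RELAYS = [
    Relay("alpha",   "A" * 40,            "DE", 120, frozenset({"Guard", "Running", "Stable"})),
    Relay("bravo",   "B" * 40,            "XX", 200, frozenset({"Guard", "Exit", "Running"})),
    Relay("charlie", "C" * 40,            "SE",  90, frozenset({"Exit", "Running"})),
    Relay("delta",   "D" * 40,            "NL",   3, frozenset({"Guard", "Exit", "Running"})),
    Relay("echo",    "E" * 40,            "US", 400, frozenset({"Exit", "Running", "Stable"})),
    Relay("foxtrot", "not-a-fingerprint", "SE", 400, frozenset({"Guard", "Running"})),
]


def select_relays(relays, role, exclude_countries, min_uptime_days, limit):
    """Pick up to `limit` relays carrying flag `role` ("Guard" or "Exit"),
    skipping excluded countries, short uptimes, non-running relays and
    anything whose fingerprint would not parse in torrc.  Longest uptime first."""
    pool = []
    for r in relays:
        if not FINGERPRINT_RE.match(r.fingerprint):
            continue                      # a bad fingerprint would make tor reject the line
        if r.country in exclude_countries:
            continue
        if role not in r.flags or "Running" not in r.flags:
            continue
        if r.uptime_days < min_uptime_days:
            continue
        pool.append(r)
    pool.sort(key=lambda r: r.uptime_days, reverse=True)
    return pool[:limit]


def render_torrc(entry_pool, exit_pool):
    """Render the torrc lines for fixed entry and exit pools.  Refuses to emit a
    Strict*Nodes setting with an empty pool, since that would leave tor with
    no usable node for that circuit position."""
    if not entry_pool or not exit_pool:
        raise ValueError("refusing to write Strict*Nodes with an empty pool")

    def fp_list(pool):
        return ",".join("$" + r.fingerprint for r in pool)

    return "\n".join([
        "# entry/exit pools generated from constructed sample data",
        "EntryNodes " + fp_list(entry_pool),
        "StrictEntryNodes 1",
        "ExitNodes " + fp_list(exit_pool),
        "StrictExitNodes 1",
        "",
    ])


if __name__ == "__main__":
    # "XX" stands in for whatever country you want to keep out of both positions.
    entries = select_relays(SAMPLE_RELAYS, "Guard", {"XX"}, min_uptime_days=30, limit=50)
    exits = select_relays(SAMPLE_RELAYS, "Exit", {"XX"}, min_uptime_days=30, limit=50)
    print(render_torrc(entries, exits))
```

With the sample data only "alpha" qualifies as an entry (bravo is in the excluded country, delta has too little uptime, foxtrot has an unparseable fingerprint), and "echo" and "charlie" qualify as exits. In real use you would feed it the relays from a current network-status document and a country lookup of your own, and aim for the 25 to 50 long-uptime nodes Scott recommends rather than the one or two that this toy list yields.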