
Re: end-to-end encryption question

On Wed, 19 Sep 2007, Roger Dingledine wrote:

> If your webserver rejects requests from, that's bad, and it
> will break people trying to reach your website from your Tor server.
> The reason for this is that many modern OSes look at the destination
> (, realize they've got a better route for that, and decide to
> route it via
> (This might not be true for your favorite OS -- I'm not sure which OSes
> have this behavior -- but in practice it's true for enough of them that
> many people run into it.)
>
> > > b) If I have "ExitPolicyRejectPrivate 1" in my torrc, does that
> > > prevent such end-to-end encryption?
>
> No, because Tor looks at the address ( and your exit policy is
> fine with it. It's only later, in the OS, that it gets switched over.

Not quite.

Assume my external interface - eth0 - is configured to have the IP

If I connect to that address from my own computer the destination
address will always stay - there's no magic switching behind
the scenes.  That request is routed - on Linux at least - through the lo
interface however.

As for source address, that depends on a few factors again.  If you bind
to using OutboundBindAddress then that's the source address
that will be used.  If you don't specify one then the kernel will pick
one for you.  That's probably going to be again but there's
no reason why it couldn't be  Especially IPv6 likes to use
::1 (IPv6's version of in such instances.

                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/