Re: [tor-bugs] #18214 [Tor]: exit policy wrongly displayed in globe, atlas etc.

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#18214: exit policy wrongly displayed in globe, atlas etc.
------------------------------------------------+--------------------------
 Reporter:  toralf                              |          Owner:
     Type:  defect                              |         Status:  new
 Priority:  Medium                              |      Milestone:  Tor:
Component:  Tor                                 |  0.2.8.x-final
 Severity:  Normal                              |        Version:  Tor:
 Keywords:  security 027-backport 026-backport  |  0.2.7.6
Parent ID:                                      |     Resolution:
  Sponsor:                                      |  Actual Points:
                                                |         Points:
------------------------------------------------+--------------------------
Changes (by teor):

 * keywords:   => security 027-backport 026-backport
 * status:  needs_information => new
 * version:   => Tor: 0.2.7.6
 * milestone:  Tor: 0.2.??? => Tor: 0.2.8.x-final


Comment:

 There are two issues here:

 tor could simplify descriptors better:
 {{{
 reject *:80
 ...
 accept *:80-81
 }}}
 should become:
 {{{
 reject *:80
 ...
 accept *:81
 }}}
 This issue can be confirmed using globe:
 âhttps://globe.torproject.org/#/relay/F1BE15429B3CE696D6807F4D4A58B1BFEC45C822

 tor also appears to be leaving some torrc ExitPolicy entries out of the
 descriptor:
 {{{
 ExitPolicy reject *:20-21
 ExitPolicy reject *:22
 ExitPolicy reject *:23
 ...
 ExitPolicy reject *:554
 ExitPolicy reject *:8000
 ExitPolicy reject *:8080
 }}}
 This is a serious security issue if these ExitPolicy entries are not being
 applied by the relay. On the other hand, if the entries are being applied
 on the relay, but aren't in the descriptor, it will slow clients down, as
 they believe the relay will allow ports which it then refuses.

 From the stem output, it appears that the ExitPolicy entries are being
 correctly parsed by tor. But they aren't making it into the descriptor.

 toralf, can you confirm if you have sent a HUP to your relay, or restarted
 the tor process, since changing the config?
 Are you only running one tor process?

 toralf's relay is running tor 0.2.7.6.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18214#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs