> On 5 May 2017, at 06:03, nusenu <nusenu-lists@xxxxxxxxxx> wrote:
>
> Hi,
>
> since I really like this new feature
> I added [1] initial autoconfiguration support for it to ansible-relayor
> (user can opt-in via a single boolean and we automate the rest).
>
> I want to make sure I do this correctly and would like your feedback on
> the following questions:

You should probably specify OutboundBindAddressOR [IPv6] as well.
Several upcoming IPv6 features require relays to make outgoing IPv6 OR
connections:
* Missing IPv6 ORPort reachability check
  https://trac.torproject.org/projects/tor/ticket/6939
* Enable relays to talk to other relays via IPv6
  https://trac.torproject.org/projects/tor/ticket/4565
And maybe:
* Change clients to automatically use IPv6 if they can bootstrap over it
  https://trac.torproject.org/projects/tor/ticket/17217

If you don't specify OutboundBindAddressOR [IPv6], any IPv6 connections
a relay makes will go via the OS routing table, which may use the same
address as OutboundBindAddressExit.

> a)
> Is 'OutboundBindAddressOR' in the following context optional (in the
> sense that it does not change tor's behavior)?
>
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressOR 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
>
> is identical to:
>
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
>
> (since according to the manual page OutboundBindAddress*OR* would just
> override OutboundBindAddress, which is not needed in the above example
> since they match)

Yes, they are identical in current tor versions.

There is currently no OutboundBindAddressDNS, but there might be in
future. So please use OutboundBindAddress if you mean "all non-exit
connections", and OutboundBindAddressOR if you mean "remote ORPort and
DirPort connections".

Also, the documentation is unclear, and we need to fix it:
https://trac.torproject.org/projects/tor/ticket/22145

> b)
> Is it ok to set OutboundBindAddressExit for IPv4 only, even if we set
> 'IPv6Exit 1' or is setting an IPv6 OutboundBindAddressExit address
> required after setting OutboundBindAddressExit for IPv4?
>
> Since this question might be a bit confusing I'll give an example in
> form of torrc lines:
>
>
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
> IPv6Exit 1
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
>
> (this config has an IPv4 OutboundBindAddressExit entry but no IPv6
> OutboundBindAddressExit entry)

This means that IPv6 Exit connections will use the OS routing table.

> c)
> Similar to (b) is it ok to enable OutboundBindAddressExit for IPv6 only?

This means that IPv4 Exit connections will use the OS routing table.

> d)
> Is it ok if multiple tor instances on the same host use the same
> OutboundBindAddressExit address?
> (ignoring the fact that big exits might run out of source ports?)

Yes, tor does not use any specific source ports for outgoing connections.

> ...
> [1]
> https://github.com/nusenu/ansible-relayor/commit/00fa7c571e8b6f6256092d992831598ad73201db

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev