
Re: [tor-relays] Exits behind a next-gen firewall? Opinions please



Jesse Victors:
> I've been running some exit nodes for some time now, and they're doing
> well. They've burned through many terabytes of bandwidth, and thanks
> to Tor's recommended reduced exit policy, complaints have been
> minimal. Clearly the vast majority of the Tor traffic is not
> malicious, but I have received some reports from other companies and
> from my ISP of hacking attempts: SQL Injection, XSS, botnet C&C, basic
> things like that. My ISP now tells me that they could reduce the
> reports even further by routing the exits through a "next-generation
> firewall" which apparently can detect an obvious clearnet attack and
> drop that connection a few milliseconds after the attack occurs.

You don't want that.

For Tor to work properly, once a packet is delivered to your exit (and
the destination is accepted) the packet must be delivered. Otherwise,
you are breaking the network and the relay will be a BadExit.

But you really don't want that because if you start looking at the
traffic and selecting the traffic, then you become liable for what you
transport (at least in Europe).

-- 
Lunar                                             <lunar@xxxxxxxxxxxxxx>

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays