[tor-bugs] #7349 [Core Tor/Tor]: Obfsbridges should be able to "disable" their ORPort

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 19 20:34:36 UTC 2020


#7349: Obfsbridges should be able to "disable" their ORPort
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  (none)
     Type:  project                              |         Status:  new
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-bridge, SponsorZ, tor-pt,        |  Actual Points:
  proposal-needed, censorship, sponsor19, 040    |
  -roadmap-proposed, anti-censorship-roadmap     |
Parent ID:                                       |         Points:  10
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor28-can
-------------------------------------------------+-------------------------

Comment (by teor):

 Replying to [comment:48 dfiguera]:
 > arma said:
 > > The bridge operator can also set AssumeReachable 1 in her torrc config
 > > file, and then firewall the port, and I bet that would work, but it isn't
 > > the sort of thing every bridge operator will be able to do.
 >
 > I've tried that in my bridge, but it couldn't publish its descriptor.
 > Maybe if the firewall makes an exception for the DirAuths (and any other
 > needed host) it will work?

 Is it an inbound or outbound firewall?

 Bridges need to make outbound connections to all relays, including
 directory authorities and the bridge authority. (Effectively every address
 on the Internet, because new relays join the network all the time.)

 Bridges need to accept inbound connections to their ORPort from the bridge
 authority (for its reachability checks), and from other relays (for the
 bridge's ORPort reachability self-tests), and from clients. (So any
 address on the Internet.)

 In any case, bridges currently require an IPv4 ORPort to publish their
 descriptor. If we remove that requirement, then IPv6 bridges with outbound
 IPv4 connectivity will work. And we won't need the AssumeReachable
 workaround any more.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7349#comment:49>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

