[or-cvs] Add private:* as an alias in configuration for policies.
Nick Mathewson
nickm at seul.org
Thu Dec 8 19:40:26 UTC 2005
Update of /home/or/cvsroot/tor/doc
In directory moria:/tmp/cvs-serv13837/doc
Modified Files:
TODO tor.1.in
Log Message:
Add private:* as an alias in configuration for policies.
Index: TODO
===================================================================
RCS file: /home/or/cvsroot/tor/doc/TODO,v
retrieving revision 1.383
retrieving revision 1.384
diff -u -d -r1.383 -r1.384
--- TODO 8 Dec 2005 18:57:10 -0000 1.383
+++ TODO 8 Dec 2005 19:40:23 -0000 1.384
@@ -94,9 +94,10 @@
- Implement
N - Destroy and truncated cells should have reasons.
-N*- Add private:* alias in exit policies to make it easier to ban all the
+ o Add private:* alias in exit policies to make it easier to ban all the
fiddly little 192.168.foo addresses.
- (AGL had a patch; consider applying it.)
+ o Implement
+ o Document
o warn if listening for SOCKS on public IP.
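Review bot: the sub-item still reads "alias in exit policies" while the commit subject says the alias is "in configuration for policies" generally; if the alias is also accepted by the other policy options, the TODO wording (and the documentation it checks off) should say so, otherwise the subject line overstates the scope. The dropped line "(AGL had a patch; consider applying it.)" also leaves no record of whether that patch was the basis of this implementation; if it was, the ChangeLog or commit message should credit AGL.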
Index: tor.1.in
===================================================================
RCS file: /home/or/cvsroot/tor/doc/tor.1.in,v
retrieving revision 1.105
retrieving revision 1.106
diff -u -d -r1.105 -r1.106
--- tor.1.in 4 Oct 2005 21:21:09 -0000 1.105
+++ tor.1.in 8 Dec 2005 19:40:23 -0000 1.106
@@ -387,22 +387,23 @@
reject any traffic destined for localhost and any 192.168.1.* address, but
accept anything else.
+To specify all internal networks (including 169.254.0.0/16,
+127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12), you can use
+the "private" alias instead of an address. For example, to allow HTTP
+to 127.0.0.1 and block all other connections to internal networks, you
+can say "accept 127.0.0.1:80,reject private:*". See RFC 3330 for more
+details about internal and reserved IP address space.
+
This directive can be specified multiple times so you don't have to put
it all on one line.
-See RFC 3330 for more details about internal and reserved IP address
-space. Policies are considered first to last, and the first match wins. If
+Policies are considered first to last, and the first match wins. If
you want to _replace_ the default exit policy, end your exit policy with
either a reject *:* or an accept *:*. Otherwise, you're _augmenting_
(prepending to) the default exit policy. The default exit policy is:
.PD 0
.RS 12
-.IP "reject 0.0.0.0/8" 0
-.IP "reject 169.254.0.0/16" 4
-.IP "reject 127.0.0.0/8"
-.IP "reject 192.168.0.0/16"
-.IP "reject 10.0.0.0/8"
-.IP "reject 172.16.0.0/12"
+.IP "reject private:*" 0
.IP "reject *:25"
.IP "reject *:119"
.IP "reject *:135-139"
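Review bot: the default policy list loses "reject 0.0.0.0/8" when the six address-range rejects collapse into ".IP "reject private:*" 0", yet the new paragraph defines "private" as 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 only. Either the alias does cover 0.0.0.0/8 and the paragraph should list it, or the default exit policy has quietly stopped rejecting that range and ".IP "reject 0.0.0.0/8"" should stay in the list. Separately, the removed ".IP "reject 169.254.0.0/16" 4" carried the indent argument that the following .IP entries inherited; with only the "0" on the new first line, check that "reject *:25" onward still renders aligned inside the .RS 12 block.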