What should the default exit policy be?

Roger Dingledine arma at mit.edu
Wed Dec 10 09:32:38 UTC 2003


Here is a possible default exit policy. Individual nodes would be free to
have a more restrictive or less restrictive policy. Rules are in order,
first rule to match wins.

reject subnets 127/8, 192.168/16, 10/8, 172.16/12
accept ports 80(http), 443(https), 22(ssh), 20,21(ftp), 53(named),
  79(finger), 143(imap), 110(pop), 873(rsync)
accept ports 1024-*
reject *

Some questions:
a) Notice that we're rejecting everything else by default. Should
   the default be to accept all, and we just pick out the ports/subnets
   we're scared of (ports 139, 25, what else)? That opens us up even
   more to portscanning, etc., of course. In part this is to ensure we
   don't run into too much trouble initially as we start to grow. But
   we should also consider whether it will be possible to tighten exit
   policies down the road, or only loosen them.
b) Speaking of which, I've left smtp off the list of approved ports. While
   it would be nice to have it, I don't know of anybody using it, and
   "by default you can't use the Tor network to deliver spam" seems like
   a nice phrase to be able to say to people.
c) What about spop / simap? What other privileged ports are missing that
   we should accept?

--Roger
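
The first-match-wins evaluation described in the message above, as an added example that is not part of the original post and is not Tor's own code. The rule tuples, the names PROPOSED, ACCEPT_BY_DEFAULT, evaluate and ports_that_differ, the fail-closed fallback and the sample addresses are assumptions made for illustration. It also compares the proposed policy with the accept-by-default alternative raised in question (a).

```python
import ipaddress

# Rule = (action, network or None for "any address", (low_port, high_port)).
# This tuple layout is an assumption for illustration, not Tor's own syntax.
ANY_PORT = (1, 65535)
PRIVATE = ["127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
SUBNET_REJECTS = [("reject", ipaddress.ip_network(c), ANY_PORT) for c in PRIVATE]

# The policy from the post, kept in the post's order.
PROPOSED = (
    SUBNET_REJECTS
    + [("accept", None, (p, p)) for p in (80, 443, 22, 20, 21, 53, 79, 143, 110, 873)]
    + [("accept", None, (1024, 65535)), ("reject", None, ANY_PORT)]
)

# Question (a) alternative: reject only the ports named there, accept the rest.
ACCEPT_BY_DEFAULT = (
    SUBNET_REJECTS
    + [("reject", None, (p, p)) for p in (139, 25)]
    + [("accept", None, ANY_PORT)]
)


def evaluate(policy, address, port):
    """Return the action of the first rule that matches (address, port)."""
    ip = ipaddress.ip_address(address)
    for action, network, (low, high) in policy:
        if network is not None and ip not in network:
            continue  # subnet rule for some other network
        if low <= port <= high:
            return action
    return "reject"  # assumption: fail closed when no rule matches


def ports_that_differ(policy_a, policy_b, address):
    """Ports on which the two policies give different verdicts for one address."""
    return [p for p in range(1, 65536)
            if evaluate(policy_a, address, p) != evaluate(policy_b, address, p)]


if __name__ == "__main__":
    # Constructed sample destinations (198.51.100.7 is a documentation address).
    for addr, port in [("192.168.1.1", 80), ("198.51.100.7", 80),
                       ("198.51.100.7", 25), ("198.51.100.7", 993)]:
        print(addr, port, evaluate(PROPOSED, addr, port))
    extra = ports_that_differ(PROPOSED, ACCEPT_BY_DEFAULT, "198.51.100.7")
    print(len(extra), "privileged ports open only under accept-by-default")
```

Because the subnet rejects come first, a private destination on port 80 is refused even though port 80 is on the accept list.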


