[tor-dev] Proposal 186: Multiple addresses for one OR or bridge
Karsten Loesing
karsten.loesing at gmx.net
Thu Sep 22 07:43:39 UTC 2011
Hi Nick,
a few comments on proposal 186 below:
On 9/21/11 8:13 PM, Nick Mathewson wrote:
> In consonance with our changes to the (Socks|Trans|NATD|DNS)Port
> options made in 0.2.3.x for proposal 171, I make a corresponding
> change to allow multiple SocksPort options and deprecate
> SocksListenAddress.
When you say "Socks" in this document in most cases you mean "OR".
> The new syntax will be:
>
> "SocksPort" PortDescription Options?
The syntax allows multiple options per SocksPort line, right? Would
that be "Options*" then?
> The 'NoListen' option tells Tor to advertise an address, but not
> bind to it. The operator needs to use some other mechanism to
> ensure that ports are redirected to ports that _are_ listened on.
Do we need to check that we have at least one SocksPort line without the
NoListen option?
> In current operating systems (unless we get into crazy nonportable
> tricks) we need to use one socket for every address:port that Tor
> binds on. As a sanity check, we can limit the number of such
> sockets we use to, say, 64. If you want to bind lots more
> address:port combinations, you'll want to do it at the
> firewall/routing level.
64 seems very high for the number of sockets to open. If someone wants to
open more than 8 sockets and doesn't know how to edit firewall rules,
that person probably shouldn't be opening this number of sockets.
> Example: Our firewall is redirecting ports 80, 443, and 7000-8000
> on all hosts in x.244.2.0/24 onto our port 2929.
>
> SocksPort 2929 no-advertise
> SocksPort x.244.2.0/24:80,443,7000-8000 no-listen
"no-advertise" -> "noadvertise"
"no-listen" -> "nolisten"
The "/24" should probably also go away.
> Example: We have a dynamic DNS provider that maps
> tornode.example.com to our current external IPv4 and IPv6
> addresses. Our firewall forwards port 443 on those addresses to our
> port 1337.
>
> SocksPort 1337 no-advertise alladdrs
> SocksPort tornode.example.com:443 no-bind alladdrs
"no-advertise" -> "noadvertise"
"no-bind" -> "nolisten"
I wonder what the effect of putting in a dynamic hostname is. Tor uses
an IP address in the server descriptor anyway, and wouldn't it find out
the IP address(es) by itself?
> It will now be possible for a Tor node to find that some addresses
> work and others do not. In this case, the node should only
> advertise socksport lines that have been checked.
What if a partial SocksPort line was found to work, that is, if only a
few ports work?
> A node must not list more than 8 or-address lines.
Should there also be a restriction of PORTSPECs per line? I can imagine
how these lines can get quite long: 1.2.3.4:1-2,4-5,7-8,...
Rest looks good!
Best,
Karsten
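The checks raised in this reply (at least one line must actually listen, a cap on bound sockets, a cap on advertised lines, and the question of what a dynamic hostname means for a descriptor that carries IP addresses) can be expressed as a small validator over the proposed line syntax. The following is an added example, not code from the proposal or from Tor; it assumes the keyword is ORPort (or SocksPort, as the quoted draft writes it), that options are spelled NoListen/NoAdvertise with hyphenated variants tolerated, that one socket is bound per address:port that is listened on, and that a hostname rather than an IP literal in an advertised line is worth flagging. The limits 64 and 8 come from the quoted text; the stricter 8-socket limit suggested above is passed as a parameter.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Limits taken from the quoted proposal text; both are assumptions about
# how the final design would look.
MAX_LISTEN_SOCKETS = 64   # "limit the number of such sockets we use to, say, 64"
MAX_ADVERTISED_LINES = 8  # "must not list more than 8 or-address lines"


@dataclass
class PortLine:
    address: str | None   # None means "bind on all addresses"
    ports: list[int]
    listen: bool = True
    advertise: bool = True
    is_hostname: bool = False


def parse_portspec(spec: str) -> list[int]:
    """Expand a PORTSPEC such as '80,443,7000-8000' into a list of ports."""
    ports: list[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def parse_line(line: str) -> PortLine:
    """Parse 'ORPort [addr:]PORTSPEC Option*' (keyword and option names assumed)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].lower() not in ("orport", "socksport"):
        raise ValueError(f"expected 'ORPort PortDescription Options*', got {line!r}")
    desc = tokens[1]
    if ":" in desc:
        # Split on the last ':' so a bracketed IPv6 literal keeps its colons.
        addr, spec = desc.rsplit(":", 1)
        addr = addr.strip("[]")
    else:
        addr, spec = None, desc
    is_hostname = False
    if addr is not None:
        if "/" in addr:
            raise ValueError(f"{addr!r}: a single address is expected, not a prefix")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            is_hostname = True  # e.g. a dynamic DNS name
    pl = PortLine(addr, parse_portspec(spec), is_hostname=is_hostname)
    for opt in tokens[2:]:
        key = opt.lower().replace("-", "")  # accept NoListen, nolisten, no-listen
        if key == "nolisten":
            pl.listen = False
        elif key == "noadvertise":
            pl.advertise = False
        else:
            raise ValueError(f"unknown option {opt!r}")
    return pl


def check_config(lines: list[str], max_sockets: int = MAX_LISTEN_SOCKETS) -> list[str]:
    """Return a list of problems; an empty list means the lines pass every check."""
    parsed = [parse_line(l) for l in lines]
    problems: list[str] = []
    listening = [p for p in parsed if p.listen]
    if not listening:
        problems.append("no line actually listens: every line carries NoListen")
    # One socket per address:port bound; a wildcard address still needs one per port.
    sockets = sum(len(p.ports) for p in listening)
    if sockets > max_sockets:
        problems.append(f"{sockets} listen sockets exceed the limit of {max_sockets}; "
                        "redirect the extra ports at the firewall instead")
    advertised = [p for p in parsed if p.advertise]
    if len(advertised) > MAX_ADVERTISED_LINES:
        problems.append(f"{len(advertised)} advertised lines exceed {MAX_ADVERTISED_LINES}")
    for p in advertised:
        if p.is_hostname:
            problems.append(f"advertised address {p.address!r} is a hostname; "
                            "descriptors carry IP addresses, so it must be resolved first")
    return problems


if __name__ == "__main__":
    # Constructed sample: the first quoted example, with a documentation IP.
    sample = ["ORPort 2929 NoAdvertise",
              "ORPort 192.0.2.1:80,443,7000-8000 NoListen"]
    print(check_config(sample) or "ok")
```

With the quoted second example (a dynamic DNS name on the NoListen line) the validator reports exactly the hostname concern raised above, and a single line of the form "ORPort 1-100" trips the socket limit whether that limit is 64 or 8.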