[tor-relays] Questions about exit enclaves

Jef Heri jefheri1 at yahoo.com
Sat Mar 31 13:20:23 UTC 2012


Hello Tom and Konstantinos,

>>>>> On Mar 30, 2012 14:18:35, "Jef Heri" <jefheri1 at yahoo.com> wrote:
>>>>>
>>>>> Hello list,
>>>>>
>>>>> [snip]
>>>>>
>>>>> Is it correct that a exit enclave will act as a
>>>>> 'normal' exit node, as well as the exit enclave for its IP
>>>>> address (https://trac.torproject.org/projects/tor/ticket/800)?
>>>>> If so, is it possible to block exit to any IP other than the
>>>>> node's own IP via torrc file? If not, maybe I could only
>>>>> allow exists to white-list IPs, such as Tor Project web site
>>>>> IP, EFF IP, and etc?
>>>>>
>>>>> [snip]
>>>>>
>>>>> Thanks!

>>>> On Mar 30, 2012 14:43:09, "Tom Ritter" <tom at ritter.vg> wrote:
>>>> 
>>>> It's my understanding that if you put the following Exit Policy in your torrc:
>>>> 
>>>> ExitPolicyRejectPrivate 0
>>>> ExitPolicy accept 97.107.139.108
>>>> ExitPolicy reject *:*
>>>> 
>>>> Where 97.107.139.108 is your IP address (that one's mine), you will
>>>> Exit Enclave to your site, not allow any other exit traffic, you will
>>>> be a normal tor relay (meaning you should check your bandwidth
>>>> limits/accounting), and you will become the preferred path for Tor
>>>> traffic to your site.
>>>> [snip]

>>> On 30 March 2012 14:50:49, Konstantinos Asimakis <inshame at gmail.com> wrote:
>>> 
>>> Wouldn't it be safer to accept connections only on port 80? Else he
>>> would be exposing the whole machine.

>> On 30 March 2012 14:43:09, "Tom Ritter" <tom at ritter.vg> wrote:
>>
>> Hm.  I don't know.  If you have a local firewall that blocks access to
>> say, samba, from external addresses, but allows it locally - would tor
>> allow you to access the port, because it appears that the connection
>> from coming locally?
>>
>> If you're already exposing port 22 on the internet, I would argue
>> allowing it through tor exit enclaving isn't increasing your risk any.
>>  But if tor lets you bypass the firewall - then there's a concern.
>>
>> -tom

> On Mar 30, 2012 15:02:04, Konstantinos Asimakis <inshame at gmail.com> wrote:
>
> I bet it will bypass the firewall but until someone else answers play it
> safe and allow only the ports you need. ;-)

Thank you both for the interesting back and forth. I think I tend to side with Konstantinos, and since my site will only offer SSL (not http), I guess I should set up to only accept connections from 443, correct?

Thank you both.
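To make the difference between the two policies in this thread concrete, here is a small model of Tor's exit-policy matching. It is an added example, not code from Tor or from anyone on the list. It assumes (as labelled in the code) IPv4 only, that rules are tried top-down with the first match deciding, that ExitPolicyRejectPrivate 1 prepends rejects for the private ranges and the relay's own public address, and that a destination matched by no rule is rejected; real Tor would instead fall through to its built-in default policy, which does not matter here because every policy below ends in reject *:*. The address 97.107.139.108 is Tom's from the thread; 203.0.113.5 is an arbitrary third-party address chosen for the example.

```python
"""Model of Tor exit-policy matching, used to compare the exit enclave
policies discussed on the list.  Added example, not Tor's own code.
Assumptions: IPv4 only; first matching rule wins; ExitPolicyRejectPrivate 1
(Tor's default) prepends rejects for private ranges plus the relay's own
public address; no match means reject here (Tor would append its default
policy, which is moot once a policy ends in 'reject *:*')."""
import ipaddress

# Ranges assumed to be covered by ExitPolicyRejectPrivate (assumption).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(rule):
    """'accept 1.2.3.4:443' -> ('accept', network, lo_port, hi_port).
    ADDR may be '*', a host or CIDR; PORT may be absent, '*', N or N-M."""
    action, target = rule.strip().split(None, 1)
    action = action.lower()
    if action not in ("accept", "reject"):
        raise ValueError("bad action in rule: %r" % rule)
    addr, _, port = target.partition(":")
    net = ANY_NET if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port in ("", "*"):
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return action, net, lo, hi


def build_policy(torrc_lines, own_ip):
    """Collect ExitPolicy rules from torrc lines, honouring
    ExitPolicyRejectPrivate (default 1) by prepending the private rejects."""
    reject_private = True
    rules = []
    for line in torrc_lines:
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "ExitPolicyRejectPrivate":
            reject_private = value.strip() == "1"
        elif key == "ExitPolicy":
            rules.extend(parse_rule(r) for r in value.split(","))
    if reject_private:
        prefix = [("reject", n, 1, 65535) for n in PRIVATE_NETS]
        prefix.append(("reject", ipaddress.ip_network(own_ip), 1, 65535))
        rules = prefix + rules
    return rules


def exit_allowed(rules, dest_ip, port):
    """First matching rule decides; no match means reject in this model."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in rules:
        if ip in net and lo <= port <= hi:
            return action == "accept"
    return False


OWN_IP = "97.107.139.108"  # Tom's relay address from the thread

# Tom's policy: enclave to the whole host, no other exits.
WHOLE_HOST = [
    "ExitPolicyRejectPrivate 0",
    "ExitPolicy accept %s" % OWN_IP,
    "ExitPolicy reject *:*",
]
# Konstantinos' suggestion applied to an SSL-only site: port 443 only.
PORT_443_ONLY = [
    "ExitPolicyRejectPrivate 0",
    "ExitPolicy accept %s:443" % OWN_IP,
    "ExitPolicy reject *:*",
]
# Same rules, but ExitPolicyRejectPrivate left at its default of 1.
FORGOT_REJECT_PRIVATE = [
    "ExitPolicy accept %s:443" % OWN_IP,
    "ExitPolicy reject *:*",
]


def compare(dest_ip, port):
    """Which of the three policies would let an exit to dest_ip:port through."""
    return {
        name: exit_allowed(build_policy(cfg, OWN_IP), dest_ip, port)
        for name, cfg in (("whole_host", WHOLE_HOST),
                          ("port_443_only", PORT_443_ONLY),
                          ("forgot_reject_private", FORGOT_REJECT_PRIVATE))
    }


if __name__ == "__main__":
    for dest, port in ((OWN_IP, 443), (OWN_IP, 22), (OWN_IP, 445),
                       ("192.168.1.10", 445), ("203.0.113.5", 443)):
        print(dest, port, compare(dest, port))
```

Running it shows the point of the thread: with `accept 97.107.139.108` Tor will build exits to port 22 or 445 on the enclave host just as readily as to 443, while `accept 97.107.139.108:443` limits exits to the one port the site serves. It also shows why Tom's snippet sets ExitPolicyRejectPrivate to 0: left at the default, the relay's own public address is rejected before the accept rule is ever reached, and the enclave never works. The exit policy only decides which destination and port Tor will connect to; whether the host firewall then treats a connection originating from the local Tor process as local traffic, the concern Tom raises, is a separate question the thread leaves open.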

