[tor-relays] BadExit

gerard at bulger.co.uk gerard at bulger.co.uk
Fri Mar 27 13:17:37 UTC 2020


Thanks. Funny that my long-time restricted IPv4 port 80 exit was noticed just now, giving the bad exit tag. I suspect the hour one of my servers was quarantined by my ISP may have precipitated the system to look hard.

As for my single /8 for port 80, for reasons not clear to me, having many ports open including 443 open to all, IPv6 open on port 80 to all, while restricting IPv4 to a single /8 stops all abuse complaints. I have been free of abuse complaints and copyright claims for two years now. I tried to offer more IPv4 /8 ranges but abuse notices soon popped up, as if traffic is being en-route by some agencies. The free-text nature of port 80 meant contents read too easily, and IPv6 still not used enough... yet.
  
Gerry

-----Original Message-----
From: tor-relays <tor-relays-bounces at lists.torproject.org> On Behalf Of Georg Koppen
Sent: 27 March 2020 12:40
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] BadExit

teor:
> Hi,
> 
>> On 27 Mar 2020, at 02:00, niftybunny <abuse-contact at to-surf-and-protect.net> wrote:
>>
>> My bad. Never seen this before. Is there a good reason for the accept 133.0.0.0/8:80?
>>
>>> On 26. Mar 2020, at 15:06, gerard at bulger.co.uk wrote:
>>>
>>> "btw, you need to have at least port 80 and 443 … port 80 is missing …"
>>>
>>> It's there. But to a /8 area IPv4, all IPv6
>>>
>>> I have not changed my exit policy for years. Port 80 is there, just limited to a /8 network and all IPv6 addresses port 80 allowed.
>>> 443 all there IPv4 and IPv6
>>>
>>> Testing seems to be exiting OK, but badexit tag still there.
> 
> The Exit flag only requires one IPv4 /8:
> https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2628
> 
> But if the network health team is testing a different IPv4 /8, then 
> your relay might appear down.

Yep, I think that's what happened. I'll get the badexit flag removed from both of your relays and think about ways for improving our tests.
Sorry for the inconvenience.

(FWIW: I sent an email to the address you put into your ContactInfo. I heard that mails for Tor Project addresses repeatedly land in spam folders. Maybe that happened this time, too.)

> (If the DNS for the site they are testing has both IPv4 and IPv6, then 
> the outcome will depend on their tor version and config. 0.4.3 and 
> later will prefer IPv6 by default.)

Not sure what Arthur is running but I am just using what Debian ships on the box I run the tests, which is currently 0.3.5.8. I guess it might be worth thinking about switching away from that. Maybe tracking and using the version Tor Browser ships is smarter?

Georg
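
The policy situation discussed in this thread, as an added example that is not part of the original messages: a first-match evaluator for IPv4 exit policy lines, showing that a policy can open a whole /8 on port 80 and still refuse a probe aimed at a different /8. Only `accept 133.0.0.0/8:80` is from the thread; the other policy lines, the function names and the probe addresses are assumptions, and this is a simplified sketch, not Tor's own code.

```python
import ipaddress

# Constructed policy: only "accept 133.0.0.0/8:80" appears in the thread;
# the port 443 and catch-all lines are assumptions for illustration.
POLICY = ["accept 133.0.0.0/8:80", "accept *:443", "reject *:*"]

def parse_rule(line):
    """Split 'accept ADDR:PORT' into (action, network-or-None, port-or-None)."""
    action, pattern = line.split()
    addr, port = pattern.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr)
    return action, net, (None if port == "*" else int(port))

def exit_allowed(policy, dest_ip, dest_port):
    """First matching rule wins; no match is treated as reject here."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, port in map(parse_rule, policy):
        if (net is None or ip in net) and port in (None, dest_port):
            return action == "accept"
    return False

def fully_accepted_slash8s(policy, port):
    """First octets of IPv4 /8 blocks accepted in full on `port`.
    Conservative: a rule that covers only part of a /8 disqualifies it."""
    rules = [parse_rule(line) for line in policy]
    accepted = []
    for octet in range(256):
        block = ipaddress.ip_network(f"{octet}.0.0.0/8")
        for action, net, rule_port in rules:
            if rule_port not in (None, port):
                continue
            if net is None or block.subnet_of(net):
                if action == "accept":
                    accepted.append(octet)
                break
            if block.overlaps(net):
                break  # partial coverage: do not count this /8
    return accepted

if __name__ == "__main__":
    print(fully_accepted_slash8s(POLICY, 80))        # /8 blocks open on port 80
    print(exit_allowed(POLICY, "133.0.0.1", 80))     # probe inside that /8
    print(exit_allowed(POLICY, "203.0.113.10", 80))  # probe in another /8
```

A scanner that picks its port 80 test destination without consulting the relay's published policy gets the second kind of result and can conclude the exit is broken.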



