[tor-relays] BadExit
gerard at bulger.co.uk
Fri Mar 27 13:17:37 UTC 2020
Thanks. Funny that my long time restricted IPv4 port 80 exit was noticed just now giving the bad exit tag. I suspect the hour one of my servers was quarantined by my ISP may have precipitated the system to look hard.
As for my single /8 for port 80, for reasons not clear to me, having many ports open including 443 open to all, IPv6 open on port 80 to all, while restricting IPv4 to a single /8 stops all abuse complaints. I have been free of abuse complaints and copyright claims for two years now. I tried to offer more IPv4 /8 ranges but abuse notices soon popped up, as if traffic is being en-route by some agencies. The free-text nature of port 80 meant contents read too easily, and IPv6 still not used enough... yet.
Gerry
-----Original Message-----
From: tor-relays <tor-relays-bounces at lists.torproject.org> On Behalf Of Georg Koppen
Sent: 27 March 2020 12:40
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] BadExit
teor:
> Hi,
>
>> On 27 Mar 2020, at 02:00, niftybunny <abuse-contact at to-surf-and-protect.net> wrote:
>>
>> My bad. Never seen this before. Is there a good reason for the accept 133.0.0.0/8:80 ?
>>
>>> On 26. Mar 2020, at 15:06, gerard at bulger.co.uk wrote:
>>>
>>> "btw, you need to have at least port 80 and 443 … port 80 is missing …"
>>>
>>> It's there. But to a /8 area IPv4, all IPv6
>>>
>>> I have not changed my exit policy for years. Port 80 is there, just limited to a /8 network and all IPv6 addresses port 80 allowed.
>>> 443 all there IPv4 and IPv6
>>>
>>> Testing seems to be exiting OK, but badexit tag still there.
>
> The Exit flag only requests one IPv4 /8 :
> https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2628
>
> But if the network health team is testing a different IPv4 /8, then
> your relay might appear down.
Yep, I think that's what happened. I'll get the badexit flag removed from both of your relays and think about ways for improving our tests.
Sorry for the inconvenience.
(FWIW: I sent an email to the address you put into your ContactInfo. I heard that mails for Tor Project addresses repeatedly land in spam folders. Maybe that happened this time, too.)
> (If the DNS for the site they are testing has both IPv4 and IPv6, then
> the outcome will depend on their tor version and config. 0.4.3 and
> later will prefer IPv6 by default.)
Not sure what Arthur is running but I am just using what Debian ships on the box I run the tests, which is currently 0.3.5.8. I guess it might be worth thinking about switching away from that. Maybe tracking and using the version Tor Browser ships is smarter?
Georg
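
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Tor's own code: a simplified IPv4-only policy evaluator showing how a relay can meet the "one /8 on ports 80 and 443" criterion while still refusing a port-80 test destination outside that /8. The policy text, function names and the 192.0.2.10 test address are constructed for illustration.

```python
import ipaddress

# Constructed IPv4 policy modelled on the thread: port 80 limited to one /8,
# port 443 open to all. Not copied from any real relay descriptor.
SAMPLE_POLICY = """\
accept 133.0.0.0/8:80
accept *:443
reject *:*
"""

def parse_policy(text):
    """Parse 'accept|reject ADDR[/BITS]:PORT[-PORT]' lines (IPv4 only)."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, pattern = line.split()
        addr, _, ports = pattern.rpartition(":")
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr)
        lo, _, hi = ("1-65535" if ports == "*" else ports).partition("-")
        rules.append((action == "accept", net, int(lo), int(hi or lo)))
    return rules

def allows(rules, ip, port):
    """First matching rule wins; this sketch treats 'no match' as reject."""
    ip = ipaddress.ip_address(ip)
    for accept, net, lo, hi in rules:
        if ip in net and lo <= port <= hi:
            return accept
    return False

def whole_slash8s(rules, port):
    """First octets of every /8 that is accepted in full on `port`."""
    found = []
    for octet in range(256):
        net8 = ipaddress.ip_network(f"{octet}.0.0.0/8")
        for accept, net, lo, hi in rules:
            if lo <= port <= hi and net.overlaps(net8):
                # Conservative: the first overlapping rule must accept the
                # whole /8; a partial overlap counts as "not allowed".
                if accept and net8.subnet_of(net):
                    found.append(octet)
                break
    return found

def exit_flag_eligible(rules):
    """Thread's criterion: at least one IPv4 /8 on both port 80 and 443."""
    return bool(whole_slash8s(rules, 80)) and bool(whole_slash8s(rules, 443))
```

With the sample policy, `exit_flag_eligible` is true, yet `allows(rules, "192.0.2.10", 80)` is false, which is how a scanner probing port 80 outside the permitted /8 can see the relay as failing.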