Hello Tom and Konstantinos,
On Mar 30, 2012 14:18:35, "Jef Heri" <jefheri1 at yahoo.com> wrote:
Hello list,
[snip]
Is it correct that an exit enclave will act as a 'normal' exit node, as well as the exit enclave for its IP address (https://trac.torproject.org/projects/tor/ticket/800)? If so, is it possible to block exits to any IP other than the node's own IP via the torrc file? If not, maybe I could only allow exits to white-listed IPs, such as the Tor Project web site IP, the EFF IP, etc.?
[snip]
Thanks!
On Mar 30, 2012 14:43:09, "Tom Ritter" <tom at ritter.vg> wrote:
It's my understanding that if you put the following Exit Policy in your torrc:
ExitPolicyRejectPrivate 0
ExitPolicy accept 97.107.139.108
ExitPolicy reject *:*
Where 97.107.139.108 is your IP address (that one's mine), you will Exit Enclave to your site, not allow any other exit traffic, you will be a normal tor relay (meaning you should check your bandwidth limits/accounting), and you will become the preferred path for Tor traffic to your site. [snip]
On 30 March 2012 14:50:49, Konstantinos Asimakis <inshame at gmail.com> wrote:
Wouldn't it be safer to accept connections only on port 80? Else he would be exposing the whole machine.
On 30 March 2012 14:43:09, "Tom Ritter" <tom at ritter.vg> wrote:
Hm. I don't know. If you have a local firewall that blocks access to, say, samba from external addresses, but allows it locally - would tor allow you to access the port, because it appears that the connection is coming from locally?
If you're already exposing port 22 on the internet, I would argue allowing it through tor exit enclaving isn't increasing your risk any. But if tor lets you bypass the firewall - then there's a concern.
-tom
On Mar 30, 2012 15:02:04, Konstantinos Asimakis <inshame at gmail.com> wrote:
I bet it will bypass the firewall but until someone else answers play it safe and allow only the ports you need. ;-)
Thank you both for the interesting back and forth. I think I tend to side with Konstantinos, and since my site will only offer SSL (not http), I guess I should set up to only accept connections on port 443, correct?
Thank you both.
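To make the port question in the thread concrete, here is an added example (my own code, not Tor's and not posted by anyone above) that evaluates torrc ExitPolicy lines the way Tor applies them, first matching rule wins, and reports which ports each of the policies discussed would expose at the relay's own address. It models ExitPolicyRejectPrivate as prepending reject rules for the private ranges and the relay's own advertised address, which is why Tom's policy sets it to 0. IPv6, the *4/*6 address forms and the default-policy suffix Tor appends are left out as simplifications; the other-host address 198.51.100.7 and the candidate port list are constructed for the example.

```python
import ipaddress

# Private ranges Tor rejects when ExitPolicyRejectPrivate is 1 (its default);
# Tor also rejects the relay's own advertised address in that case. IPv4 only here.
PRIVATE_NETS = [
    '0.0.0.0/8', '169.254.0.0/16', '127.0.0.0/8',
    '192.168.0.0/16', '10.0.0.0/8', '172.16.0.0/12',
]


def _parse_target(target):
    """Split ADDR[/MASK][:PORT] into (network, lo_port, hi_port).
    An omitted port or '*' means every port, as in the torrc manual."""
    if ':' in target:
        addr, port = target.rsplit(':', 1)
    else:
        addr, port = target, '*'
    if addr == '*':
        net = ipaddress.ip_network('0.0.0.0/0')
    else:
        net = ipaddress.ip_network(addr, strict=False)
    if port == '*':
        return net, 1, 65535
    if '-' in port:
        lo, hi = port.split('-', 1)
        return net, int(lo), int(hi)
    return net, int(port), int(port)


def compile_policy(lines, own_ip):
    """Turn torrc lines into an ordered list of (action, network, lo, hi).
    If ExitPolicyRejectPrivate ends up 1, the private-range rejects and a
    reject for the relay's own address are prepended, as Tor does."""
    reject_private = True  # Tor's default when the option is absent
    rules = []
    for raw in lines:
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(' ')
        if key == 'ExitPolicyRejectPrivate':
            reject_private = value.strip() == '1'
            continue
        if key != 'ExitPolicy':
            raise ValueError(f'unsupported torrc line: {raw!r}')
        for entry in value.split(','):
            action, target = entry.split()
            if action not in ('accept', 'reject'):
                raise ValueError(f'bad exit policy action: {action}')
            rules.append((action,) + _parse_target(target))
    if reject_private:
        prefix = [('reject',) + _parse_target(n) for n in PRIVATE_NETS]
        prefix.append(('reject',) + _parse_target(own_ip))
        rules = prefix + rules
    return rules


def exit_allowed(policy_lines, own_ip, dest_ip, port):
    """First matching rule decides. Unmatched traffic is rejected here; every
    policy in the thread ends with 'reject *:*', so that fallback never fires."""
    dest = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in compile_policy(policy_lines, own_ip):
        if dest in net and lo <= port <= hi:
            return action == 'accept'
    return False


def exposed_ports(policy_lines, own_ip, dest_ip, candidates=(22, 80, 443, 445)):
    """Which of the candidate ports Tor clients could reach at dest_ip via this exit."""
    return [p for p in candidates if exit_allowed(policy_lines, own_ip, dest_ip, p)]


OWN_IP = '97.107.139.108'  # the relay address Tom used in the thread

# Tom's policy as posted: an omitted port means '*', so every service on the host.
THREAD_POLICY = [
    'ExitPolicyRejectPrivate 0',
    f'ExitPolicy accept {OWN_IP}',
    'ExitPolicy reject *:*',
]

# Konstantinos's suggestion applied to an HTTPS-only site: one port, nothing else.
HTTPS_ONLY_POLICY = [
    'ExitPolicyRejectPrivate 0',
    f'ExitPolicy accept {OWN_IP}:443',
    'ExitPolicy reject *:*',
]

# Same accept line with ExitPolicyRejectPrivate left at its default of 1:
# the relay's own address is rejected before the accept is ever consulted.
DEFAULT_REJECT_PRIVATE_POLICY = [
    f'ExitPolicy accept {OWN_IP}:443',
    'ExitPolicy reject *:*',
]

if __name__ == '__main__':
    for name, pol in [('thread', THREAD_POLICY), ('https-only', HTTPS_ONLY_POLICY),
                      ('default RejectPrivate', DEFAULT_REJECT_PRIVATE_POLICY)]:
        print(f'{name:22s} own host exposes {exposed_ports(pol, OWN_IP, OWN_IP)}')
    # Constructed third-party address: no policy above lets traffic exit to it.
    print('thread policy, other host:', exposed_ports(THREAD_POLICY, OWN_IP, '198.51.100.7'))
```

The model makes the thread's two points visible side by side: `accept 97.107.139.108` with no port exposes 22 and 445 as readily as 443, while `accept 97.107.139.108:443` exposes only the web port, and leaving ExitPolicyRejectPrivate at its default blocks the enclave entirely. It says nothing about whether a host firewall treats the exit's connections as local, which is the question the thread leaves open.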