On Sun, Jul 15, 2018 at 05:53:13PM +0100, Iain Learmonth wrote:
> Exit policies are the way to configure this. Please do not try to filter specific uses of a protocol using DPI. Application-level filtering/firewalls is a good way to get the BadExit flag.
I know this wasn't the original question, but I think it will be useful to add:
In addition, though the line isn't black-and-white, declining to handle traffic based on destination IP address or port is more on the "address" side of things, whereas DPI by payload is more on the "content" side of things. And the closer you are to making decisions based on content, the closer you are to wiretapping, and also the closer you are to taking responsibility for the content that you do "decide" to let through. So it is a bad move from a legal perspective to go that route.
As for the ethics question, I think everybody who is offering exit capacity of any sort is doing a good deed for the world, and people contribute according to what their circumstances allow, and to me that's very reasonable.
--Roger