Hi
I would like to operate an IPv6 only exit node. I.e. it's fine if tor relays through IPv4, but I want exiting traffic only through IPv6 (because I don't want my (only) IPv4 to be blocked, abused and such).
The way I thought this would work is with the ExitPolicy set as below. But atlas says my IPv6 Exit Policy Summary would be "ExitPolicy reject *:*".
Now I'm wondering if my ExitPolicy is wrongly defined or if that's a bug of some kind.
I'm running Tor v0.2.7.5 (git-6184c873e90d93b2) on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
# No IPv4 exit, no exit to my own subnet, no exit to private network, no exit to link local
ExitPolicy reject6 [2A02:168:4A06::]/42:*  # Block my subnet
ExitPolicy reject6 [FC00::]/7:*            # Block private IPv6
ExitPolicy reject6 [FE80::]/10:*           # Block link-local IPv6
ExitPolicy reject6 [2002::]/16:*           # Block 6to4 addresses
ExitPolicy reject6 *:25                    # SMTP
ExitPolicy reject6 *:119                   # NNTP
ExitPolicy reject6 *:135-139               # NetBIOS
ExitPolicy reject6 *:445                   # Microsoft AD
ExitPolicy reject6 *:563                   # NNTP over TLS
ExitPolicy reject6 *:1214                  # Kazaa
ExitPolicy reject6 *:4661-4666             # ?
ExitPolicy reject6 *:6346-6429             # Gnutella
ExitPolicy reject6 *:6699                  # WinMX
ExitPolicy reject6 *:6881-6999             # BitTorrent
ExitPolicy accept6 *:*                     # All else
ExitPolicy reject private:*                # Block private IPv4
ExitPolicy reject *:*                      # Block all IPv4

## If set, and we are an exit node, allow client to use us for IPv6 traffic
IPv6Exit 1
On 2015-12-15 at 18:23, Hans Wurscht wrote:
See https://lists.torproject.org/pipermail/tor-relays/2015-August/007612.html
On 16 Dec 2015, at 04:23, Hans Wurscht tor@x2a.ch wrote:
Hi
I would like to operate an IPv6 only exit node. I.e. it's fine if tor relays through IPv4, but I want exiting traffic only through IPv6 (because I don't want my (only) IPv4 to be blocked, abused and such).
You won't get the Exit flag unless you exit to at least one IPv4 /8, on at least:
* port 80 & 443, or
* port 80 & 6667, or
* port 443 & 6667.
It's a documented issue that a relay can still get the Exit flag by exiting to an unused IPv4 /8 that's not in Tor's list of private addresses.
The way I thought this would work is with the ExitPolicy set as below. But atlas says my IPv6 Exit Policy Summary would be "ExitPolicy reject *:*".
I don't know if Atlas does this because your relay doesn't have the Exit flag, or because your relay's policy rejects everything, or because your relay's policy doesn't allow IPv4.
Now I'm wondering if my ExitPolicy is wrongly defined or if that's a bug of some kind.
What is the exit policy in your relay's descriptor?
I'm running Tor v0.2.7.5 (git-6184c873e90d93b2) on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
These rules look like they should work as you describe. (Tor 0.2.7 was fixed to make accept6/reject6 only produce IPv6 rules.) Let me do some testing to see if you've uncovered a bug.
# No IPv4 exit, no exit to my own subnet, no exit to private network, no exit to link local
This is wise. Tor will block your own IPv6 address, but it doesn't know about your subnet:
ExitPolicy reject6 [2A02:168:4A06::]/42:* # Block my subnet
Tor blocks private addresses by default, so these lines are redundant, but harmless:
ExitPolicy reject6 [FC00::]/7:*   # Block private IPv6
ExitPolicy reject6 [FE80::]/10:*  # Block link-local IPv6
Tor doesn't block 6to4 addresses by default, so this is useful:
ExitPolicy reject6 [2002::]/16:* # Block 6to4 addresses
...
This should make sure most IPv6 ports are accepted, because it comes before the reject rules. You could try: "ExitPolicy accept6 *6:*", but it should have exactly the same outcome.
ExitPolicy accept6 *:* # All else
This actually blocks private IPv4 and IPv6, and it's redundant because Tor blocks private addresses by default:
ExitPolicy reject private:* # Block private IPv4
This actually blocks IPv4 and IPv6:
ExitPolicy reject *:* # Block all IPv4
## If set, and we are an exit node, allow client to use us for IPv6 traffic
IPv6Exit 1
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
On 12/15/2015 07:25 PM, Tim Wilson-Brown - teor wrote:
This is wise. Tor will block your own IPv6 address, but it doesn't know about your subnet:
ExitPolicy reject6 [2A02:168:4A06::]/42:* # Block my subnet
Just to clarify for me: the ":*" isn't needed here, is it?
-- Toralf, pgp: C4EACDDE 0076E94E
On 21 Dec 2015, at 03:36, Toralf Förster toralf.foerster@gmx.de wrote:
On 12/15/2015 07:25 PM, Tim Wilson-Brown - teor wrote:
This is wise. Tor will block your own IPv6 address, but it doesn't know about your subnet:
ExitPolicy reject6 [2A02:168:4A06::]/42:* # Block my subnet
Just to clarify for me: the ":*" isn't needed here, is it?
It isn't needed; Tor assumes that any address without a port rejects or accepts all ports on that address.
Tim
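The points teor makes above about how Tor evaluates an exit policy (first match wins, accept6/reject6 being IPv6-only while accept/reject cover both families, `reject private` catching IPv6 as well as IPv4, and no Exit flag without IPv4 exits on two of ports 80/443/6667), together with his answer to Toralf that an omitted port means every port, can be checked offline with a small evaluator. The following is an added example written for this page, not code from Tor or from anyone in the thread. It deliberately simplifies: the `private` list approximates the ranges in the tor man page and omits the relay's own addresses that Tor adds, Tor's default ExitPolicyRejectPrivate is not applied implicitly, and the Exit-flag check probes one host per IPv4 /8 instead of the whole block. POSTER_POLICY is the torrc from the original post condensed with Tor's comma syntax; DEMO_POLICY is constructed for the example.

```python
"""Toy evaluator for Tor ExitPolicy lines (an added example, not Tor's code).
Simplified first-match-wins semantics as described in the thread: accept/reject
match both address families, accept6/reject6 only IPv6; '*', '*4', '*6' are
wildcards and 'private' is the man page's private-range list; a pattern with
no ':port' means every port; unmatched traffic hits the implicit 'reject *:*'.
Tor's default ExitPolicyRejectPrivate (an implied leading 'reject private:*')
is not modelled here: write the line out to see its effect."""
import ipaddress
from collections import namedtuple

# What 'private' expands to (approximates Tor's list; Tor also adds the relay's
# own addresses, which this toy omits).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::/8", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8")]
EXIT_FLAG_PORTS = (80, 443, 6667)   # teor: two of these, to some IPv4 /8

# family: 4, 6 or None (both); net: ip_network, or None for '*'/'*4'/'*6'/'private'
Rule = namedtuple("Rule", "accept family net private ports")

def _split_pattern(pattern):
    """'[2A02::]/42:*' -> ('2A02::', '42', '*'); '*:25' -> ('*', None, '25')."""
    if pattern.startswith("["):                    # bracketed IPv6 literal
        end = pattern.index("]")
        host, rest = pattern[1:end], pattern[end + 1:]
        mask, port = rest.split(":", 1) if ":" in rest else (rest, None)
        return host, mask.lstrip("/") or None, port
    host_mask, port = pattern.rsplit(":", 1) if ":" in pattern else (pattern, None)
    host, _, mask = host_mask.partition("/")
    return host, mask or None, port

def parse_rule(entry):
    """One entry, with or without the leading 'ExitPolicy'; None if blank."""
    tokens = entry.split("#", 1)[0].replace("ExitPolicy", "").split()
    if not tokens:
        return None
    verb, pattern = tokens
    if verb not in ("accept", "reject", "accept6", "reject6"):
        raise ValueError(f"unknown policy verb {verb!r}")
    family = 6 if verb.endswith("6") else None
    host, mask, port_spec = _split_pattern(pattern)
    net = None
    if host in ("*4", "*6"):
        family = int(host[1])
    elif host not in ("*", "private"):
        net = ipaddress.ip_network(f"{host}/{mask}" if mask else host, strict=False)
    if port_spec in (None, "*"):                   # omitted or '*': every port
        ports = (1, 65535)
    else:
        lo, _, hi = port_spec.partition("-")
        ports = (int(lo), int(hi or lo))
    return Rule(verb.startswith("accept"), family, net, host == "private", ports)

def parse_policy(text):
    """torrc text; Tor also allows 'reject *:25, reject *:119' on one line."""
    return [r for line in text.splitlines()
            for r in map(parse_rule, line.split("#", 1)[0].split(",")) if r]

def _matches(rule, addr, port):
    if rule.family is not None and addr.version != rule.family:
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.private:
        return any(addr in n for n in PRIVATE_NETS)   # 'in' is False across families
    return rule.net is None or addr in rule.net

def exit_allowed(rules, address, port):
    """True if the first matching rule accepts; False if none matches."""
    addr = ipaddress.ip_address(address)
    for rule in rules:
        if _matches(rule, addr, port):
            return rule.accept
    return False                                   # implicit trailing 'reject *:*'

def exit_flag_ports_ok(rules):
    """Approximates teor's Exit-flag condition (two of 80/443/6667 to some
    IPv4 /8) by probing one host in each /8 rather than the whole block."""
    return any(sum(exit_allowed(rules, f"{o}.1.2.3", p) for p in EXIT_FLAG_PORTS) >= 2
               for o in range(256))

# The poster's torrc, condensed onto fewer lines with Tor's comma syntax.
POSTER_POLICY = parse_policy("""
ExitPolicy reject6 [2A02:168:4A06::]/42:*, reject6 [FC00::]/7:*
ExitPolicy reject6 [FE80::]/10:*, reject6 [2002::]/16:*
ExitPolicy reject6 *:25, reject6 *:119, reject6 *:135-139, reject6 *:445, reject6 *:563
ExitPolicy reject6 *:1214, reject6 *:4661-4666, reject6 *:6346-6429, reject6 *:6699
ExitPolicy reject6 *:6881-6999, accept6 *:*, reject private:*, reject *:*
""")

# Constructed policy for two points from the thread: 'reject private' with no
# '6' suffix covers IPv6 too, and a pattern with no ':port' means every port.
DEMO_POLICY = parse_policy("""
ExitPolicy reject private:*, reject6 [2A02:168:4A06::]/42, accept *:*
""")
```

With the poster's policy, `exit_allowed(POSTER_POLICY, "2001:db8::1", 443)` is True, the same call with any IPv4 address is False, and `exit_flag_ports_ok(POSTER_POLICY)` is False, which is teor's prediction that the relay would not be given the Exit flag. In DEMO_POLICY the bare `reject private:*` rejects `fc00::1` and `10.1.2.3` alike, and the port-less `reject6 [2A02:168:4A06::]/42` parses to the same Rule as the `:*` form.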