Is it possible to have a pool of ip addresses as the outbound ip addresses instead of just one?
Hi,
On 04/05/2019 22:17, amytain wrote:
Is it possible to have a pool of ip addresses as the outbound ip addresses instead of just one?
Not as I understand it from reading the torrc manual page, although you might be able to implement something like this through NAT rules on your firewall.
You can advertise multiple OR ports for incoming connections (I think) but if you advertise too many your server descriptor will become too large (it contains all your OR port addresses) and will not be accepted. Every time your addresses change in server descriptors it resets a bunch of timers, and the directory authorities see you as less "stable", so it's best to not make regular changes there.
Thanks, Iain.
So I could possibly use a firewall/ip-asa rule to go through the IPs and just specify one in the torrc then.
Hi,
On 04/05/2019 23:32, amytain wrote:
So I could possibly use a firewall/ip-asa rule to go through the IPs and just specify one in the torrc then.
Exactly. I'm not sure about ASA specifically, but I know Cisco IOS supports "pools" for NATs.
One issue that might happen here though is if this is distributing per connection then users might find they get logged out of services with different IP addresses showing up at the server.
It is not uncommon that a login session is tied to an IP address, so not having a fixed exit IP address is probably a bad idea now that I think more about it (or at least not without tor handling how exit IPs are used).
Thanks, Iain.
It is not uncommon that a login session is tied to an IP address, so not having a fixed exit IP address is probably a bad idea now that I think more about it (or at least not without tor handling how exit IPs are used).
Yes, randomly changing source IPs without stream awareness is a bad idea. Tor Browser avoids changing source IP for a given destination for this very reason.
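As an added illustration, not code from anyone in this thread, the Python below simulates the two ways a NAT pool could pick an outbound address: per connection, which the thread warns will show a server different source IPs for one login session, versus per destination, the property the thread attributes to Tor Browser. The pool and destination addresses are constructed TEST-NET placeholders, not real relay addresses.

```python
import hashlib
import random
from ipaddress import ip_address

# Constructed pool of outbound (SNAT) addresses; TEST-NET-1 placeholders.
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]


def pick_per_connection(pool, rng=random):
    """Stream-unaware choice: each new connection may leave from any pool address,
    so a server tying its login session to an IP sees the session 'move'."""
    return rng.choice(pool)


def pick_per_destination(pool, dest_ip):
    """Stream-aware choice: hash the destination address to select the outbound
    address, so every connection to one server leaves from the same source IP."""
    digest = hashlib.sha256(ip_address(dest_ip).packed).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def distinct_sources_seen(pool, dest_ip, n_conns, per_destination, rng=None):
    """Count how many different source IPs a server at dest_ip would observe
    across n_conns connections under the chosen selection policy."""
    rng = rng or random.Random(0)  # fixed seed so the simulation is repeatable
    seen = set()
    for _ in range(n_conns):
        if per_destination:
            seen.add(pick_per_destination(pool, dest_ip))
        else:
            seen.add(pick_per_connection(pool, rng))
    return len(seen)


if __name__ == "__main__":
    dest = "198.51.100.7"  # constructed destination (TEST-NET-2)
    print("per-connection :", distinct_sources_seen(POOL, dest, 50, False), "source IPs seen")
    print("per-destination:", distinct_sources_seen(POOL, dest, 50, True), "source IP seen")
```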
On Sat, 04 May 2019 23:41:19 +0000, Iain Learmonth wrote: ...
It is not uncommon that a login session is tied to an IP address,
That is already broken, at least for mobile devices - switching between WiFi and mobile data, and T-Mobile Germany also has the habit of changing IPv6 addresses when moving bigger distances.
- Andreas
amytain:
Is it possible to have a pool of ip addresses as the outbound ip addresses instead of just one?
It is currently not possible, but it would be worthwhile to have that feature in tor. I wrote about this last year on the tor-dev mailing list and I'd like to write a proposal for it eventually.
This will not be in tor anytime soon though.