Hi list,
I was looking for suggestions/discussion on very conservative policies for an exit relay. I run a relay now that is "reject *:*" and I wanted to open up a few exit ports. I don't want to open up major ports due to potential abuse issues. My server host states that, although they do allow Tor, there is a chance of the relay being terminated at their will [1].
I was considering using a whitelist exit policy and opening up only the following ports to be "safe":
43 - WHOIS protocol
53 - DNS
389 - LDAP
464,543,544,749 - Kerberos
531 - AOL IM
636 - LDAP over SSL
706 - SLIC
873 - rsync
5190 - ICQ and AOL Instant Messenger
5222,5223,5269,5280,5281,5298 - XMPP
5353 - Multicast DNS
5999 - CVSup
8332,8333 - Bitcoin
9091 - Transmission (BitTorrent client) Web Interface
11371 - OpenPGP key server
64738 - Mumble/Murmur
I constructed the list based on a quick skimming of the WP ports list [2]. I suspect allowing IRC would eventually be grounds for my host to terminate my relay.
This would be my first time running an exit relay and I'd be happy to hear advice and suggestions!
Thanks, Steve
[1] https://trac.torproject.org/projects/tor/wiki/doc/ISPCorrespondence#OVH
[2] https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
This is a good place to start:
https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
On Tuesday, February 10, 2015 5:57pm, "Stephen R Guglielmo" srguglielmo@gmail.com said: [snip]
On 02/11/2015 12:06 AM, Steve Snyder wrote:
This is a good place to start:
https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
+1
But even with the reduced policy I was spammed w/ DMCA emails 12 hours after I installed and configured my Tor relay as an exit.
My strategy was then to just open a few ports *below* 1024 and wait 1-3 weeks to give companies enough time to update their black list with the IP address of my relay. After that I opened port after port over the next weeks - works fine and flawlessly now, just one mail per month from my provider related to port scan attacks "originated" from my server (and one time my ISP "helped" me to solve the problem by cutting the network):
https://globe.torproject.org/#/relay/F1BE15429B3CE696D6807F4D4A58B1BFEC45C82...
On Tue, Feb 10, 2015 at 4:57 PM, Stephen R Guglielmo srguglielmo@gmail.com wrote:
This would be my first time running an exit relay and I'd be happy to hear advice and suggestions!
According to the spec, your relay will never gain the exit flag without 2/3 of 80, 443, 6667.
"Exit" -- A router is called an 'Exit' iff it allows exits to at least two of the ports 80, 443, and 6667 and allows exits to at least one /8 address space.
https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt
Hope that helps, Jeremy
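A worked check of the two things discussed above, Stephen's port whitelist and the dir-spec Exit-flag condition Jeremy quotes, added here as an example; it is not code from this thread or from Tor. It parses torrc "ExitPolicy accept|reject ADDR:PORT" lines and applies the rule as quoted: at least two of ports 80, 443 and 6667 must be allowed, and for such a port the policy must reach at least one whole /8. The /8 walk is modelled on my understanding of Tor's policy_is_general_exit_helper() (an assumption, not a copy): entries are scanned in order, first match wins, only entries at /8 or broader count, and an accept wins as soon as it reaches a /8 that no earlier reject has already closed. The sample policy STEVE_POLICY is constructed from the port list in the first post; the function names are mine; the "private" keyword and accept6/reject6 entries are not handled.

```python
"""Check a torrc ExitPolicy against the dir-spec Exit-flag rule (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ports named in the Exit-flag rule quoted in the thread.
EXIT_FLAG_PORTS = (80, 443, 6667)

# Constructed sample: Stephen's whitelist from the first post, as torrc lines.
STEVE_POLICY = """
ExitPolicy accept *:43                                  # WHOIS
ExitPolicy accept *:53                                  # DNS
ExitPolicy accept *:389                                 # LDAP
ExitPolicy accept *:464,accept *:543-544,accept *:749   # Kerberos
ExitPolicy accept *:531                                 # AOL IM
ExitPolicy accept *:636                                 # LDAP over SSL
ExitPolicy accept *:706                                 # SLIC
ExitPolicy accept *:873                                 # rsync
ExitPolicy accept *:5190                                # ICQ / AIM
ExitPolicy accept *:5222-5223,accept *:5269,accept *:5280-5281,accept *:5298  # XMPP
ExitPolicy accept *:5353                                # Multicast DNS
ExitPolicy accept *:5999                                # CVSup
ExitPolicy accept *:8332-8333                           # Bitcoin
ExitPolicy accept *:9091                                # Transmission web UI
ExitPolicy accept *:11371                               # OpenPGP key server
ExitPolicy accept *:64738                               # Mumble/Murmur
ExitPolicy reject *:*
"""


@dataclass(frozen=True)
class Rule:
    accept: bool
    net: int       # IPv4 network as a 32-bit int
    maskbits: int  # 0 means "*" (any address)
    port_lo: int
    port_hi: int

    def covers_port(self, port: int) -> bool:
        return self.port_lo <= port <= self.port_hi


def _parse_ports(spec: str) -> tuple[int, int]:
    if spec == "*":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def _parse_addr(spec: str) -> tuple[int, int]:
    if spec == "*":
        return 0, 0
    ip, _, bits = spec.partition("/")
    maskbits = int(bits) if bits else 32
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets) or not 0 <= maskbits <= 32:
        raise ValueError(f"bad address spec {spec!r}")
    net = 0
    for o in octets:
        net = (net << 8) | o
    return net, maskbits


_ENTRY = re.compile(r"(accept|reject)\s+(\S+):(\S+)$")


def parse_exit_policy(torrc_text: str) -> list[Rule]:
    """Return the IPv4 ExitPolicy entries of a torrc in the order Tor evaluates them."""
    rules: list[Rule] = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # this parser strips trailing comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "ExitPolicy":
            continue  # other torrc options are irrelevant here
        for entry in parts[1].split(","):
            entry = entry.strip()
            if entry.startswith(("accept6", "reject6")):
                continue  # IPv6 entries take no part in the IPv4 /8 test
            m = _ENTRY.match(entry)
            if not m:
                raise ValueError(f"unsupported ExitPolicy entry {entry!r}")
            net, maskbits = _parse_addr(m.group(2))
            lo, hi = _parse_ports(m.group(3))
            rules.append(Rule(m.group(1) == "accept", net, maskbits, lo, hi))
    return rules


def port_reaches_some_slash8(rules: list[Rule], port: int) -> bool:
    """First-match-wins walk: does some whole /8 end up accepted for this port?"""
    closed = [False] * 256  # /8s already decided by an earlier reject
    for r in rules:
        if not r.covers_port(port) or r.maskbits > 8:
            continue  # wrong port, or narrower than a /8: cannot decide a whole /8
        span = 1 << (8 - r.maskbits)         # number of /8s this entry covers
        first = (r.net >> 24) & ~(span - 1)  # first /8 of that span
        for top in range(first, first + span):
            if closed[top]:
                continue
            if r.accept:
                return True
            closed[top] = True
    return False


def exit_flag_ports(rules: list[Rule]) -> tuple[int, ...]:
    return tuple(p for p in EXIT_FLAG_PORTS if port_reaches_some_slash8(rules, p))


def earns_exit_flag(rules: list[Rule]) -> bool:
    return len(exit_flag_ports(rules)) >= 2


if __name__ == "__main__":
    rules = parse_exit_policy(STEVE_POLICY)
    print("whitelist:", exit_flag_ports(rules), "-> Exit flag:", earns_exit_flag(rules))
    opened = parse_exit_policy(STEVE_POLICY.replace(
        "reject *:*", "accept *:80,accept *:443\nExitPolicy reject *:*"))
    print("with 80 and 443:", exit_flag_ports(opened), "-> Exit flag:", earns_exit_flag(opened))
```

Run as a script it reports that the whitelist as posted reaches none of the three ports and so cannot earn the flag, while the same policy with "accept *:80,accept *:443" inserted before the final "reject *:*" does. Note the order sensitivity: a "reject *:80" placed before "accept *:80" closes every /8 first, so the later accept counts for nothing, whereas a single narrow reject such as "reject 10.0.0.0/8:*" leaves the other 255 /8s open and does not cost the port.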
On Tue, 10 Feb 2015 17:21:05 -0600 Jeremy Olexa jolexa@jolexa.net wrote: [snip]
Jeremy,
Ah, I didn't know that. That's disappointing, but I think I'll still look into opening up a few services. I'll go through the wiki/doc/ReducedExitPolicy document.
Thanks!
Hey Stephen,
I'm a relatively new operator, and I run over a half dozen Reduced Exit relays and a few middle relays.
Abuse complaints shouldn't be common coming from IRC - the main culprits for complaints are DMCA and related for alleged IP (Intellectual Property) theft. That would be your torrents and other downloading services. The Reduced Exit Policy disables the ports traditionally used by those services. (But it's rude to download over Tor anyway...)
But remember, a "Very Safe" exit policy is also a very restrictive policy. You may unintentionally inhibit legal activities/dissent/communication/free flow of knowledge.
Also, regarding whether it's a reduced exit or full blown wide open: it is most definitely strongly encouraged, and sensible, to put up a Tor exit notice. IMHO get this set up before you open your ports. Define the intention before you implement the decision. There are template notices available that only need minor modifications.
As well, it's always good to contact your provider and let them know that you're running a Tor relay. I contacted mine, let them know what I was intending to do, how many I was planning on setting up, and I specifically asked for them to contact me immediately over any concern. They were more than kind, and understanding. This sets up a positive environment for when they may in the future get some complaints - they will already know it's not YOU per se, and that no malice was intended. Even if your provider says they permit it, let them know anyway.
The whole matter of whether or not the companies that file the complaints have a legal leg to stand on, depending on country, is well beyond the scope of this email. But it is VERY important to understand your rights and responsibilities regarding retransmission of data, as well as those of your provider. In many cases, country dependent, your provider cannot be held liable for retransmission, nor can you. I would STRONGLY encourage you to read as much about this as possible before running an exit relay of any type.
Again, I'm relatively new so others could slam my comments as ignorant or whatever... There is a ton of information available to you. If you're concerned about running an exit relay, I would suggest getting confident (and damn proud) of running a middle relay first, then when comfortable move toward a Reduced Exit policy.
Kind regards,
Matt Speak Freely
On Tue, 10 Feb 2015 17:21:05 -0600 Jeremy Olexa jolexa@jolexa.net wrote:
According to the spec, your relay will never gain the exit flag without 2/3 of 80, 443, 6667.
"Exit" -- A router is called an 'Exit' iff it allows exits to at least two of the ports 80, 443, and 6667 and allows exits to at least one /8 address space.
I'd love to see 6697 in this set as an alternative to 6667. Irrespective of the fact that you can - and many people do - speak irc over lots of different ports, this is the one most often used for IRC via TLS.
On 11.02.2015 00:21, Jeremy Olexa wrote:
According to the spec, your relay will never gain the exit flag without 2/3 of 80, 443, 6667.
"Exit" -- A router is called an 'Exit' iff it allows exits to at least two of the ports 80, 443, and 6667 and allows exits to at least one /8 address space.
What does this mean in practice - would no traffic be relayed via this node? Or is it just some internal Tor flag which doesn't affect relaying traffic? I've been thinking about opening a few ports on my current relay-only node and none of {80,443,6667} were on that list.
On Tue, Feb 10, 2015 at 6:21 PM, Jeremy Olexa jolexa@jolexa.net wrote:
According to the spec, your relay will never gain the exit flag without 2/3 of 80, 443, 6667.
Sadly, anyone concerned about their ISP flipping out can't afford to have these ports open.
I tried running an exit for a bit and it lasted a few weeks before some brainless wonder hijacked someone's Gmail with my exit, so I had to pull it down and go relay only.
-Chris
On Tuesday, February 17, 2015 11:02am, "Chris Patti" cpatti@gmail.com said: [snip]
I tried running an exit for a bit and it lasted a few weeks before some brainless wonder hijacked someone's Gmail with my exit, so I had to pull it down and go relay only.
Me too. I dearly wish there were a way to block webmail while still leaving access to the parent site. Unfortunately, Google, Yahoo, AOL, etc. make it very difficult to separate their mail services from their overall web presence.
On Tue, Feb 17, 2015 at 11:02:45AM -0500, Chris Patti wrote:
I tried running an exit for a bit and it lasted a few weeks before some brainless wonder hijacked someone's Gmail with my exit, so I had to pull it down and go relay only.
Even worse (or maybe better), this sort of thing happens when a Tor user connects to her Gmail, and then Google warns her that there was a Tor connection and omg it's time to freak out, and then she freaks out.
I mean, maybe it happened the way you describe, but also maybe it didn't. The large services like Gmail and Facebook have been struggling over the past few years to find the right balance between "if there's a connection from Tor, tell the user to freak out" and "actually for some users connecting over Tor is totally the smarter move, and we should encourage that".
--Roger
Thanks for that, Roger, it's a valid point. How do they simultaneously protect the rights of their actual users while warning against all the bad actors that feel the need to defecate all over such an important service (Tor, that is :).
Part of me thinks that some kind of system like the way car insurance works in the US with 'points' might make sense, but that would totally break the whole point of Tor - to provide anonymity for its users.
Bleah.
Pesky humans :)
-Chris
On Tue, Feb 17, 2015 at 11:55 AM, Roger Dingledine arma@mit.edu wrote: [snip]