This time I'm stumped. I confess I have not followed this list for a long time until the last few days, so it's possible that I've run afoul of something already discussed. Late Wednesday afternoon, I restarted my relay (MYCROFTsOtherChild), which changed it from 0.3.0.6 to 0.3.0.7. That was the only change I made. It went through a normal startup and published its descriptor. After a few hours, tor noticed that its descriptor was still not in the latest consensus, so it republished it. After several more hours had passed with each consensus lacking my relay's descriptor, I made a small change to an ExitPolicy line in torrc. In the meantime, I had read some recent postings to this list and had noted some remarks regarding mismatched RSA and ED25519 keys, so I renamed /var/db/tor/keys and restarted tor again, whereupon it generated new keys and appeared to proceed normally. Once again a new descriptor was published and has since been republished and updated with no apparent problem beyond some republications being told by one or more authorities that the descriptor was rejected as "not new". Nevertheless, my relay's descriptor still has not appeared in a consensus since the last time it ran 0.3.0.6. If an authority operator would be so kind as to check the authority's logs for any errors pertaining to my relay with either its old keys or its new keys and let me know what they say, I would be grateful. Thanks for any help or suggestions of things to try.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
Scott Bennett:
In the meantime, I had read some recent postings to this list and had noted some remarks regarding mismatched RSA and ED25519 keys,
Since I was one of the persons mentioning key pinning on this list I'd like to clarify my previous info [1] about the key pinning enforced by dir auths.
[1] https://lists.torproject.org/pipermail/tor-relays/2017-May/012390.html :
Reminder: When you play around with this feature: always make sure to keep your Ed25519 + RSA keys. If your Ed25519 key changes while the RSA key remains, your relay will be rejected since these keys are pinned (for security).
This safeguard has been introduced in tor 0.3.0.x and will only be in effect once enough tor directory authorities run a version with that feature and the setting at its default value, which is currently not yet the case so the problem you are having is unlikely related to key pinning. https://consensus-health.torproject.org/#authorityversions
On Sun, Jun 04, 2017 at 12:30:20AM -0500, Scott Bennett wrote:
Late Wednesday afternoon, I restarted my relay (MYCROFTsOtherChild),which changed it from 0.3.0.6 to 0.3.0.7. That was the only change I made. It went through a normal startup and published its descriptor. After a few hours, tor noticed that its descriptor was still not in the latest consensus
Interesting mystery! You always have the most exciting mysteries. :)
I just instrumented moria1 to be more detailed on why it doesn't find each relay reachable, and here's what I found:
Jun 04 18:12:44.147 [info] dirserv_single_reachability_test(): Testing reachability of MYCROFTsOtherChild at 73.246.41.113:32323. Jun 04 18:13:47.147 [info] connection_handle_write_impl(): in-progress connect to 73.246.41.113:32323 failed. Removing. (Connection timed out)
Jun 04 18:34:04.205 [info] dirserv_single_reachability_test(): Testing reachability of MYCROFTsOtherChild at 73.246.41.113:32323. Jun 04 18:35:07.205 [info] connection_handle_write_impl(): in-progress connect to 73.246.41.113:32323 failed. Removing. (Connection timed out)
So it would appear that it's trying to make a TCP connection, and after 63 seconds, it decides it's not going to work.
It would seem that 6 of the 8 directory authorities are not voting the Running flag, so I guess they are seeing something similar (or would be if they hacked their logs up to display it).
This is weird, because when I telnet to your IP:port, it connects easily. And when I set your IP:port as my bridge address, my Tor client bootstraps fine.
So I am left wondering if there's something different about how Tor requests that the system launch a TCP connection, or if Comcast or your system is somehow filtering (or not being able to handle) certain connection attempts.
--Roger
Roger Dingledine arma@mit.edu wrote:
On Sun, Jun 04, 2017 at 12:30:20AM -0500, Scott Bennett wrote:
Late Wednesday afternoon, I restarted my relay (MYCROFTsOtherChild),which changed it from 0.3.0.6 to 0.3.0.7. That was the only change I made. It went through a normal startup and published its descriptor. After a few hours, tor noticed that its descriptor was still not in the latest consensus
Interesting mystery! You always have the most exciting mysteries. :)
A lifelong problem, I'm afraid. I started bumping into compiler and library bugs at 16 or 17 that nobody had reported. It was all unintentional on my part. BTW, some time back, I noticed that the uptime instability in heartbeat messages returned, or perhaps it's a new one. It reports the first 3600-second heartbeat period at 0:59 hours, and each one thereafter is at n:59 hours. If the system is under some particularly heavy load, I've seen the time lengthen to where the messages show up as late as n:04 hours.
I just instrumented moria1 to be more detailed on why it doesn't find each relay reachable, and here's what I found:
Jun 04 18:12:44.147 [info] dirserv_single_reachability_test(): Testing reachability of MYCROFTsOtherChild at 73.246.41.113:32323. Jun 04 18:13:47.147 [info] connection_handle_write_impl(): in-progress connect to 73.246.41.113:32323 failed. Removing. (Connection timed out)
Jun 04 18:34:04.205 [info] dirserv_single_reachability_test(): Testing reachability of MYCROFTsOtherChild at 73.246.41.113:32323. Jun 04 18:35:07.205 [info] connection_handle_write_impl(): in-progress connect to 73.246.41.113:32323 failed. Removing. (Connection timed out)
So it would appear that it's trying to make a TCP connection, and after 63 seconds, it decides it's not going to work.
It would seem that 6 of the 8 directory authorities are not voting the Running flag, so I guess they are seeing something similar (or would be if they hacked their logs up to display it).
Which versions are the Running votes coming from versus the non-Running?
This is weird, because when I telnet to your IP:port, it connects easily. And when I set your IP:port as my bridge address, my Tor client bootstraps fine.
So I am left wondering if there's something different about how Tor requests that the system launch a TCP connection, or if Comcast or your system is somehow filtering (or not being able to handle) certain connection attempts.
I have a few commands in a crontab entry that extract relay IP addresses from the most recently received consensus, sort them, and load them into a table in pf. They run every 15 minutes. Anything coming from the addresses in the table is immediately passed. Anything not passed gets checked against a much larger table of probers, attempted intruders, etc. and is blocked if it matches a table entry. Anything left over gets passed. This setup has been in place for many years without problems. It does leave open the possibility that a relay that has started recently and is not yet listed in the most recently downloaded consensus could get failures until it does show up, but that would be very temporary. Also, authorities should basically always be in the relays list that is checked first. Again, 0.3.0.6 was working fine up until I shut it down. The restart was then as 0.3.0.7 and has not "worked" yet, although I'm still using the client functions without problems. Also, my relay had no problem connecting to itself during its reachability and "bandwidth" testing. Have significant numbers of other relays vanished from the consensus after changing to 0.3.0.7? Roger, thanks very much for taking a look at this problem. I've been running this relay for almost ten years, and I would like to continue to do so, even though it doesn't normally get a lot of traffic anymore. If there's anything you would like me to try, please let me know. Hmmm...a dim memory has blossomed while I've been typing here. Some years ago there was a problem with a version of openssl that couldn't talk to itself. That time I could see lots of connection attempts with no connections becoming established, however. In that situation, tor was unable to connect to itself during reachability testing, so it never published a descriptor and continued to try to connect until I shut it down. FWIW, the latest heartbeat messages were:
Jun 04 18:35:21.761 [notice] Heartbeat: It seems like we are not in the cached consensus. Jun 04 18:35:21.762 [notice] Heartbeat: Tor's uptime is 3 days 4:59 hours, with 2 circuits open. I've sent 19.71 MB and received 181.87 MB. Jun 04 18:35:21.762 [notice] Average packaged cell fullness: 48.015%. TLS write overhead: 11% Jun 04 18:35:21.762 [notice] Circuit handshake stats since last time: 0/0 TAP, 0/0 NTor. Jun 04 18:35:21.762 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 0 v3 connections, and 140 v4 connections; and received 4 v1 connections, 0 v2 connections, 2 v3 connections, and 1168 v4 connections.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On Sun, Jun 04, 2017 at 07:14:06PM -0500, Scott Bennett wrote:
Which versions are the Running votes coming from versus the non-Running?
You can see the votes at https://www.seul.org/~arma/moria1-v3-status-votes
I have a few commands in a crontab entry that extract relay IP addressesfrom the most recently received consensus, sort them, and load them into a table in pf. They run every 15 minutes. Anything coming from the addresses in the table is immediately passed. Anything not passed gets checked against a much larger table of probers, attempted intruders, etc. and is blocked if it matches a table entry.
Well heck. Sounds like we have a winner here.
Turn off your weird censorship infrastructure, confirm that things start working after a while, and now you have something to debug. :)
--Roger
Roger Dingledine arma@mit.edu wrote:
On Sun, Jun 04, 2017 at 07:14:06PM -0500, Scott Bennett wrote:
Which versions are the Running votes coming from versus the non-Running?You can see the votes at https://www.seul.org/~arma/moria1-v3-status-votes
Very interesting indeed. The only two Running votes are from tor26 and maatuska, which are the only Authority relays running 0.3.0.7. All the other authorities are running 0.2.9.9, 0.2.9.10, or 0.3.0.7-dev. (!) I'm not quite sure what to make of that, except that it appears that 0.3.0.7 is compatible with itself.
I have a few commands in a crontab entry that extract relay IP addressesfrom the most recently received consensus, sort them, and load them into a table in pf. They run every 15 minutes. Anything coming from the addresses in the table is immediately passed. Anything not passed gets checked against a much larger table of probers, attempted intruders, etc. and is blocked if it matches a table entry.
Well heck. Sounds like we have a winner here.
How so? If all traffic from the relay addresses is passed? I suppose I should have mentioned, because I use pf, that the rules use the "quick" flag:
pass in quick on nfe0 proto tcp from <TorRelays> to nfe0 port 32323 flags S/SA label "ORPort from relays" pass in quick on nfe0 proto tcp from <TorRelays> to nfe0 port 32326 flags S/SA label "DirPort from relays" block drop in quick on nfe0 from <Crackers> to any pass in quick on nfe0 proto tcp from any to nfe0 port 32323 flags S/SA label "ORPort from others" pass in quick on nfe0 proto tcp from any to nfe0 port 32326 flags S/SA label "DirPort from others"
IOW, the rules act in a normal, logical sequence, rather than in the reversed order, remaindered way that is pf's standard method of operation. (I haven't the foggiest idea why the OpenBSD folks designed pf that way.) Note that TorRelays is the table generated by the crontab job, and Crackers is the table of offending addresses that I block. By passing all relay traffic first, it never hits the third rule. The fourth and fifth rules let all traffic from non-offending clients through, as well as any traffic from new relays that do not appear in the most recently downloaded consensus or in the Crackers table.
Turn off your weird censorship infrastructure, confirm that things
I must strenuously object. First, I am not a government, thus I have no censorship powers. Second, all computer operators/sysadmins have the right to defend their systems. If you think that blocking attackers is weird, then I suggest that that is your issue, not mine.
start working after a while, and now you have something to debug. :)
As I noted before, my setup has been working for many years without problems. It is only with the change to 0.3.0.7 from 0.3.0.6 that the problem in question has appeared. Convince me that that is irrelevant, please.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
Roger Dingledine arma@mit.edu wrote:
Or at least partially solved, at any rate. The problem is solved, but the mystery remains.
On Sun, Jun 04, 2017 at 07:14:06PM -0500, Scott Bennett wrote:
Which versions are the Running votes coming from versus the non-Running?You can see the votes at https://www.seul.org/~arma/moria1-v3-status-votes
I have a few commands in a crontab entry that extract relay IP addressesfrom the most recently received consensus, sort them, and load them into a table in pf. They run every 15 minutes. Anything coming from the addresses in the table is immediately passed. Anything not passed gets checked against a much larger table of probers, attempted intruders, etc. and is blocked if it matches a table entry.
Well heck. Sounds like we have a winner here.
Turn off your weird censorship infrastructure, confirm that things start working after a while, and now you have something to debug. :)
The misuse of the word "censorship" aside, I tried disabling pf and restarting tor. To my surprise, the authorities connected to my relay successfully and distributed its information in subsequent consensuses! I do not know why, which is the remaining mystery. However, having to turn off one's firewall in order to run tor is not a solution to the problem. But, while going back through the logs, I noticed the following among tor's startup messages.
Jun 05 23:25:46.849 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 100020bf: OpenSSL 1.0.2k 26 Jan 2017; running with 100020cf: OpenSSL 1.0.2l 25 May 2017). Jun 05 23:25:46.895 [notice] Tor 0.3.0.7 (git-cfd9c1bdc0582656) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.0.2l and Zlib 1.2.8.
The date of 25 May 2017 means that my last run of 0.3.0.6 was using an older OpenSSL version, but 0.3.0.7 was using the newer one, although it had been compiled with the earlier version shown in the first message. I'm not sure how that might interact badly with pf at all. However, I rebuilt 0.3.0.7, stopped the running copy, enabled pf, and restarted tor to run from the rebuilt version. Enough authorities must be happy with it because they are now distributing its information in the consensus and also its most recent descriptor. In summary, the problem is resolved, but the mystery remains unsolved. What I think I know is that the mismatched openssl stub and library versions somehow interact with pf and pre-0.3.0.7 tor authorities in some mysterious manner that causes connections from those authorities to my relay to fail, but connections from 0.3.0.7 authorities to work just fine. Having the stub version and the library version be identical apparently avoids the erroneous interaction(s).
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On 8 Jun 2017, at 18:44, Scott Bennett bennett@sdf.org wrote:
Roger Dingledine arma@mit.edu wrote:
Or at least partially solved, at any rate. The problem is solved,but the mystery remains.
On Sun, Jun 04, 2017 at 07:14:06PM -0500, Scott Bennett wrote:
Which versions are the Running votes coming from versus the non-Running?You can see the votes at https://www.seul.org/~arma/moria1-v3-status-votes
I have a few commands in a crontab entry that extract relay IP addressesfrom the most recently received consensus, sort them, and load them into a table in pf. They run every 15 minutes. Anything coming from the addresses in the table is immediately passed. Anything not passed gets checked against a much larger table of probers, attempted intruders, etc. and is blocked if it matches a table entry.
Well heck. Sounds like we have a winner here.
Turn off your weird censorship infrastructure, confirm that things start working after a while, and now you have something to debug. :)
The misuse of the word "censorship" aside, I tried disabling pf andrestarting tor. To my surprise, the authorities connected to my relay successfully and distributed its information in subsequent consensuses! I do not know why, which is the remaining mystery. However, having to turn off one's firewall in order to run tor is not a solution to the problem.
If your firewall is blocking connections that tor needs to make, turning off that rule is precisely the solution to the problem.
What I think I know is that the mismatched openssl stub and library versions somehow interact with pf and pre-0.3.0.7 tor authorities in some mysterious manner that causes connections from those authorities to my relay to fail, but connections from 0.3.0.7 authorities to work just fine. Having the stub version and the library version be identical apparently avoids the erroneous interaction(s).
It's possible. But to confirm, you'd need to provide the sections of the firewall log that show what happens when a directory authority tries to check the reachability of your relay.
(As an aside, I'd encourage you not to keep logs at this level on an ongoing basis, they would contain client IP addresses and connection times.)
Or perhaps your firewall collected enough state to want to block tor while it was running, and lost that state when you turned it off and on again.
You have a complex enough system that there are probably more possibilities neither of us have thought of.
I'd keep an eye on things over the next few weeks.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
teor teor2345@gmail.com wrote:
On 8 Jun 2017, at 18:44, Scott Bennett bennett@sdf.org wrote:
Roger Dingledine arma@mit.edu wrote:
Or at least partially solved, at any rate. The problem is solved,but the mystery remains.
On Sun, Jun 04, 2017 at 07:14:06PM -0500, Scott Bennett wrote:
Which versions are the Running votes coming from versus the non-Running?You can see the votes at https://www.seul.org/~arma/moria1-v3-status-votes
I have a few commands in a crontab entry that extract relay IP addressesfrom the most recently received consensus, sort them, and load them into a table in pf. They run every 15 minutes. Anything coming from the addresses in the table is immediately passed. Anything not passed gets checked against a much larger table of probers, attempted intruders, etc. and is blocked if it matches a table entry.
Well heck. Sounds like we have a winner here.
Turn off your weird censorship infrastructure, confirm that things start working after a while, and now you have something to debug. :)
The misuse of the word "censorship" aside, I tried disabling pf andrestarting tor. To my surprise, the authorities connected to my relay successfully and distributed its information in subsequent consensuses! I do not know why, which is the remaining mystery. However, having to turn off one's firewall in order to run tor is not a solution to the problem.
If your firewall is blocking connections that tor needs to make, turning off that rule is precisely the solution to the problem.
As noted more than once previously, the pf rules *pass* all traffic from relay addresses *first*, so that traffic has already gone on to tor before the block list is applied. As also noted previously, the rules had not (and still have not) been changed in a long time. They were working just fine for years, and then suddenly they were not. Now they are working just fine again since tor got rebuilt, so they are not the problem.
What I think I know is that the mismatched openssl stub and library versions somehow interact with pf and pre-0.3.0.7 tor authorities in some mysterious manner that causes connections from those authorities to my relay to fail, but connections from 0.3.0.7 authorities to work just fine. Having the stub version and the library version be identical apparently avoids the erroneous interaction(s).
It's possible. But to confirm, you'd need to provide the sections of the firewall log that show what happens when a directory authority tries to check the reachability of your relay.
That stuff isn't logged because it would soon exhaust the available disk space with garbage.
(As an aside, I'd encourage you not to keep logs at this level on an ongoing basis, they would contain client IP addresses and connection times.)
That's one reason; the other is the space and kernel overhead requirements.
Or perhaps your firewall collected enough state to want to block tor while it was running, and lost that state when you turned it off and on again.
I don't understand how an application could directly interfere with the packet filter's operation. I've previously posted the rules. As I described, it appears to be a problem of openssl misbehaving, apparently due to mismatched stub and library versions, though I don't understand how openssl trouble could occur with pf enabled and not occur with pf disabled. In any case, rebuilding tor so that the stub and library versions match has eliminated the problem. tor now plays nicely with the authorities, regardless of whether pf is enabled. Now, having said that, I should mention that tor does mess around with /dev/bpf, at least during startup, which is one reason why tor has to have root privileges during startup. I've never looked into exactly what it does with /dev/bpf, however, so I have no idea whether that could be involved and caused to malfunction somehow by openssl problems.
You have a complex enough system that there are probably more possibilities neither of us have thought of.
Complex? Compared to what? You've already seen the handful of rules involved, which includes some near duplication of ORPort rules to provide the same protection from miscreants to the DirPort that is given to the ORPort. In a nutshell, the rules look at incoming SYN packets to see if they come from tor relay addresses and immediately lets pass those that do. (By doing this step first, relay traffic is protected from the next step, even if the relay's address has gotten onto the block list, e.g., an exit that has been abused by some cracker or wannabe-cracker.) If they do not, then they are checked against a very large block list and, if found in the block list, are dropped with no RST. (Yes, I know dropping without RST violates the TCP standards, but crackers deserve no courtesies. Slowing them down is good. They can just wait until they time out.) Any SYN packets destined to the ORPort or DirPort that survive at this point are either from clients or from relays that have just started up and therefore do not yet appear in the relays list used in the first step. If a relay is new or has been down long enough to have been omitted from at least one consensus *and* is in the block list, then its SYNs will be dropped until up to 15 minutes after the next consensus that lists it has been downloaded. That is the only, and very temporary, situation in which the rules block traffic from legitimate source addresses. Authorities will rarely, and only briefly (i.e., not much over a couple of hours at most, certainly not *days*), ever be in this situation. There should *never* be a time when a majority of authorities is in this situation simultaneously. It's worth pointing out that, without pf's very efficient protection (or that of some other packet filter), tor itself is stuck with the load of handling useless inbound connection attempts. pf takes that load off of tor when it is caused by IPv4 addresses that are known sources of trouble.
I'd keep an eye on things over the next few weeks.
I think I will be keeping an eye on openssl updates to make sure that tor gets rebuilt each time the openssl library gets replaced, now that I know that openssl updates can subvert one of the advantages of dynamically linked libraries. :-(
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On Thu, 08 Jun 2017 09:43:00 -0500 Scott Bennett bennett@sdf.org wrote:
As noted more than once previously, the pf rules *pass* all trafficfrom relay addresses *first*, so that traffic has already gone on to tor before the block list is applied.
There are most likely some relays which use a different IP for outgoing connections than what is listed in the consensus, due to multiple IPs or provider multihoming. Your scheme does not seem to account for that, so those connections may fail. In effect you will be leaving the Tor network permanently semi-broken by running a relay while employing such filtering.
In any case I don't think there is any reasonable threat scenario against which you must protect by not just allowing all connections from anywhere to ORPort/DirPort of a Tor relay.
Roman Mamedov rm@romanrm.net wrote:
Hi Roman!
On Thu, 08 Jun 2017 09:43:00 -0500 Scott Bennett bennett@sdf.org wrote:
As noted more than once previously, the pf rules *pass* all trafficfrom relay addresses *first*, so that traffic has already gone on to tor before the block list is applied.
There are most likely some relays which use a different IP for outgoing connections than what is listed in the consensus, due to multiple IPs or provider multihoming. Your scheme does not seem to account for that, so those connections may fail. In effect you will be leaving the Tor network permanently semi-broken by running a relay while employing such filtering.
You're right. I recall spending a lot of time trying to find a way to get those addresses, so that I could include them in the TorRelays table or some other arrangement to let their traffic through. Unfortunately, tor doesn't publish them anywhere that I could find nor did anything else back at the time I set these rules and tables up. However, I figured most relays probably have only a single WAN interface, so the rules would probably cause few failures. Also, clients don't give up after something like that, but rather continue to try more circuits, so the end user may experience a short delay, but won't actually go unserved in such cases. Consider another case. Users have often complained that running a tor relay results in their IP addresses being blocked by all manner of services around the Internet. The providers of those services say they have suffered attacks originating from tor relays. The project's response was to create an automatically, frequently updated list of IP addresses of exit relays and make that list available for download by anyone wishing to block traffic from tor exits, while allowing traffic from all other relays. That list of addresses suffers the same problem of not including alternative IP addresses for those relays. Even worse, troublesome connections from those alternative addresses *can* be traced back, in some cases, to the exit relay. Once those services have identified the offending traffic as coming from a machine they had been promised by the tor project would be in the downloadable list of exit relay addresses, they may decide that they had been deceived by the tor project, which could lead to many bad things in the future.
In any case I don't think there is any reasonable threat scenario against which you must protect by not just allowing all connections from anywhere to ORPort/DirPort of a Tor relay.
That is something that each system administrator has to determine for the system(s) under his care. My determination for my system apparently differs from your evaluation of your situation. What originally prompted me to look into using a packet filter to block traffic from identifiable sources of trouble was the frequency of attacks on my system. It was so intense at times that even the kernel was complaining in console messages that it was limiting RSTs to 200/s. These messages were happening so fast that syslogd was reducing them in most cases with messages like "last line repeated 1353 times" (not an exact quotation, but I'm sure you've seen syslogd's message flood response before). At first, setting
net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1
seemed to take care of the problem. However, after a couple of years, the messages resumed. China, Malaysia, Nigeria, and a few other countries were being especially persistent and aggravating in the frequency of their attacks. (Just in case, I've since added "net.inet.sctp.blackhole=2" to the above list.) Although providing a tor relay and directory is currently the only thing my system offers to benefit other people, I decided that, if I ever chose to offer other services, I would want to deny those services to the offending parties, too, which is why those block rules apply to all ports on my system and not only to tor's ports. The pass rules apply to traffic destined to tor's ports.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On Thu, Jun 08, 2017 at 05:30:37PM -0500, Scott Bennett wrote:
Consider another case. Users have often complained that running a torrelay results in their IP addresses being blocked by all manner of services around the Internet. The providers of those services say they have suffered attacks originating from tor relays. The project's response was to create an automatically, frequently updated list of IP addresses of exit relays and make that list available for download by anyone wishing to block traffic from tor exits, while allowing traffic from all other relays. That list of addresses suffers the same problem of not including alternative IP addresses for those relays. Even worse, troublesome connections from those alternative addresses *can* be traced back, in some cases, to the exit relay. Once those services have identified the offending traffic as coming from a machine they had been promised by the tor project would be in the downloadable list of exit relay addresses, they may decide that they had been deceived by the tor project, which could lead to many bad things in the future.
I think we might have to agree to disagree about a lot of these topics, but I wanted to correct this one.
The bulk exit list: https://check.torproject.org/cgi-bin/TorBulkExitList.py along with TorDNSEL is designed to handle exactly this situation, and it does it pretty well.
--Roger
Roger Dingledine arma@mit.edu wrote:
On Thu, Jun 08, 2017 at 05:30:37PM -0500, Scott Bennett wrote:
Consider another case. Users have often complained that running a torrelay results in their IP addresses being blocked by all manner of services around the Internet. The providers of those services say they have suffered attacks originating from tor relays. The project's response was to create an automatically, frequently updated list of IP addresses of exit relays and make that list available for download by anyone wishing to block traffic from tor exits, while allowing traffic from all other relays. That list of addresses suffers the same problem of not including alternative IP addresses for those relays. Even worse, troublesome connections from those alternative addresses *can* be traced back, in some cases, to the exit relay. Once those services have identified the offending traffic as coming from a machine they had been promised by the tor project would be in the downloadable list of exit relay addresses, they may decide that they had been deceived by the tor project, which could lead to many bad things in the future.
I think we might have to agree to disagree about a lot of these topics, but I wanted to correct this one.
The bulk exit list: https://check.torproject.org/cgi-bin/TorBulkExitList.py along with TorDNSEL is designed to handle exactly this situation, and it does it pretty well.
Okay, I'll take your word for it, but I'm curious to know the source of the addresses collected if tor doesn't report them.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On 9 Jun 2017, at 08:30, Scott Bennett bennett@sdf.org wrote:
Roman Mamedov rm@romanrm.net wrote:
On Thu, 08 Jun 2017 09:43:00 -0500 Scott Bennett bennett@sdf.org wrote:
As noted more than once previously, the pf rules *pass* all trafficfrom relay addresses *first*, so that traffic has already gone on to tor before the block list is applied.
There are most likely some relays which use a different IP for outgoing connections than what is listed in the consensus, due to multiple IPs or provider multihoming. Your scheme does not seem to account for that, so those connections may fail. In effect you will be leaving the Tor network permanently semi-broken by running a relay while employing such filtering.
This also excludes any direct client connections to your relay. For an Exit, clients should only connect if UseEntryGuards is 0 (the default is 1, except for Tor2Web and Single Onion Service clients).
It also excludes connections from relays that come up and down frequently.
You're right. I recall spending a lot of time trying to find a way toget those addresses, so that I could include them in the TorRelays table or some other arrangement to let their traffic through. Unfortunately, tor doesn't publish them anywhere that I could find nor did anything else back at the time I set these rules and tables up. However, I figured most relays probably have only a single WAN interface, so the rules would probably cause few failures.
My relays have multiple IP addresses on a single WAN interface. They all use OutboundBindAddress to separate OR and Dir traffic from outbound traffic. And they make up about 1% of Tor guard/middle bandwidth.
I think you will find this is not an uncommon configuration among high-bandwidth relays.
Some directory authorities also have multiple IP addresses.
Also, clients don't give up after something like that, but rather continue to try more circuits, so the end user may experience a short delay, but won't actually go unserved in such cases.
What actually happens depends on a number of factors: * whether the other relay has successfully connected to your relay, * whether both relays think the connection is canonical, * whether either relay has a large exponential backoff on retries.
So in some cases, clients will be unable to connect to your exit via some middle relays. This reduces your exit traffic, and also reduces the number of different circuit paths available to clients. (Using a wide variety of paths is one of the building blocks of Tor's anonymity.)
My point is that there are a lot of moving parts here. And there could be multiple contributing factors, not just OpenSSL.
For the record, we generally suggest the following firewall configuration: * allow incoming connections to your ORPort and DirPort from any IP * allow all outgoing connections.
But we might have to agree to disagree here.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
teor teor2345@gmail.com wrote:
On 9 Jun 2017, at 08:30, Scott Bennett bennett@sdf.org wrote:
Roman Mamedov rm@romanrm.net wrote:
On Thu, 08 Jun 2017 09:43:00 -0500 Scott Bennett bennett@sdf.org wrote:
As noted more than once previously, the pf rules *pass* all trafficfrom relay addresses *first*, so that traffic has already gone on to tor before the block list is applied.
There are most likely some relays which use a different IP for outgoing connections than what is listed in the consensus, due to multiple IPs or provider multihoming. Your scheme does not seem to account for that, so those connections may fail. In effect you will be leaving the Tor network permanently semi-broken by running a relay while employing such filtering.
This also excludes any direct client connections to your relay. For an Exit, clients should only connect if UseEntryGuards is 0 (the default is 1, except for Tor2Web and Single Onion Service clients).
It only excludes client connections from IP addresses with a history of offending behavior against my system. That exclusion is an express aim of the packet filter rules I posted. By excluding their access to anything on my system, I keep them from causing me further trouble. Unfortunately, if such troublemaking IP addresses also happen to host relays, then I have to let them have access to the ORPort and DirPort, but I can still exclude them from everything else. Bad behavior should be expected to have consequences. Clients at non-offending IP addresses are allowed to connect without interference.
It also excludes connections from relays that come up and down frequently.
Well, laying aside the fact that we don't want them to be up and down frequently, my TorRelays table is regenerated every 15 minutes from the most recently retrieved consensus. Consensuses are rarely fetched more than once during the same hour, but even if they are and regardless of the time during the clock hour the consensus is retrieved, only a few minutes will pass before the table is produced fresh and loaded into pf. That is much faster than a new consensus is propagated to all relays or clients anyway.
You're right. I recall spending a lot of time trying to find a way toget those addresses, so that I could include them in the TorRelays table or some other arrangement to let their traffic through. Unfortunately, tor doesn't publish them anywhere that I could find nor did anything else back at the time I set these rules and tables up. However, I figured most relays probably have only a single WAN interface, so the rules would probably cause few failures.
My relays have multiple IP addresses on a single WAN interface. They all use OutboundBindAddress to separate OR and Dir traffic from outbound traffic. And they make up about 1% of Tor guard/middle bandwidth.
So, although the traffic is not separated on that machine, you use the source addresses to allow a router to separate the traffic as it leaves your network? Or is it indeed separated on that machine via routing table entries?
I think you will find this is not an uncommon configuration among high-bandwidth relays.
I will check further into the procedure for which Roger posted a URL to see whether it will indeed give me a list of such addresses that I can use. If so, I will certainly begin running it, scraping the addresses, and merging them with the addresses already going into table creation.
Some directory authorities also have multiple IP addresses.
See above.
Also, clients don't give up after something like that, but rather continue to try more circuits, so the end user may experience a short delay, but won't actually go unserved in such cases.
What actually happens depends on a number of factors:
- whether the other relay has successfully connected to your relay,
- whether both relays think the connection is canonical,
- whether either relay has a large exponential backoff on retries.
So in some cases, clients will be unable to connect to your exit via some
Although I allow exits to a small list of places, my relay does not allow general exiting in a manner that would qualify it for an Exit flag on its entry in the consensus, so in that sense, there is no exit here.
middle relays. This reduces your exit traffic, and also reduces the number of different circuit paths available to clients. (Using a wide variety of paths is one of the building blocks of Tor's anonymity.)
My daily exit traffic is ordinarily zero. Non-zero days are so rare as not to be worth calculating their frequency. I no longer remember the last time I saw one, but many versions of tor have come and gone since then.
My point is that there are a lot of moving parts here. And there could be multiple contributing factors, not just OpenSSL.
For the record, we generally suggest the following firewall configuration:
- allow incoming connections to your ORPort and DirPort from any IP
- allow all outgoing connections.
But we might have to agree to disagree here.
Exactly. I block outbound connections to known (to me) malware sites (currently just three entries), but otherwise everything outbound is basically just passed on through. Inbound connections are subject to the rules previously outlined. If I can get my hands on the extra relay addresses, that will be great. I'd love to have them included in the TorRelays table. Like I wrote before, I did try to find them long ago in order to do just that, so it will be good to have them at last.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On Fri, Jun 09, 2017 at 01:05:43AM -0500, Scott Bennett wrote:
I think you will find this is not an uncommon configuration among high-bandwidth relays.
I will check further into the procedure for which Roger posted a URLto see whether it will indeed give me a list of such addresses that I can use. If so, I will certainly begin running it, scraping the addresses, and merging them with the addresses already going into table creation.
It will not do what you want. It is only for exit addresses.
--Roger
Roger Dingledine arma@mit.edu wrote:
On Fri, Jun 09, 2017 at 01:05:43AM -0500, Scott Bennett wrote:
I think you will find this is not an uncommon configuration among high-bandwidth relays.
I will check further into the procedure for which Roger posted a URLto see whether it will indeed give me a list of such addresses that I can use. If so, I will certainly begin running it, scraping the addresses, and merging them with the addresses already going into table creation.
It will not do what you want. It is only for exit addresses.
Yes, I saw that after I took a look. However, that shouldn't really be a problem because the Exit addresses are the ones that could have gotten into the block list simply by doing their job. A non-Exit on the block list got their by its operator's own bad behavior. If someone writes to me and promises never to do it again, I'll remove his address from the block list, but on the condition the promise is kept. Likewise if someone writes to me and says his relay used to run as an Exit, but now just runs as entry/middle, I'll also remove his address, again conditionally, because his address may have gotten into the block list when it was an Exit doing its job. Again, the published address would still get a pass anytime it appears in a consensus.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On 9 Jun 2017, at 16:05, Scott Bennett bennett@sdf.org wrote:
My relays have multiple IP addresses on a single WAN interface. They all use OutboundBindAddress to separate OR and Dir traffic from outbound traffic. And they make up about 1% of Tor guard/middle bandwidth.
So, although the traffic is not separated on that machine, you use thesource addresses to allow a router to separate the traffic as it leaves your network? Or is it indeed separated on that machine via routing table entries?
The traffic goes out the same interface. I don't know or control what happens to it after that.
...
Also, clients don't give up after something like that, but rather continue to try more circuits, so the end user may experience a short delay, but won't actually go unserved in such cases.
What actually happens depends on a number of factors:
- whether the other relay has successfully connected to your relay,
- whether both relays think the connection is canonical,
- whether either relay has a large exponential backoff on retries.
* how many alternate destinations are available to clients
For example, if your relay is an introduction point for a hidden service with very few introduction points (there is a known bug that causes this), clients may not be able to reach the service, because they will give up after the first try.
So in some cases, clients will be unable to connect to your exit via some
s/exit/guard or middle/
Although I allow exits to a small list of places, my relay does notallow general exiting in a manner that would qualify it for an Exit flag on its entry in the consensus, so in that sense, there is no exit here.
middle relays.
s/middle/middle or guard/
This reduces your exit traffic,
s/exit/guard and middle/
and also reduces the number of different circuit paths available to clients. (Using a wide variety of paths is one of the building blocks of Tor's anonymity.)
My daily exit traffic is ordinarily zero. Non-zero days are so rare asnot to be worth calculating their frequency. I no longer remember the last time I saw one, but many versions of tor have come and gone since then.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
I tried disabling pf and restarting tor. To my surprise, the authorities connected to my relay successfully and distributed its information in subsequent consensuses!
Haha. This is the least surprising thing I've read all week.
tor tor@anondroid.com wrote:
I tried disabling pf and restarting tor. To my surprise, the authorities connected to my relay successfully and distributed its information in subsequent consensuses!
Haha. This is the least surprising thing I've read all week.
Then either you weren't paying attention or you don't know pf. And you have to explain why correcting the openssl library versions eliminates the problem. In short, you didn't follow the chain of evidence presented.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
tor-relays@lists.torproject.org
-
nusenu -
Roger Dingledine -
Roman Mamedov -
Scott Bennett -
teor -
tor