[tor-relays] what ip,port combinations do Tor clients need?
Martin Kepplinger
martink at posteo.de
Wed May 9 08:18:10 UTC 2018
On 2018-05-08 16:59, Jonathan Marquardt wrote:
> On Tue, May 08, 2018 at 04:45:58PM +0200, Martin Kepplinger wrote:
>> How does a usable ipset (hash:ip,port) look like, so that it is a whitelist
>> for
>> in/out tcp connections? *Everything* else from/to the outside world is
>> assumed
>> to be dropped. (DNS too).
>>
>> * dir auths from src/or/auth_dirs.inc
>> * fallback dirs from scripts/maint/fallback.whitelist
>> * current guard relays (parsed from a consensus file)
>>
>> anything else?
>
> There isn't really a standard port for the ORPort or the DirPort. All kinds of
> ports are used for this. For example, you could only allow port 443 and you
> would be good to go, just not for all relays.
>
> In theory, you could create a giant iptables ruleset for every relay out
> there, which you would have to update all the time, because it changes every
> day.
That's not really a problem with ipset. My list above results in about
2800 entries (ip,port combinations). I could easily update it hourly.
Starting tor-browser doesn't yet work though, and while I might simply
still get iptables rules wrong, I thought I'd ask if I miss addresses.
Allowing local connections is necessary for the control port, and not an
issue. It's about remote tcp connections.
> I think that it is a more sensible approach if you configure a couple of
> bridges on your clients and only allow these IP:Port combinations. This would
> be a wiser approach if you aim for a minimum of allowed connection types.
>
Possibly. I clearly want to try this approach though: not running Tor
myself, just looking at the network. Again, size doesn't matter. Do I
miss something?
thanks
martin
More information about the tor-relays
mailing list