<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 16 Dec 2015, at 04:23, Hans Wurscht <<a href="mailto:tor@x2a.ch" class="">tor@x2a.ch</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi<br class=""><br class="">I would like to operate an IPv6 only exit node. I.e. it's fine if tor relays through IPv4, but I want exiting traffic only through IPv6 (because I don't want my (only) IPv4 to be blocked, abused and such).<br class=""></div></div></blockquote><div><br class=""></div><div>You won't get the Exit flag unless you exit to at least one IPv4 /8, on at least:</div><div>* port 80 & 443, or</div><div>* port 80 & 6667, or</div><div>* port 443 & 6667.</div><div><br class=""></div><div>It's a documented issue that a relay can still get the Exit flag by exiting to an unused IPv4 /8 that's not in Tor's list of private addresses.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">The way I thought this would work is with the ExitPolicy set as below. But atlas says my IPv6 Exit Policy Summary would be "ExitPolicy reject *:*".<br class=""></div></div></blockquote><div><br class=""></div><div>I don't know if Atlas does this because your relay doesn't have the Exit flag, or because your relay's policy rejects everything, or because your relay's policy doesn't allow IPv4.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">Now I'm wondering if my ExitPolicy is wrong defined or if that's a bug of some kind.<br class=""></div></div></blockquote><div><br class=""></div><div>What is the exit policy in your relay's descriptor?</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">I'm running Tor v0.2.7.5 (git-6184c873e90d93b2) on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.</div></div></blockquote><div><br class=""></div>These rules look like they should work as you describe.</div><div>(Tor 0.2.7 was fixed to make accept6/reject6 only produce IPv6 rules.)</div><div>Let me do some testing to see if you've uncovered a bug.<br class=""><br class=""><blockquote type="cite" class=""><div class=""><div class=""># No IPv4 exit, no exit to my own subnet, no exit to private network, no exit to link local<br class=""></div></div></blockquote><div><br class=""></div><div>This is wise. Tor will block your own IPv6 address, but it doesn't know about your subnet:</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">ExitPolicy reject6 [2A02:168:4A06::]/42:* # Block my subnet<br class=""></div></div></blockquote><div><br class=""></div><div>Tor blocks private addresses by default, so these lines are redundant, but harmless:</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">ExitPolicy reject6 [FC00::]/7:* # Block private IPv6<br class="">ExitPolicy reject6 [FE80::]/10:* # Block link-local IPv6<br class=""></div></div></blockquote><div><br class=""></div><div>Tor doesn't block 6to4 addresses by default, so this is useful:</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">ExitPolicy reject6 [2002::]/16:* # Block 6to4 addresses<br class=""></div></div></blockquote><div><br class=""></div><blockquote type="cite" class=""><div class=""><div class="">...</div></div></blockquote><div><br class=""></div><div>This should make sure most IPv6 ports are accepted, because it comes before the reject rules.</div><div>You could try: "ExitPolicy accept6 *6:*", but it should have exactly the same outcome.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">ExitPolicy accept6 *:* # All else<br class=""></div></div></blockquote><div><br class=""></div><div>This actually blocks private IPv4 and IPv6, and it's redundant because Tor blocks private addresses by default:</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">ExitPolicy reject private:* # Block private IPv4<br class=""></div></div></blockquote><div><br class=""></div><div>This actually blocks IPv4 and IPv6:</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">ExitPolicy reject *:* # Block all IPv4<br class=""><br class="">## If set, and we are an exit node, allow client to use us for IPv6 traffic<br class="">IPv6Exit 1<br class=""></div></div></blockquote><br class=""></div><div>Tim</div><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Tim Wilson-Brown (teor)</div><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""></div><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">teor2345 at gmail dot com<br class="">PGP 968F094B<br class=""><br class="">teor at blah dot im<br class="">OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<br class=""></body></html>