<div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);">Yes, I agree 100% with Danny's summary here, so I have to concede, I did not find enough evidence that Comcast blocks connections *to* tor relays. I apologize. Specifically, I did some tests with <span>ronqtorrelays at <a target="_blank" rel="noreferrer nofollow noopener" href="http://risley.net">risley.net</a>, who is a Comcast Business customer, and he had no problem initiating a TCP connection to my relay, even to a tor-unrelated port. </span></div><div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);"><br></div><div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);">About the other direction - from tor relays or exits to Comcast:</div><blockquote style="border-left: 3px solid rgb(200, 200, 200); border-top-color: rgb(200, 200, 200); border-right-color: rgb(200, 200, 200); border-bottom-color: rgb(200, 200, 200); padding-left: 10px; color: rgb(102, 102, 102);"><div><span><a target="_blank" rel="noreferrer nofollow noopener" href="https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security">https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security</a> mentions "Blocks remote access to smart devices from known dangerous sources.". 
What do you mean by dangerous sources, and does it include tor relays or exits?</span></div><div><br></div><span>It may be down to the fact that “unknown” users connect to the relay/exit and that the average consumer user of the Advanced Security service does not want that. I suspect if someone wants this, it’s best to toggle Advanced Security off.</span><br></blockquote><span></span><div style=""><span style="display: inline !important;"><br></span></div><div style=""><span style="display: inline !important;">Seems you do not understand the difference between an exit relay and a non-exit relay. 
(Nor do the persons who implemented this blocking of traffic from tor relays - this would explain a lot.) </span></div><div style=""><span style="display: inline !important;"><br></span></div><div style=""><span style="font-size: 0.875rem;">I would first reformulate: unknown and anonymous users may route their traffic through tor, including some attacks (DDoS or worse), and this traffic will look like it is originating from a tor *exit* relay. But this is only true about *exit* relays (and then only about some ports, but let's keep it simple). Non-exit relays only send tor-related traffic to other tor relays, never to other destinations. So when a non-exit relay R connects to a computer X, which does not run anything tor-related, you can be sure this connection is not tor-related and is really initiated by R. If we had a tor exit relay E, then a connection E->X could be initiated by E or by a bad guy B who is abusing tor's anonymity. And X cannot tell the difference, so it is reasonable to assume the worst and block this. The traffic from B would really follow the path B->R1->R2->E->X, where R1 and R2 are non-exit relays. You may argue that this bad traffic goes through R1 and R2, but so what? Blocking E->X is sufficient, but you are also blocking R1->X and R2->X.</span></div><div style=""><span style="font-size: 0.875rem;"><br></span></div><div style=""><span style="display: inline !important;">Here is a basic explanation of relay types by the Tor project itself: <span><a target="_blank" rel="noreferrer nofollow noopener" href="https://community.torproject.org/relay/types-of-relays/">https://community.torproject.org/relay/types-of-relays/</a> . </span></span></div><div style=""><span style="display: inline !important;"><span><br></span></span></div><div style=""><span style="display: inline !important;"><span>Q to community: Is there some better official document explaining the difference between an exit and a non-exit relay? 
It could be more trustworthy than my explanation (and better written). Most of what I found is about tor exits, like <span><a target="_blank" rel="noreferrer nofollow noopener" href="https://community.torproject.org/relay/community-resources/tor-abuse-templates/">https://community.torproject.org/relay/community-resources/tor-abuse-templates/</a> .</span></span></span></div><div style=""><span style="display: inline !important;"><br></span></div><div style=""><span style="display: inline !important;">I can see how a random website does not bother to understand this - see reports in this thread about a bank blocking tor relays. But an ISP's core competency should be networks, so I would expect an ISP to understand the real dangers and apply more nuance than "let's block everything tor-related".</span></div>
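<div style="">Added example, not part of the original message: a sketch of the exit-only filtering the post argues for, which blocks E->X while leaving R1->X and R2->X alone. It assumes the relay list comes from a Tor consensus document and treats the Exit flag as the test (a simplification of per-port exit policies); the sample entries, nicknames and addresses are constructed.</div>

```python
import ipaddress

# Constructed sample in the router-status format of a Tor consensus
# ("r" = relay entry, "s" = its flags). Nicknames, digests and addresses are
# made up; the addresses are RFC 5737 documentation ranges.
SAMPLE_CONSENSUS = """\
r R1guard AAAAAAAAAAAAAAAAAAAAAAAAAAA aaaaaaaaaaaaaaaaaaaaaaaaaaa 2024-01-01 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r R2middle BBBBBBBBBBBBBBBBBBBBBBBBBBB bbbbbbbbbbbbbbbbbbbbbbbbbbb 2024-01-01 00:00:00 198.51.100.20 9001 0
s Fast Running Stable Valid
r Eexit CCCCCCCCCCCCCCCCCCCCCCCCCCC ccccccccccccccccccccccccccc 2024-01-01 00:00:00 203.0.113.7 443 0
s Exit Fast Running Stable Valid
r SharedHost DDDDDDDDDDDDDDDDDDDDDDDDDDD ddddddddddddddddddddddddddd 2024-01-01 00:00:00 203.0.113.7 9001 0
s Fast Running Valid
"""


def parse_relays(text):
    """Return a list of (nickname, ip, flags) built from r/s line pairs."""
    relays, open_entry = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["r"]:
            # Skip truncated entries so a following "s" line is not misattributed.
            open_entry = len(parts) >= 8
            if open_entry:
                # The address is the third field from the end of the "r" line.
                relays.append([parts[1], ipaddress.ip_address(parts[-3]), frozenset()])
        elif parts[:1] == ["s"] and open_entry:
            relays[-1][2] = frozenset(parts[1:])
    return [tuple(r) for r in relays]


def exit_and_non_exit_addresses(relays):
    """Split relay addresses; an address hosting any exit counts as an exit."""
    exits = {ip for _, ip, flags in relays if "Exit" in flags}
    non_exits = {ip for _, ip, _ in relays} - exits
    return exits, non_exits


def inbound_decision(src, exits):
    """Block only sources that can carry third-party traffic (E->X)."""
    return "block" if ipaddress.ip_address(src) in exits else "allow"


EXITS, NON_EXITS = exit_and_non_exit_addresses(parse_relays(SAMPLE_CONSENSUS))

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.20", "203.0.113.7"):
        print(src, inbound_decision(src, EXITS))
```

<div style="">An address that hosts both an exit and a non-exit relay is treated as an exit, since X cannot tell which process opened the connection.</div>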