Hi,
since I really like this new feature I added [1] initial autoconfiguration support for it to ansible-relayor (user can opt-in via a single boolean and we automate the rest).
I want to make sure I do this correctly and would like your feedback on the following questions:
a) Is 'OutboundBindAddressOR' in the following context optional (in the sense that it does not change tor's behavior)?
ExitRelay 1
ExitPolicy reject *:25,accept *:*
ORPort 1.2.3.4:9001
OutboundBindAddress 1.2.3.4
OutboundBindAddressOR 1.2.3.4
OutboundBindAddressExit 7.7.7.7
is identical to:
ExitRelay 1
ExitPolicy reject *:25,accept *:*
ORPort 1.2.3.4:9001
OutboundBindAddress 1.2.3.4
OutboundBindAddressExit 7.7.7.7
(since according to the manual page OutboundBindAddress*OR* would just override OutboundBindAddress, which is not needed in the above example since they match)
b) Is it ok to set OutboundBindAddressExit for IPv4 only, even if we set 'IPv6Exit 1' or is setting an IPv6 OutboundBindAddressExit address required after setting OutboundBindAddressExit for IPv4?
Since this question might be a bit confusing I'll give an example in form of torrc lines:
ORPort 1.2.3.4:9001
OutboundBindAddress 1.2.3.4
OutboundBindAddressExit 7.7.7.7
IPv6Exit 1
ExitRelay 1
ExitPolicy reject *:25,accept *:*
(this config has an IPv4 OutboundBindAddressExit entry but no IPv6 OutboundBindAddressExit entry)
c) Similar to (b) is it ok to enable OutboundBindAddressExit for IPv6 only?
d) Is it ok if multiple tor instances on the same host use the same OutboundBindAddressExit address? (ignoring the fact that big exits might run out of source ports?)
thanks, nusenu
[1] https://github.com/nusenu/ansible-relayor/commit/00fa7c571e8b6f6256092d99283...
On 5 May 2017, at 06:03, nusenu nusenu-lists@riseup.net wrote:
> Hi,
> since I really like this new feature I added [1] initial autoconfiguration support for it to ansible-relayor (user can opt-in via a single boolean and we automate the rest).
> I want to make sure I do this correctly and would like your feedback on the following questions:
You should probably specify OutboundBindAddressOR [IPv6] as well.
Several upcoming IPv6 features require relays to make outgoing IPv6 OR connections:
* Missing IPv6 ORPort reachability check https://trac.torproject.org/projects/tor/ticket/6939
* Enable relays to talk to other relays via IPv6 https://trac.torproject.org/projects/tor/ticket/4565
And maybe:
* Change clients to automatically use IPv6 if they can bootstrap over it https://trac.torproject.org/projects/tor/ticket/17217
If you don't specify OutboundBindAddressOR [IPv6], any IPv6 connections a relay makes will go via the OS routing table, which may use the same address as OutboundBindAddressExit.
> a) Is 'OutboundBindAddressOR' in the following context optional (in the sense that it does not change tor's behavior)?
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressOR 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
> is identical to:
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
> (since according to the manual page OutboundBindAddress*OR* would just override OutboundBindAddress, which is not needed in the above example since they match)
Yes, they are identical in current tor versions.
There is currently no OutboundBindAddressDNS, but there might be in future.
So please use OutboundBindAddress if you mean "all non-exit connections", and OutboundBindAddressOR if you mean "remote ORPort and DirPort connections".
Also, the documentation is unclear, and we need to fix it: https://trac.torproject.org/projects/tor/ticket/22145
> b) Is it ok to set OutboundBindAddressExit for IPv4 only, even if we set 'IPv6Exit 1' or is setting an IPv6 OutboundBindAddressExit address required after setting OutboundBindAddressExit for IPv4?
> Since this question might be a bit confusing I'll give an example in form of torrc lines:
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
> IPv6Exit 1
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> (this config has an IPv4 OutboundBindAddressExit entry but no IPv6 OutboundBindAddressExit entry)
This means that IPv6 Exit connections will use the OS routing table.
> c) Similar to (b) is it ok to enable OutboundBindAddressExit for IPv6 only?
This means that IPv4 Exit connections will use the OS routing table.
> d) Is it ok if multiple tor instances on the same host use the same OutboundBindAddressExit address? (ignoring the fact that big exits might run out of source ports?)
Yes, tor does not use any specific source ports for outgoing connections.
> ... [1] https://github.com/nusenu/ansible-relayor/commit/00fa7c571e8b6f6256092d99283...

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------
Hello teor,
teor:
> If you don't specify OutboundBindAddressOR [IPv6], any IPv6 connections a relay makes will go via the OS routing table, which may use the same address as OutboundBindAddressExit.
Thank you for this input, I added an OutboundBindAddress line (without "OR") for IPv6 as well (IPv6 ORPort line is already in place).
https://github.com/nusenu/ansible-relayor/commit/d708e9c85963455de1975a0af4e...
> Also, the documentation is unclear, and we need to fix it: https://trac.torproject.org/projects/tor/ticket/22145
That was me filing that ticket.
thanks, nusenu
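
Added example (not part of the thread and not ansible-relayor code): a small torrc check for the point raised in teor's reply, reporting per address family whether OR and exit connections are pinned to distinct source addresses or left to the OS routing table. The function names are hypothetical, and the fallback order (specific option, then OutboundBindAddress, then the OS routing table) is an assumption based on the override behaviour discussed above.

```python
import ipaddress

# Option names as used in the thread (matched with exact spelling here).
# Assumed fallback: specific option -> OutboundBindAddress -> OS routing table.
BIND_OPTS = ("OutboundBindAddress", "OutboundBindAddressOR", "OutboundBindAddressExit")

def parse_binds(torrc_text):
    """Return {option: {4: addr, 6: addr}} for the outbound bind options."""
    binds = {opt: {} for opt in BIND_OPTS}
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in BIND_OPTS:
            addr = ipaddress.ip_address(parts[1].strip("[]"))  # IPv6 is written [addr]
            binds[parts[0]][addr.version] = str(addr)
    return binds

def effective_sources(torrc_text):
    """Per family, the source address for OR and exit traffic (None = OS routing table)."""
    b = parse_binds(torrc_text)
    out = {}
    for fam in (4, 6):
        generic = b["OutboundBindAddress"].get(fam)
        out[fam] = {
            "or": b["OutboundBindAddressOR"].get(fam, generic),
            "exit": b["OutboundBindAddressExit"].get(fam, generic),
        }
    return out

def findings(torrc_text):
    """Families where exit and OR traffic are not pinned to distinct addresses."""
    result = []
    for fam, src in effective_sources(torrc_text).items():
        if src["or"] is None or src["exit"] is None:
            result.append((fam, "unpinned: OS routing table picks the source"))
        elif src["or"] == src["exit"]:
            result.append((fam, "OR and exit share " + src["or"]))
    return result

# Constructed sample: config (b) from the thread, one option per line.
CONFIG_B = """
ORPort 1.2.3.4:9001
OutboundBindAddress 1.2.3.4
OutboundBindAddressExit 7.7.7.7
IPv6Exit 1
ExitRelay 1
ExitPolicy reject *:25,accept *:*
"""

print(findings(CONFIG_B))
```

For config (b) this reports IPv6 as unpinned; adding bracketed IPv6 lines for both OutboundBindAddress and OutboundBindAddressExit clears the finding.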