On 3/3/11 12:13 PM, Moritz Bartl wrote:
> Hi
> On 03.03.2011 11:43, mick wrote:
>> OK, so that idea may not be a runner - but surely the whole purpose of the exit policy system is to allow us to run exit nodes which /do/ limit activity to that which we deem acceptable (or legal).
> Exactly. The *exit policy* is there to limit exit activity. Not iptables or "IDS" afterwards.
I know and fully understand your point; filtering or not at the exit node level is a controversial issue.
The TOR ExitPolicy provides too little flexibility to properly fine-tune a person's risk/exit policy decisions, being based only on IP/port and with a limitation on how many IP/ports can be allowed/filtered.
Still, I would like to point out a *practical* feeling that I got from a lot of people to whom I tried to say "hey, run an exit node!".
Some people tried to run an exit node, then they got their internet connection disconnected due to a high number of claims. Such people think that if they were able to remove the claims that cause their internet connection to be cut off, they would be happy to run a server.
Some other people just do not run a TOR exit node due to the perceived and concrete risks that their node will be used to start cyber-attacks and that they will have trouble because of this. Those people would be happy to support Freedom of Speech and fight for anti-censorship in support of people living in the non-free world. At the same time they don't want to get involved in cyber attacks.
Some other people, like me, live in a country where the justice and judicial system is in a dramatic situation. In Italy, if you have a legal problem, it will take between 5 and 10 years to solve the issue. In such conditions I DO NOT WANT any traffic to go to Italian networks, because a stupid and dumb prosecutor would probably raid my home in the morning and I will have to manage 5-10 years of legal handling. Unfortunately there's no way to create an exit policy that's able to load the blocking destined for a specific country (Tor just crashes and there's an issue about it due to the high number of ExitPolicy statements).
I think that all those issues are absolutely reasonable and understandable and, if properly managed without a technology-taliban approach, would allow a lot more people to run exit nodes.
So still my goal is to test, implement, document and create howtos to:
- Block P2P to avoid P2P related claims
- Block Portscan to avoid portscan related claims
- Block web attacks to avoid web attacks related claims
- Block traffic going to the country where I live to avoid stupid prosecutor causing me 5-10 years of legal trouble
Yes, I understand that this is outside the concept of *perfect freedom* related to TOR, but still it would be an answer to the many people who would be happy to run an Exit Node to support freedom of speech while limiting their risks, personal feeling and effort for maintenance and running a TOR node.
If that's something not acceptable for the community, I accept being marked as an untrusted node, or rogue node or whatever.
Still, I think that this approach is reasonable and can create value for the TOR project's growth.
-naif http://infosecurity.ch
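
Added example, not part of the original message and not Tor project code: because the message reports trouble with very large ExitPolicy lists, this Python script merges adjacent and overlapping IPv4 ranges before emitting `ExitPolicy reject` lines, so a per-country block needs fewer statements. The CIDR list is constructed from documentation ranges, the function names are hypothetical, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample: RFC 5737 documentation ranges standing in for a
# country's allocation list (a real list would come from a registry export).
SAMPLE_CIDRS = [
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the previous range: merges into a /24
    "192.0.2.0/24",
    "192.0.2.16/28",      # already covered by 192.0.2.0/24
    "203.0.113.0/26",
    "203.0.113.64/26",    # merges with the previous range into a /25
    "203.0.113.192/26",   # not adjacent to anything, stays as it is
    "# comment lines and blank lines are skipped",
    "",
]


def parse_cidrs(lines):
    """Parse one CIDR per line, ignoring blanks and '#' comments."""
    networks = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if text:
            # strict=False masks stray host bits instead of raising
            networks.append(ipaddress.ip_network(text, strict=False))
    return networks


def exit_policy_rejects(lines, ports="*"):
    """Return the smallest set of ExitPolicy reject lines covering the input."""
    v4 = [n for n in parse_cidrs(lines) if n.version == 4]
    # collapse_addresses drops subsumed ranges and joins adjacent ones
    merged = ipaddress.collapse_addresses(v4)
    return [f"ExitPolicy reject {net}:{ports}" for net in merged]


if __name__ == "__main__":
    rules = exit_policy_rejects(SAMPLE_CIDRS)
    print(f"# {len(parse_cidrs(SAMPLE_CIDRS))} input ranges -> {len(rules)} rules")
    print("\n".join(rules))
```

Tor evaluates ExitPolicy rules in order and the first match wins, so the generated reject lines belong before any accept lines in torrc.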