On 07.02.2016 at 21:47, Toralf Förster wrote:
> On 02/07/2016 09:17 PM, Roland 'ValiDOM' Jungnickel wrote:
>> So to say... these rules work. But most probably somebody with more iptables experience might adjust them to be even more effective AND less "problematic".
> Again - it is problematic in Germany *and* you fool the Tor directory authorities. Don't run an exit if you can't run an exit.
Thanks Toralf for your reply.
Regarding §8 TMG in Germany - yes, there is a risk. Honestly, I fight for this rule to apply to free Wifi providers (also to people just running one access point) and Tor exit nodes. There is a current court case about free Wifi at the European Court of Justice (ECJ) that I initiated and for which I do fund-raising, public relations and so on (C-484/14). An Advocate General will publish his opinion on the case this April.
In other words... §8 TMG and its limits are well-known to me. So why did I still apply the firewall rule to the exit? If you read the iptables rules I adopted carefully, you see that I do not select source or target. I limit new connections based on a time-value. In my humble opinion this is like using a small uplink, but not violating §8 TMG.
And - what would be the alternative? Find an ISP which does accept (or just does not recognise) massive netscans? Might be an option. But as of my current and past understanding, a netscan is not "normal" network usage. It is abuse. As long as the Tor daemon does not offer functionality to avoid such abuse, the only way to deal with it is a firewall rule. This should answer your second objection about fooling the Tor directory. I just do not care if netscans over Tor do not work properly ;)
Vali