Hi,
On 03.03.2011 07:32, Fabio Pietrosanti (naif) wrote:
> I am trying to create a low-responsibility TOR exit node that would allow the node to run without too much issue for the maintainer (few claims against operators).
Sounds interesting.
> P2P is out (OpenIPS), traffic to my originating country is out (iptables), I am testing removal of web attacks (through snort inline) but I am not able to remove outgoing portscans that are now generating at least 1-2 claims per week.
You know that your exit will be chosen based on your ExitPolicy, and not anything you do with iptables? I encourage you to play with different exit policies, but ANYTHING you do after already receiving the packets will hurt the network and should be badexited.
> - long-lived tor exit node
What properties does a "long-lived tor exit node" have, other than being up for a long time?
> - low-maintenance tor exit node
Run stable Tor. Use a limited Exit Policy. Hire an admin. Donate to Torservers.
> - a tor exit node that cannot be used for P2P, Web attacks and Portscan
Tor exit nodes (and the Tor network as a whole) should be seen as an ISP. I would not want my ISP to filter or block anything, especially when I have NO CHANCE but to manually build a new circuit and retry. Like Mike Perry said, it will only make those laugh that run portscans or "web attacks" over Tor.
How do you plan on filtering "web attacks"?
Let me give you an example: We run the "limited exit policy" on a number of exits [1]. Most of the complaints we are getting for our exits are stupid web spams (forum posts etc) and mail spam sent through webmailers. How are you going to stop them?
Suggestion:
ExitPolicy reject *:80
> - a tor exit node that generates very few claims (that means more resiliency against carrier/hosting disconnecting the server)
See above.
:-(
[1] https://www.torservers.net/services.html#servers
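As an added illustration (not part of the thread), a toy evaluator for the first-match semantics of Tor's ExitPolicy that the reply relies on: the operator's rules are checked first, then the default suffix documented in the tor manual, and the first matching rule decides. It handles IPv4 rules only, which is a simplification; the destination address is a constructed TEST-NET value.

```python
import ipaddress

# Default exit policy Tor appends after the operator's own ExitPolicy lines
# (as documented in the tor man page). Rules are evaluated in order and the
# first matching rule decides whether the exit will open the connection.
DEFAULT_EXIT_POLICY = [
    "reject *:25", "reject *:119", "reject *:135-139", "reject *:445",
    "reject *:563", "reject *:1214", "reject *:4661-4666",
    "reject *:6346-6429", "reject *:6699", "reject *:6881-6999",
    "accept *:*",
]


def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' (IPv4 only, a simplification)."""
    action, target = rule.split()
    addr, port = target.rsplit(":", 1)
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action == "accept", network, lo, hi


def exit_allows(policy, dest_ip, dest_port):
    """Return True if this exit would accept a stream to dest_ip:dest_port.

    Operator rules come first, then Tor's default suffix; the first rule
    whose address and port range both match wins.
    """
    ip = ipaddress.ip_address(dest_ip)
    for rule in list(policy) + DEFAULT_EXIT_POLICY:
        accept, network, lo, hi = parse_rule(rule)
        if (network is None or ip in network) and lo <= dest_port <= hi:
            return accept
    return True  # not reached: the default suffix ends with accept *:*


# The policy suggested in the reply: refuse all plain-HTTP exits.
NO_HTTP_POLICY = ["reject *:80"]

if __name__ == "__main__":
    # Constructed destination (TEST-NET-3); port 25 is hit by the default suffix.
    for port in (80, 443, 25, 22):
        print(port, exit_allows(NO_HTTP_POLICY, "203.0.113.10", port))
```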