On Wed, Dec 17, 2025 at 09:41:33PM +0100, Marco Moock via tor-relays wrote:
> I noticed that the implicit exit policy includes IPv4 localhost, RFC1918 IPv4 ranges etc, but does not include IPv6 by default, e.g. ::1, fe80::/10, fec0::/10 and not the public IPv6 itself. Is that a bug or a configuration issue?
Hm! I think it is a bug. Our ipv6 integration is still not as comprehensive as it should be.

We prepend those reject lines to the default exit policy to avoid security surprises when people run their relay in a position where localhost or 192.168/16 etc are trusted. For example:

* There was a time when the default apache config allowed localhost to read /server/status
* It turns out for many operating systems, connecting to 0.0.0.0 means connecting to localhost
* 192.168/16 too often gets access to your local wifi router
* If you run your exit relay on your DMZ and it has access to your otherwise-firewalled corporate network on 10/8, now the relay lets traffic pass between them

Those types of reasons probably apply to ipv6 as well, right?

Can somebody with a good ipv6 understanding open a gitlab ticket with the address blocks that will introduce these surprises for ipv6 operators?

Thanks,
--Roger
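The gap Marco describes, as an added example that is not part of the thread and is not tor's own policy code: a small evaluator for torrc-style "accept"/"reject" lines with first-match semantics. Policy lines are matched in order, and an IPv6 destination can never match an IPv4 prefix, so a reject list built only from the IPv4 ranges Roger lists lets ::1 or fe80::1 fall through to the closing "accept *:*". The IPv6 block list (the ranges Marco names plus fc00::/7 as the ULA counterpart of RFC1918) and the relay's own address 2001:db8::1 are assumptions constructed for this example, not a statement of what tor ships.

```python
"""Evaluate torrc-style exit policy lines and show the IPv4/IPv6 gap.

Added example for the tor-relays thread; not tor's policy code.
"""
import ipaddress
import re

# IPv4 ranges from Roger's list (localhost, 0.0.0.0, 192.168/16, 10/8),
# plus the remaining RFC1918 block and IPv4 link-local.
IPV4_PRIVATE_REJECTS = [
    "reject 0.0.0.0/8:*",
    "reject 127.0.0.0/8:*",
    "reject 169.254.0.0/16:*",
    "reject 10.0.0.0/8:*",
    "reject 172.16.0.0/12:*",
    "reject 192.168.0.0/16:*",
]

# IPv6 counterparts: the ranges Marco names, the unspecified address, and
# fc00::/7 (ULA) as the analogue of RFC1918. Assumption for this example.
IPV6_PRIVATE_REJECTS = [
    "reject [::1]/128:*",
    "reject [::]/128:*",
    "reject [fe80::]/10:*",
    "reject [fec0::]/10:*",
    "reject [fc00::]/7:*",
]

_LINE = re.compile(r"^(accept|reject)\s+(\S+):(\S+)$")


def parse_line(line):
    """Parse 'accept|reject ADDR[/len]:PORT|lo-hi|*' into (action, nets, (lo, hi))."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"bad policy line: {line!r}")
    action, addr, ports = m.groups()
    if addr == "*":
        nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    else:
        # torrc writes IPv6 prefixes as [addr]/len; ipaddress wants addr/len.
        nets = [ipaddress.ip_network(addr.strip("[]").replace("]", ""), strict=False)]
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return action, nets, (lo, hi)


def evaluate(policy_lines, dest_ip, dest_port):
    """Return the action of the first line matching (dest_ip, dest_port).

    No match falls through to 'reject' (this example's choice; the policies
    built here always end in an explicit catch-all anyway).
    """
    ip = ipaddress.ip_address(dest_ip)
    for line in policy_lines:
        action, nets, (lo, hi) = parse_line(line)
        if not lo <= dest_port <= hi:
            continue
        if any(net.version == ip.version and ip in net for net in nets):
            return action
    return "reject"


def own_address_reject(addr):
    """Reject line for the relay's own address (the 'public IPv6 itself' case)."""
    ip = ipaddress.ip_address(addr)
    return f"reject [{ip}]/128:*" if ip.version == 6 else f"reject {ip}/32:*"


def build_policy(own_addresses=(), include_ipv6=False):
    """Private-range rejects, own-address rejects, then 'accept *:*'."""
    lines = list(IPV4_PRIVATE_REJECTS)
    if include_ipv6:
        lines += IPV6_PRIVATE_REJECTS
    lines += [own_address_reject(a) for a in own_addresses]
    return lines + ["accept *:*"]


def find_gaps(policy_lines, probes):
    """Destinations from `probes` (ip, port) that the policy still accepts."""
    return [p for p in probes if evaluate(policy_lines, *p) == "accept"]


# Constructed probes: the surprises from the thread, in both address families.
PROBES = [("127.0.0.1", 80), ("0.0.0.0", 80), ("192.168.1.1", 443), ("10.1.2.3", 22),
          ("::1", 80), ("::", 80), ("fe80::1", 443), ("fec0::1", 22), ("fd00::1", 22),
          ("2001:db8::1", 443)]

if __name__ == "__main__":
    # Assumed relay address 2001:db8::1 (documentation prefix, constructed).
    print("ipv4-only gaps:", find_gaps(build_policy(), PROBES))
    print("with ipv6 gaps:", find_gaps(build_policy(["2001:db8::1"], True), PROBES))
```

Run as a script it lists which of the constructed probes each policy still lets out: every IPv6 probe gets through the IPv4-only list, and only a non-private, non-own address (none among these probes) survives the extended one. The own-address line has to sit before the catch-all, which is why build_policy appends it after the range rejects and before "accept *:*".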