Hello list,
I hope this is the correct list to send these questions, if not I apologize and please tell me where I should send this message.
I want to set up a Tor node to run as an exit enclave for a web site (WordPress) and message board (vBulletin). However, I have found little documentation on how to accomplish this on a remote server, e.g. https://trac.torproject.org/projects/tor/wiki/doc/ExitEnclave . Is there a more thorough document/manual for exit enclaves?
Is it correct that an exit enclave will act as a 'normal' exit node, as well as the exit enclave for its IP address (https://trac.torproject.org/projects/tor/ticket/800)? If so, is it possible to block exit to any IP other than the node's own IP via torrc file? If not, maybe I could only allow exits to white-list IPs, such as Tor Project web site IP, EFF IP, and etc?
I believe someone who sends messages to tor-talk maintains a hardened (OS(?) and) Tor, meant to be run as a node only, from remote server space. Does anyone have a link for that software? I looked at the Tor web site but I didn't find information. I am thinking about using that software as the exit enclave.
Lastly, is it possible (and smart - re anonymity and resources) to use the exit enclave to offer a hidden service address?
Thanks!
you can set your exit policy to a whitelist on ip/port basis, but iirc not on a dns-name/port basis (which means you should enumerate all the IPs belonging to a load-balanced website if you want to allow exit access to it).
cheers -k
On 03/30/2012 04:18 PM, Jef Heri wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hello krugar,
--- On Fri, 3/30/12, krugar tor-admin@krugar.de wrote:
On 03/30/2012 04:18 PM, Jef Heri wrote:
Hello list,
[snip]
Is it correct that an exit enclave will act as a 'normal' exit node, as well as the exit enclave for its IP address (https://trac.torproject.org/projects/tor/ticket/800)? If so, is it possible to block exit to any IP other than the node's own IP via torrc file? If not, maybe I could only allow exits to white-list IPs, such as Tor Project web site IP, EFF IP, and etc?
[snip]
Thanks!
you can set your exit policy to a whitelist on ip/port basis, but iirc not on a dns-name/port basis (which means you should enumerate all the IPs belonging to a load-balanced website if you want to allow exit access to it).
cheers -k
Thank you for the information. I'm debating whether I should allow exits from my exit enclave to 'safe' sites, to help the Tor network, or simply run a full-tilt exit node, and bridge nodes, from elsewhere to help the Tor network. I think the latter...
Cheers.
you can set your exit policy to a whitelist on ip/port basis, but iirc not on a dns-name/port basis (which means you should enumerate all the IPs belonging to a load-balanced website if you want to allow exit access to it).
Keep in mind that exit enclaves only work on the one IP your relay uses for its ORPort.
Hello krugar and Bryon,
On Fri, Mar 30 12:24:48, krugar <tor-admin at krugar.de > wrote:
you can set your exit policy to a whitelist on ip/port basis, but iirc not on a dns-name/port basis (which means you should enumerate all the IPs belonging to a load-balanced website if you want to allow exit access to it).
On Fri, Mar 30 23:39:15, Bryon Eldridge barkerjr@barkerjr.net wrote:
Keep in mind that exit enclaves only work on the one IP your relay uses for its ORPort.
Thank you both.
It's my understanding that if you put the following Exit Policy in your torrc:
    ExitPolicyRejectPrivate 0
    ExitPolicy accept 97.107.139.108
    ExitPolicy reject *:*
Where 97.107.139.108 is your IP address (that one's mine), you will Exit Enclave to your site, not allow any other exit traffic, you will be a normal tor relay (meaning you should check your bandwidth limits/accounting), and you will become the preferred path for Tor traffic to your site.
Hidden Services are different from Exit Enclaving. I would be surprised if there was any danger to be added by running a Hidden Service on an Exit Enclave, and if so, that should be documented better.
If anything I said is incorrect, I hope that someone will correct me in detail, and review the changes I'd like to make to the documentation - because if I misunderstood, I think the Docs need clarifying.
-tom
Wouldn't it be safer to accept connections only on port 80? Else he would be exposing the whole machine.
On Mar 30, 2012 5:43 PM, "Tom Ritter" tom@ritter.vg wrote:
It's my understanding that if you put the following Exit Policy in your torrc:
    ExitPolicyRejectPrivate 0
    ExitPolicy accept 97.107.139.108
    ExitPolicy reject *:*
Where 97.107.139.108 is your IP address (that one's mine), you will Exit Enclave to your site, not allow any other exit traffic, you will be a normal tor relay (meaning you should check your bandwidth limits/accounting), and you will become the preferred path for Tor traffic to your site.
Hidden Services are different from Exit Enclaving. I would be surprised if there was any danger to be added by running a Hidden Service on an Exit Enclave, and if so, that should be documented better.
If anything I said is incorrect, I hope that someone will correct me in detail, and review the changes I'd like to make to the documentation - because if I misunderstood, I think the Docs need clarifying.
-tom
On 30 March 2012 10:50, Konstantinos Asimakis inshame@gmail.com wrote:
Wouldn't it be safer to accept connections only on port 80? Else he would be exposing the whole machine.
Hm. I don't know. If you have a local firewall that blocks access to say, samba, from external addresses, but allows it locally - would tor allow you to access the port, because it appears that the connection is coming locally?
If you're already exposing port 22 on the internet, I would argue allowing it through tor exit enclaving isn't increasing your risk any. But if tor lets you bypass the firewall - then there's a concern.
-tom
I bet it will bypass the firewall but until someone else answers play it safe and allow only the ports you need. ;-)
On Mar 30, 2012 5:58 PM, "Tom Ritter" tom@ritter.vg wrote:
On 30 March 2012 10:50, Konstantinos Asimakis inshame@gmail.com wrote:
Wouldn't it be safer to accept connections only on port 80? Else he would be exposing the whole machine.
Hm. I don't know. If you have a local firewall that blocks access to say, samba, from external addresses, but allows it locally - would tor allow you to access the port, because it appears that the connection is coming locally?
If you're already exposing port 22 on the internet, I would argue allowing it through tor exit enclaving isn't increasing your risk any. But if tor lets you bypass the firewall - then there's a concern.
-tom
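
An added example, not part of the thread and not Tor's own code: a simplified, IPv4-only model of first-match ExitPolicy evaluation that compares the all-ports enclave policy posted above with the port-80 variant suggested in the replies. The address 203.0.113.10 and the service port list are constructed; the private ranges stand in for what `ExitPolicyRejectPrivate 1` prepends, and the model covers only the exit policy, not any host firewall.

```python
import ipaddress

# Ranges rejected first when ExitPolicyRejectPrivate is 1 (simplified, IPv4 only).
PRIVATE = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16"]

def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK][:PORT]' into (accept?, network, lo, hi)."""
    action, target = rule.split()
    addr, _, port = target.partition(":")
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr)
    if port in ("", "*"):              # an omitted port means every port
        lo, hi = 1, 65535
    else:                              # single port or FROM-TO interval
        lo, _, hi = port.partition("-")
        lo, hi = int(lo), int(hi or lo)
    return action == "accept", net, lo, hi

def build_policy(lines, own_ip, reject_private=True):
    """Prepend the implicit rejects, then the ExitPolicy lines in torrc order."""
    implicit = [f"reject {n}" for n in PRIVATE + [own_ip]] if reject_private else []
    return [parse_rule(r) for r in implicit + lines]

def allows(policy, ip, port):
    """The first rule that matches address and port decides."""
    addr = ipaddress.ip_address(ip)
    for accept, net, lo, hi in policy:
        if addr in net and lo <= port <= hi:
            return accept
    return False  # not reached when the policy ends in 'reject *:*'

def reachable(policy, ip, ports):
    """Ports on ip that the exit policy would let a Tor client connect to."""
    return [p for p in ports if allows(policy, ip, p)]

OWN_IP = "203.0.113.10"          # constructed stand-in for the relay's own address
SERVICES = [22, 80, 139, 445]    # constructed: ssh, http, samba
ALL_PORTS = [f"accept {OWN_IP}", "reject *:*"]      # shape of the posted policy
WEB_ONLY = [f"accept {OWN_IP}:80", "reject *:*"]    # the port-80 suggestion

if __name__ == "__main__":
    for name, lines in (("all ports", ALL_PORTS), ("web only", WEB_ONLY)):
        for rp in (False, True):
            pol = build_policy(lines, OWN_IP, reject_private=rp)
            print(name, "RejectPrivate", int(rp), reachable(pol, OWN_IP, SERVICES))
```

With the implicit rejects left on, the relay's own address is rejected before the accept line is reached, which is why the posted policy sets `ExitPolicyRejectPrivate 0`.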