As to the blog post you mention… Your statements are very generic: now you talk about "not blocking tor", but tor is not just one webpage, one server, a monolithic entity. I would appreciate details: If your customer has "advanced security" activated, can he connect to any ORPort of any tor middle relay?
Fair enough. That post was in any case from 2014 and the questions are different today (I just used it as an example that we’re not against Tor). Honestly, I’m a little surprised that someone running a Tor exit node would not be using their own cable modem and running their own router (whether open source a la Openwrt or commercial). If someone wants to do stuff like run a Tor exit node or run a MASQUE relay or whatever, I’d recommend they turn off Advanced Security and manage their routing & firewall rules themselves.
Sorry if I am a bit repetitive, but https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security mentions "Blocks remote access to smart devices from known dangerous sources." What do you mean by dangerous sources, and does it include tor relays or exits?
It may be down to the fact that “unknown” users connect to the relay/exit and that the average consumer user of the Advanced Security service does not want that. I suspect if someone wants this, it’s best to toggle Advanced Security off.
I don't know whether this customer has "Advanced security" turned on, I just assume he has. Do you want me to send you privately more details (my IP and this peer's IP)?
Sure – I am happy to look at that confidentially. But it could be a wide range of other things – even basic things like someone’s router timing out external connections after X minutes, etc.
So you remind me of an old joke: who should I believe, you, or my eyes? Sorry, I choose my eyes. I am talking here about direction from my node to Comcast. It is still possible that you don't block connections from Comcast to relays, I have contradictory evidence about this point. So if your "not blocking tor" means "not preventing our customer from connecting to some tor relays", this could be true.
Alternatively, given the large size of our network, if we were in fact blocking this, then I’d expect to see this list filled with complaints and social media sites (Twitter https://twitter.com/search?q=comcast%20tor&src=typed_query&f=top, Reddit, etc.) filled with complaints. But what I see now is a single report. That said, I routinely look at such reports when they seem at odds with our network policies so as to be certain there’s not some misconfiguration or bug someplace.
Jason
Hi xmrk2,
As a fellow relay operator I think it might be helpful for me to add some clarification to what you saw.
1. "comcast" the ISP didn't block or interfere with traffic to/from the relay IP. (Thanks Jason for the clarification.)
2. However, an average "comcast user" (with ISP-provided modem and "advanced security" on by default) will by default block *incoming* connections from relay IPs. Thus, when said user opens a port forward on their public IP, you can't proactively connect to that IP:port from your relay's IP.
3. "advanced security" will not block return traffic for *outgoing* connections from the user. That is, when this user connects to a relay IP (e.g., opens a tor browser), it works just fine.
The blocking is done at the modem box, and anyone expecting incoming connection from the wider internet should obviously turn off "advanced security" on their box. I can understand the motivation for the default -- when most people set up port forwarding, they probably only want incoming connections from friends or their own phone, not the entire internet.
I do not use comcast personally, so this is only based on anecdotes I heard and the thread so far; please take it with a grain of salt. Hope it helps. I'm also happy to help you and your lightning node friend privately. -- Danny
On Thu, Jun 15, 2023 at 6:43 AM Livingood, Jason via tor-relays <tor-relays@lists.torproject.org> wrote:
Yes, I agree 100% with Danny's summary here, so I have to concede: I did not find enough evidence that Comcast blocks connections *to* tor relays. I apologize. Specifically, I did some tests with ronqtorrelays at risley.net, who is a Comcast Business customer, and he had no problem initiating a TCP connection to my relay, even to a tor-unrelated port.
About the other direction - from tor relays or exits to Comcast:
https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security mentions "Blocks remote access to smart devices from known dangerous sources.". What do you mean by dangerous sources, and does it include tor relays or exits?
It may be down to the fact that “unknown” users connect to the relay/exit and that the average consumer user of the Advanced Security service does not want that. I suspect if someone wants this, it’s best to toggle Advanced Security off.
Seems you do not understand the difference between an exit relay and a non-exit relay. (Nor do the persons who implemented this blocking of traffic from tor relays - this would explain a lot.)
I would first reformulate: unknown and anonymous users may route their traffic through tor, including some attacks (DDoS or worse), and this traffic will look like it originates from a tor *exit* relay. But this is only true of *exit* relays (and then only for some ports, but let's keep it simple). Non-exit relays only send tor-related traffic to other tor relays, never to other destinations. So when a non-exit relay R connects to a computer X, which does not run anything tor-related, you can be sure this connection is not tor-related and is really initiated by R. If we had a tor exit relay E, then the connection E->X could be initiated by E or by a bad guy B who is abusing tor's anonymity. And X cannot tell the difference, so it is reasonable to assume the worst and block this. The traffic from B would really follow the path B->R1->R2->E->X, where R1 and R2 are non-exit relays. You may argue that this bad traffic goes through R1 and R2, but so what? Blocking E->X is sufficient, but you are also blocking R1->X and R2->X.
Here is a basic explanation of relay types by the Tor project itself: https://community.torproject.org/relay/types-of-relays/ .
Q to community: Is there some better official document explaining the difference between exit and non-exit relays? It could be more trustworthy than my explanation (and better written). Most of what I found is about tor exits, like https://community.torproject.org/relay/community-resources/tor-abuse-templat... .
I can see how a random website does not bother to understand this - see reports in this thread about a bank blocking tor relays. But ISP's core competency should be networks, so I would expect an ISP to understand the real dangers and apply more nuance than "let's block everything tor-related".
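To make Danny's three points (incoming from relay IPs blocked, return traffic for outgoing connections allowed) and xmrk2's exit/non-exit argument concrete, here is an added example; it is not code from anyone in this thread, from Comcast or from the Tor project. It parses a few constructed consensus-style relay entries (r/s/p lines with fake fingerprints and documentation-range addresses), classifies a connection source as a non-exit relay, an exit whose policy could carry anonymous user traffic to that port, or a non-relay, and runs the thread's scenario through a small stateful filter under two policies: the broad one described above ("drop inbound from every relay IP") and a narrower one that only drops where the originator could be anonymous. The forwarded port 9735 and the relay addresses are assumptions for the example.

```python
# Added example, not code from the thread's participants, Comcast or the Tor
# project: model the inbound blocking the thread describes ("drop anything
# from a relay IP") next to a narrower policy that only considers exit relays.
from dataclasses import dataclass, field

# Constructed entries in the style of Tor network-status consensus r/s/p
# lines. Addresses are documentation ranges and fingerprints are fake.
SAMPLE_CONSENSUS = """\
r middle1 CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2023-06-15 06:43:00 192.0.2.20 443 0
s Fast Guard Running Stable Valid
p reject 1-65535
r exit1 EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2023-06-15 06:43:00 198.51.100.30 9001 9030
s Exit Fast Running Stable Valid
p accept 80,443
r exit2 GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2023-06-15 06:43:00 198.51.100.40 9001 0
s Exit Fast Running Valid
p accept 1-65535
"""
FORWARDED_PORT = 9735  # assumed: the customer forwards a Lightning node port

@dataclass
class Relay:
    nickname: str
    ip: str
    flags: set = field(default_factory=set)
    policy: tuple = ("reject", [(1, 65535)])  # exit policy summary

def parse_port_summary(summary):
    """'accept 80,443' -> ('accept', [(80, 80), (443, 443)])."""
    verb, _, ports = summary.strip().partition(" ")
    ranges = []
    for item in ports.split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return verb, ranges

def policy_allows(policy, port):
    """Can user traffic leave this exit towards `port`?"""
    verb, ranges = policy
    listed = any(lo <= port <= hi for lo, hi in ranges)
    return listed if verb == "accept" else not listed

def parse_consensus(text):
    relays = []
    for line in text.splitlines():
        parts = line.split()
        kind = parts[0] if parts else ""
        if kind == "r":  # r nickname identity digest date time IP ORPort DirPort
            relays.append(Relay(parts[1], parts[6]))
        elif kind == "s" and relays:
            relays[-1].flags = set(parts[1:])
        elif kind == "p" and relays:
            relays[-1].policy = parse_port_summary(line[2:])
    return relays

def classify_source(src_ip, dst_port, relays):
    """exit-anonymous: any Tor user could be behind it (B->R1->R2->E->X);
    relay-host: only the relay machine itself can be the originator (R->X);
    non-relay: not a relay IP at all."""
    for r in relays:
        if r.ip == src_ip:
            if "Exit" in r.flags and policy_allows(r.policy, dst_port):
                return "exit-anonymous"
            return "relay-host"
    return "non-relay"

def broad_blocks(src_ip, dst_port, relays):
    """The policy the thread describes: drop inbound from every relay IP."""
    return classify_source(src_ip, dst_port, relays) != "non-relay"

def narrow_blocks(src_ip, dst_port, relays):
    """Drop inbound only where the true originator could be anonymous."""
    return classify_source(src_ip, dst_port, relays) == "exit-anonymous"

@dataclass
class Firewall:
    relays: list
    narrow: bool
    established: set = field(default_factory=set)  # customer-initiated flows

    def outbound(self, dst_ip, dst_port, src_port):
        self.established.add((dst_ip, dst_port, src_port))  # remember the flow

    def inbound(self, src_ip, src_port, dst_port):
        if (src_ip, src_port, dst_port) in self.established:
            return True  # return traffic for a customer-initiated connection
        blocks = narrow_blocks if self.narrow else broad_blocks
        return not blocks(src_ip, dst_port, self.relays)

def thread_scenario(narrow):
    """Replay the connections from the thread; True means the packet passes."""
    fw = Firewall(parse_consensus(SAMPLE_CONSENSUS), narrow)
    out = {
        "middle_to_forwarded": fw.inbound("192.0.2.20", 40000, FORWARDED_PORT),
        "exit_all_to_forwarded": fw.inbound("198.51.100.40", 40001, FORWARDED_PORT),
        "exit_web_to_forwarded": fw.inbound("198.51.100.30", 40002, FORWARDED_PORT),
    }
    fw.outbound("192.0.2.20", 443, 51000)  # customer connects to a relay ORPort
    out["return_from_middle"] = fw.inbound("192.0.2.20", 443, 51000)
    return out
```

Running `thread_scenario(False)` reproduces what xmrk2 observed: the middle relay cannot reach the forwarded port, yet the customer's own connection to the relay's ORPort gets its return traffic through. Under `thread_scenario(True)` the middle relay and the 80/443-only exit are let through, while the exit that accepts all ports (the only source behind which an anonymous user could actually sit for port 9735) is still dropped, which is the nuance xmrk2 asks for.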