[tor-bugs] #16065 [Tor]: manual page is not clear about ExitPolicy accept *:port, affecting IPv4 and IPv6?

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun May 17 18:27:19 UTC 2015


#16065: manual page is not clear about ExitPolicy accept *:port, affecting IPv4 and IPv6?
-------------------------+---------------------
 Reporter:  cypherpunks  |          Owner:
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor          |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+---------------------
 Relay operators seem to have problems understanding the current expected
 behaviour of ExitPolicy configurations in the light of IPv6. Maybe we can
 improve the manual page to make it more clear.

 See:

 https://lists.torproject.org/pipermail/tor-relays/2015-May/006967.html
 https://lists.torproject.org/pipermail/tor-relays/2015-May/006978.html
 https://lists.torproject.org/pipermail/tor-relays/2015-May/006970.html
 https://gitweb.torproject.org/tor.git/tree/src/or/routerparse.c?id=tor-0.2.7.1-alpha#n3354

 Is
 {{{
 ExitPolicy accept *:80
 }}}
 affecting IPv6 as well? If so, state that in the documentation.
 If it does: How do I specify IPv4 policy entries that target all IPv4 IPs?
 (0.0.0.0/0?)

 (According to the current documentation I would not assume that such a
 line affects IPv6.)

 {{{
 ExitPolicy policy,policy,…

     Set an exit policy for this server. Each policy is of the form
 "accept|reject ADDR[/MASK][:PORT]". If /MASK is omitted then this policy
 just applies to the host given. Instead of giving a host or network you
 can also use "*" to denote the universe (0.0.0.0/0). PORT can be a single
 port number, an interval of ports "FROM_PORT-TO_PORT", or "*". If PORT is
 omitted, that means "*".

     For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*"
 would reject any traffic destined for MIT except for web.mit.edu, and
 accept anything else.

     To specify all internal and link-local networks (including 0.0.0.0/8,
 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and
 172.16.0.0/12), you can use the "private" alias instead of an address.
 These addresses are rejected by default (at the beginning of your exit
 policy), along with your public IP address, unless you set the
 ExitPolicyRejectPrivate config option to 0. For example, once you’ve done
 that, you could allow HTTP to 127.0.0.1 and block all other connections to
 internal networks with "accept 127.0.0.1:80,reject private:*", though that
 may also allow connections to your own computer that are addressed to its
 public (external) IP address. See RFC 1918 and RFC 3330 for more details
 about internal and reserved IP address space.

     Tor also allows IPv6 exit policy entries. For instance, "reject6 /7:*"
 rejects all destinations that share the 7 most significant bits with
 address FC00::. Respectively, "accept6 /3:*" accepts all destinations that
 share the 3 most significant bits with address C000::.

     This directive can be specified multiple times so you don’t have to
 put it all on one line.

     Policies are considered first to last, and the first match wins. If
 you want to _replace_ the default exit policy, end your exit policy with
 either a reject *:* or an accept *:*. Otherwise, you’re _augmenting_
 (prepending to) the default exit policy. The default exit policy is:

     reject *:25
     accept *:*

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16065>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
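An added example, not tor's own code and not a claim about what tor actually does: a small evaluator that follows the quoted manual text literally, so "*" means 0.0.0.0/0, only accept6/reject6 entries (assumed here to be written as [addr]/mask:port) can match IPv6 destinations, the first match wins, and the configured policy is prepended to the default policy. Under that literal reading `accept *:80` never matches an IPv6 destination, which is exactly the gap the ticket asks the documentation to close.

```python
import ipaddress

# Default policy and "private" alias exactly as the quoted manual text gives them.
DEFAULT_POLICY = "reject *:25,accept *:*"
PRIVATE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8",
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
ANY_PORT = (0, 65535)

def parse_port(spec):
    """'*' -> all ports, '80' -> (80, 80), '80-443' -> (80, 443)."""
    if spec == "*":
        return ANY_PORT
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def parse_entry(entry):
    """One 'accept|reject[6] ADDR[/MASK][:PORT]' entry -> (accept?, nets, ports)."""
    action, target = entry.strip().split(None, 1)
    if target.startswith("["):              # assumed IPv6 form: [addr]/mask:port
        host, _, rest = target[1:].partition("]")
        mask, _, port = rest.partition(":")
        addr = host + mask
    else:                                   # IPv4 address, "*" or the "private" alias
        addr, _, port = target.partition(":")
    if addr == "*":
        nets = [ipaddress.ip_network("0.0.0.0/0")]   # literally what the manual says
    elif addr == "private":
        nets = PRIVATE
    else:
        nets = [ipaddress.ip_network(addr, strict=False)]
    return (action.startswith("accept"), nets, parse_port(port or "*"))

def exit_allowed(policy_text, dest_ip, dest_port, reject_private=True):
    """First match wins; the configured policy augments (prepends to) the default.
    Returns True/False on a match, None if no entry matches the destination."""
    dest = ipaddress.ip_address(dest_ip)
    text = policy_text + "," + DEFAULT_POLICY
    entries = [parse_entry(e) for e in text.split(",") if e.strip()]
    if reject_private:                      # ExitPolicyRejectPrivate left at its default
        entries.insert(0, (False, PRIVATE, ANY_PORT))
    for accept, nets, (lo, hi) in entries:
        # `dest in net` is False when address families differ, so an IPv6
        # destination never matches a 0.0.0.0/0 entry under this reading.
        if lo <= dest_port <= hi and any(dest in net for net in nets):
            return accept
    return None

if __name__ == "__main__":
    print(exit_allowed("accept *:80", "93.184.216.34", 80))   # True
    print(exit_allowed("accept *:80", "2001:db8::1", 80))     # None: nothing matched
```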