[tor-bugs] #18456 [Core Tor/Tor]: Exits on 0.2.7 publicise all their IP addresses in their descriptor
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jul 1 05:48:21 UTC 2016
#18456: Exits on 0.2.7 publicise all their IP addresses in their descriptor
--------------------------+------------------------------------
Reporter: teor | Owner:
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor | Version: Tor: 0.2.7.2-alpha
Severity: Normal | Resolution:
Keywords: | Actual Points: 0.2
Parent ID: | Points: 3
Reviewer: | Sponsor:
--------------------------+------------------------------------
Changes (by teor):
* status: new => needs_review
* actualpoints: => 0.2
Comment:
Please see my branch bug18456 on https://github.com/teor2345/tor.git
The corresponding torspec patch is in #19453.
I fixed this issue by making ExitPolicyRejectPrivate only reject IP
addresses we are going to put in the descriptor anyway (that is, the
relay's advertised IPv4 and IPv6 address).
Then, I added another option ExitPolicyRejectLocalInterfaces that also
blocks the IPv4 and IPv6 OutboundBindAddresses, and the configured port
addresses, and any interface addresses. (If a specific bind address is
configured for the ORPort and DirPort, it is included by both options.
This is ok, and necessary because of public-to-public address redirection.
Also, any duplicate rules are removed.)
I didn't modify the sample torrcs, but I can do that if we think it's a
good idea.
I made this patch on master because we've made multiple changes to this
code since 0.2.7.2-alpha. And it's not really a security issue.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18456#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list