What should the default exit policy be?
arma at mit.edu
Wed Dec 10 09:32:38 UTC 2003
Here is a possible default exit policy. Individual nodes would be free to
have a more restrictive or less restrictive policy. Rules are in order,
first rule to match wins.
reject subnets 127/8, 192.168/16, 10/8, 172.16/12
accept ports 80(http), 443(https), 22(ssh), 20,21(ftp), 53(named),
79(finger), 143(imap), 110(pop), 873(rsync)
accept ports 1024-*
a) Notice that we're rejecting everything else by default. Should
the default be to accept all, and we just pick out the ports/subnets
we're scared of (ports 139, 25, what else)? That opens us up even
more to portscanning, etc of course. In part this is to ensure we
don't run into too much trouble initially as we start to grow. But
we should also consider whether it will be possible to tighten exit
policies down the road, or only loosen them.
b) Speaking of which, I've left smtp off the list of approved ports. While
it would be nice to have it, I don't know of anybody using it, and
"by default you can't use the Tor network to deliver spam" seems like
a nice phrase to be able to say to people.
c) What about spop / simap? What other privileged ports are missing that
we should accept?
More information about the tor-dev