vidalia and new firewall config

Roger Dingledine arma at mit.edu
Tue Aug 28 09:34:38 UTC 2007


On Sun, Aug 26, 2007 at 03:47:14PM +0100, Robert Hogan wrote:
> > First, a new page of Settings, perhaps between General and Server,
> > named "Firewall" or maybe "Network".
> >
> > 1) At the top, there's a checkbox named
> > "My firewall only lets certain ports out". When clicked, there's a
> > textbox that defaults to "80, 443". Maybe the textbox is greyed out when
> > it's not clicked, or maybe it's not there at all. When the textbox is
> > at the default, we can setconf FascistFirewall=1, otherwise we setconf
> > ReachableAddresses to *:"these ports".
> >
> 
> So is fascistfirewall no longer deprecated?

Good question. I think we decided to leave it in since it's
easier to describe in documentation. It's basically a synonym for
ReachableDirAddresses *:80, ReachableORAddresses *:443. Since this step
is automated, it may be smarter just to set each of those directly.

> <snip>
> >
> > 4) The other change is to the 'Server' window. Right now it has only one
> > main option, which is 'Relay traffic for the Tor network'. It should
> > have a second choice, right under that, which is 'Help censored users
> > reach the Tor network'.
> >
> > If either of the checkboxes is checked (you can't check both), then the
> > rest of the window shows up as it does now (but a little bit farther down
> > to accommodate that extra line). If we're choosing the 'help censored
> > users' one, then the defaults are different: the ORPort is 443, the
> > dirport is on (but still 9030), the exit policies are all 'reject',
> > and the bandwidth is on its lowest setting (which appears to be 256 Kbps).
> 
> Choosing 443 makes this hard to implement because Tor has to be started as 
> root to bind to it.  Would it be as well to suggest a popular high-numbered 
> port such as 8080? 

Good point. I guess in Windows-land it should be 443, but in Unix-land
it shouldn't be. Is 8080 popular? What are other good choices that won't
stand out too much?

Eventually I'd like to have an option like "find me a smart port that
isn't already used" and Tor will take it from there, but this involves
some delicate guesswork. And in any case the really hard part is still to
get the user to do port forwarding on his router; maybe we should learn
to play the upnp game at that point too. If anybody here has upnp clue,
please let us know. :)

> Does the bridge still need to do PublishServerDescriptor 0?

Actually, as of 0.2.0.6-alpha, the better answer is
"PublishServerDescriptor bridge"

This will cause him to publish his descriptor, privately, just to
Tonga. Eventually we'll have a way to have Tonga export what it knows
so we can tell identity keys to people via various out of band mechanisms.

Hope that helps,
--Roger
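The SETCONF steps Roger sketches for the "Firewall" page and for the bridge defaults, as an added example that is not from the thread or from Vidalia's own code; the 8080 fallback, the Kbps-to-KBytes conversion and the control-port SETCONF syntax are my assumptions.

```python
import re
import sys

DEFAULT_FIREWALL_PORTS = (80, 443)   # textbox default in Roger's sketch
PRIVILEGED_PORT_LIMIT = 1024         # Unix: binding below this needs root
FALLBACK_BRIDGE_PORT = 8080          # Robert's suggestion; assumed, not a Tor default

def parse_ports(text):
    """Turn textbox contents such as "80, 443" into a sorted tuple of ports.
    Rejects junk so the GUI never sends a malformed SETCONF to the control port."""
    ports = set()
    for tok in re.split(r"[,\s]+", text.strip()):
        if not tok:
            continue
        if not tok.isdigit() or not 1 <= int(tok) <= 65535:
            raise ValueError("bad port: %r" % tok)
        ports.add(int(tok))
    if not ports:
        raise ValueError("no ports given")
    return tuple(sorted(ports))

def firewall_setconf(enabled, text):
    """Control-port commands for the 'My firewall only lets certain ports out' box.
    A bare keyword resets the option to its default when the box is unticked."""
    if not enabled:
        return ["SETCONF ReachableAddresses ReachableORAddresses ReachableDirAddresses"]
    ports = parse_ports(text)
    if ports == DEFAULT_FIREWALL_PORTS:
        # what FascistFirewall=1 expands to, set directly as Roger suggests
        return ['SETCONF ReachableDirAddresses="*:80"',
                'SETCONF ReachableORAddresses="*:443"']
    policy = ",".join("*:%d" % p for p in ports)
    return ['SETCONF ReachableAddresses="%s"' % policy]

def needs_root(port, windows):
    """Robert's objection: on Unix, ports below 1024 require root to bind."""
    return not windows and port < PRIVILEGED_PORT_LIMIT

def bridge_setconf(windows=None, running_as_root=False):
    """Defaults for 'Help censored users reach the Tor network': ORPort 443 only
    where the process can actually bind it, otherwise the high-port fallback."""
    if windows is None:
        windows = sys.platform.startswith("win")
    orport = 443 if (running_as_root or not needs_root(443, windows)) else FALLBACK_BRIDGE_PORT
    return ["SETCONF ORPort=%d" % orport,
            "SETCONF DirPort=9030",
            'SETCONF ExitPolicy="reject *:*"',
            'SETCONF BandwidthRate="32 KBytes"',  # 256 Kbps, Vidalia's lowest, in Tor's byte units (assumed)
            "SETCONF PublishServerDescriptor=bridge"]
```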



More information about the tor-dev mailing list