[tor-dev] making sure I configure OutboundBindAddressExit correctly

teor teor2345 at gmail.com
Fri May 5 01:42:19 UTC 2017 

> On 5 May 2017, at 06:03, nusenu <nusenu-lists at riseup.net> wrote:
> 
> Hi,
> 
> since I really like this new feature
> I added [1] initial autoconfiguration support for it to ansible-relayor
> (user can opt-in via a single boolean and we automate the rest).
> 
> I want to make sure I do this correctly and would like your feedback on
> the following questions:

You should probably specify OutboundBindAddressOR [IPv6] as well.

Several upcoming IPv6 features require relays to make outgoing IPv6
OR connections:
* Missing IPv6 ORPort reachability check
  https://trac.torproject.org/projects/tor/ticket/6939
* Enable relays to talk to other relays via IPv6
  https://trac.torproject.org/projects/tor/ticket/4565

And maybe:
* Change clients to automatically use IPv6 if they can bootstrap over it
  https://trac.torproject.org/projects/tor/ticket/17217

If you don't specify OutboundBindAddressOR [IPv6], any IPv6 connections
a relay makes will go via the OS routing table, which may use the same
address as OutboundBindAddressExit.

> a)
> Is 'OutboundBindAddressOR' in the following context optional (in the
> sense that it does not change tor's behavior)?
> 
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressOR 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
> 
> is identical to:
> 
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
> 
> (since according to the manual page OutboundBindAddress*OR* would just
> override OutboundBindAddress, which is not needed in the above example
> since they match)

Yes, they are identical in current tor versions.

There is currently no OutboundBindAddressDNS, but there might be in
future.

So please use OutboundBindAddress if you mean "all non-exit connections",
and OutboundBindAddressOR if you mean
"remote ORPort and DirPort connections".

Also, the documentation is unclear, and we need to fix it:
https://trac.torproject.org/projects/tor/ticket/22145

> b)
> Is it ok to set OutboundBindAddressExit for IPv4 only, even if we set
> 'IPv6Exit 1' or is setting an IPv6 OutboundBindAddressExit address
> required after setting OutboundBindAddressExit for IPv4?
> 
> Since this question might be a bit confusing I'll give an example in
> form of torrc lines:
> 
> 
> ORPort 1.2.3.4:9001
> OutboundBindAddress 1.2.3.4
> OutboundBindAddressExit 7.7.7.7
> IPv6Exit 1
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> 
> (this config has an IPv4 OutboundBindAddressExit entry but no IPv6
> OutboundBindAddressExit entry)

This means that IPv6 Exit connections will use the OS routing table.

> c)
> Similar to (b) is it ok to enable OutboundBindAddressExit for IPv6 only?

This means that IPv4 Exit connections will use the OS routing table.

> d)
> Is it ok if multiple tor instances on the same host use the same
> OutboundBindAddressExit address?
> (ignoring the fact that big exits might run out of source ports?)

Yes, tor does not use any specific source ports for outgoing
connections.

> ...
> [1]
> https://github.com/nusenu/ansible-relayor/commit/00fa7c571e8b6f6256092d992831598ad73201db

T
--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170505/4d609e9f/attachment.sig>

More information about the tor-dev mailing list