[tor-dev] making sure I configure OutboundBindAddressExit correctly

teor teor2345 at gmail.com
Fri May 5 01:42:19 UTC 2017

> On 5 May 2017, at 06:03, nusenu <nusenu-lists at riseup.net> wrote:
> Hi,
> since I really like this new feature
> I added [1] initial autoconfiguration support for it to ansible-relayor
> (user can opt-in via a single boolean and we automate the rest).
> I want to make sure I do this correctly and would like your feedback on
> the following questions:

You should probably specify OutboundBindAddressOR [IPv6] as well.

Several upcoming IPv6 features require relays to make outgoing IPv6
OR connections:
* Missing IPv6 ORPort reachability check
* Enable relays to talk to other relays via IPv6

And maybe:
* Change clients to automatically use IPv6 if they can bootstrap over it

If you don't specify OutboundBindAddressOR [IPv6], any IPv6 connections
a relay makes will go via the OS routing table, which may use the same
address as OutboundBindAddressExit.

> a)
> Is 'OutboundBindAddressOR' in the following context optional (in the
> sense that it does not change tor's behavior)?
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort
> OutboundBindAddress
> OutboundBindAddressOR
> OutboundBindAddressExit
> is identical to:
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> ORPort
> OutboundBindAddress
> OutboundBindAddressExit
> (since according to the manual page OutboundBindAddress*OR* would just
> override OutboundBindAddress, which is not needed in the above example
> since they match)

Yes, they are identical in current tor versions.

There is currently no OutboundBindAddressDNS, but there might be in

So please use OutboundBindAddress if you mean "all non-exit connections",
and OutboundBindAddressOR if you mean
"remote ORPort and DirPort connections".

Also, the documentation is unclear, and we need to fix it:

> b)
> Is it ok to set OutboundBindAddressExit for IPv4 only, even if we set
> 'IPv6Exit 1' or is setting an IPv6 OutboundBindAddressExit address
> required after setting OutboundBindAddressExit for IPv4?
> Since this question might be a bit confusing I'll give an example in
> form of torrc lines:
> ORPort
> OutboundBindAddress
> OutboundBindAddressExit
> IPv6Exit 1
> ExitRelay 1
> ExitPolicy reject *:25,accept *:*
> (this config has an IPv4 OutboundBindAddressExit entry but no IPv6
> OutboundBindAddressExit entry)

This means that IPv6 Exit connections will use the OS routing table.

> c)
> Similar to (b) is it ok to enable OutboundBindAddressExit for IPv6 only?

This means that IPv4 Exit connections will use the OS routing table.

> d)
> Is it ok if multiple tor instances on the same host use the same
> OutboundBindAddressExit address?
> (ignoring the fact that big exits might run out of source ports?)

Yes, tor does not use any specific source ports for outgoing

> ...
> [1]
> https://github.com/nusenu/ansible-relayor/commit/00fa7c571e8b6f6256092d992831598ad73201db

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
xmpp: teor at torproject dot org
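
Added example, not part of the original message or of ansible-relayor: a small Python check that reads a torrc and reports, per address family, which OR or exit connections fall back to the OS routing table and whether OR and exit traffic end up sharing a source address. It assumes the precedence from the manual page mentioned in the thread (the OR/Exit option overrides OutboundBindAddress for the same IP version); the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample torrc (documentation-range addresses, not from the thread).
SAMPLE_TORRC = """\
ORPort 192.0.2.10:9001
OutboundBindAddress 192.0.2.10
OutboundBindAddressExit 192.0.2.11
IPv6Exit 1
"""

OPTIONS = {o.lower(): o for o in
           ("OutboundBindAddress", "OutboundBindAddressOR", "OutboundBindAddressExit")}

def parse_bind_options(torrc_text):
    """Return {option: {4: addr, 6: addr}} for the OutboundBindAddress* lines."""
    found = {opt: {} for opt in OPTIONS.values()}
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 2 or parts[0].lower() not in OPTIONS:
            continue
        addr = ipaddress.ip_address(parts[1].strip("[]"))  # IPv6 is written [addr]
        found[OPTIONS[parts[0].lower()]][addr.version] = str(addr)
    return found

def effective_binds(torrc_text):
    """Map (purpose, family) to a bind address, or None for the OS routing table."""
    opts, result = parse_bind_options(torrc_text), {}
    for purpose in ("OR", "Exit"):
        for family in (4, 6):
            # Assumed precedence: the specific option overrides the generic
            # OutboundBindAddress for the same IP version.
            result[(purpose, family)] = (
                opts["OutboundBindAddress" + purpose].get(family)
                or opts["OutboundBindAddress"].get(family))
    return result

def findings(torrc_text):
    """Report families left to the OS routing table or shared by OR and exit."""
    eff, out = effective_binds(torrc_text), []
    for family in (4, 6):
        or_addr, exit_addr = eff[("OR", family)], eff[("Exit", family)]
        out += [f"IPv{family} {p}: OS routing table"
                for p, a in (("OR", or_addr), ("Exit", exit_addr)) if a is None]
        if or_addr is not None and or_addr == exit_addr:
            out.append(f"IPv{family}: OR and Exit share {or_addr}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_TORRC)))
```
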
