[tor-relays] Filtering at Exit Node [was: Network Scan through Tor Exit Node (Port 80)]

jordan jordan at privatdemail.net
Thu Mar 3 11:51:37 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03.03.2011 12:29, Fabio Pietrosanti (naif) wrote:
> On 3/3/11 12:13 PM, Moritz Bartl wrote:
>> Hi
>>
>> On 03.03.2011 11:43, mick wrote:
>>> OK, so that idea may not be a runner - but surely the whole purpose of
>>> the exit policy system is to allow us to run exit nodes which /do/
>>> limit activity to that which we deem acceptable (or legal). 
>>
>> Exactly. The *exit policy* is there to limit exit activity. Not iptables
>> or "IDS" afterwards.
> 
> I know and fully understand your point, it's a controversial issue the
> filtering or not at exit node level.
> 
> The TOR ExitPolicy provides a too reduced degree of flexibility to
> properly fine tune the risks/exit policy decision of a person just
> basing on IP/port and with a limitation on how many IP/port can be
> allowed/filtered.
> 
> Still I would like to point out a *practical* feeling that I got from a
> lot of people I tried to say "hey, run an exit node!".
> 
> Some people tried to run an exit node, then they got their internet
> connection disconnected due to a high number of claims.
> Such people think that if they would be able to remove the claims that
> cause their internet connection being cut off, they would be happy to
> run a server.
> 
> Some other people just do not run a TOR exit node due to the perceived
> and concrete risks that their node will be used to start cyber-attacks
> and that they will have trouble because of this.
> Those people would be happy to support Freedom of Speech and fight for
> anti-censorship in support of people living in the non-free world.
> At the same time they don't want to get involved in cyber attacks.
> 
> Some other people, like me, live in a country where the justice and
> judicial system is in a dramatic situation.
> In Italy if you have a legal problem you will take between 5 up to 10
> years to solve the issue.
> In such conditions I DO NOT WANT any traffic to go to Italian networks,
> because a stupid and dumb prosecutor would probably raid my home in the
> morning and I will have to manage 5-10 years of legal handling.
> Unfortunately there's no way to create an exit policy that's able to
> load the blocking destined to a specific country (Tor just crashes and
> there's an issue about it due to the high number of ExitPolicy statements).
> 
> I think that all those issues are absolutely reasonable and
> understandable and, if properly managed without a technology-taliban
> approach, would allow a lot more people to run exit nodes.
> 
> So still my goal is to test, implement, document and create a howto to:
> 
> - Block P2P to avoid P2P related claims
> - Block Portscan to avoid portscan related claims
> - Block web attacks to avoid web attacks related claims
> - Block traffic going to the country where I live to avoid a stupid
> prosecutor causing me 5-10 years of legal trouble
> 
> Yes, I understand that this is outside the concept of *perfect freedom*
> related to TOR, but still it would be an answer to the many people that
> would be happy to run an Exit Node to support freedom of speech limiting
> their risks, personal feeling and effort for maintenance and running a TOR
> node.
> 
> If that's something not acceptable for the community I accept to be
> marked as an untrusted node, or rough node or whatever.
Being marked as a bad exit means that clients won't choose you for exit
connections. So why not save the trouble and run a non-exit-node instead?


According to
http://infosecurity.ch/20110124/my-tor-exit-node-experience-trying-to-filter-out-noisy-traffic/

the node concerned is
https://torstatus.blutmagie.de/router_detail.php?FP=a65b8fdc571220dbf80fd409565b4ce15c9dc4c3

>
> Still I think that this approach is reasonable and can create value for
> the TOR project grow.
> 
> -naif
> http://infosecurity.ch

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
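
The quoted message says a per-country block list produces too many ExitPolicy statements for Tor to load. One way to shrink such a list is to merge adjacent and overlapping prefixes before writing the reject lines. This is an added example, not part of the original thread: the prefixes are constructed from documentation ranges, the function names are hypothetical, and the final `accept *:*` default is an assumption.

```python
import ipaddress

# Constructed sample input: documentation-range prefixes standing in for a
# per-country allocation list (a real list would come from RIR or GeoIP data).
SAMPLE_PREFIXES = [
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the line above -> merges into a /24
    "203.0.113.0/26",
    "203.0.113.64/26",
    "203.0.113.128/25",    # the three 203.0.113.x entries merge into a /24
    "192.0.2.16/28",
    "192.0.2.0/24",        # already covers the /28 above
    "not-a-prefix",        # malformed entry, must not reach torrc
]


def collapse_prefixes(prefixes):
    """Parse IPv4 CIDR strings and merge them into the fewest covering networks.

    Returns (collapsed_networks, skipped_entries). Entries that are malformed
    or have host bits set are skipped rather than silently "fixed", so a typo
    cannot widen or narrow the block list unnoticed.
    """
    nets, skipped = [], []
    for text in prefixes:
        try:
            nets.append(ipaddress.IPv4Network(text.strip(), strict=True))
        except ValueError:
            skipped.append(text)
    return list(ipaddress.collapse_addresses(nets)), skipped


def exit_policy_lines(prefixes, default="accept *:*"):
    """Build torrc ExitPolicy lines: one reject per collapsed network, then
    the catch-all rule (assumed default; choose the policy you actually want)."""
    collapsed, skipped = collapse_prefixes(prefixes)
    lines = [f"ExitPolicy reject {net}:*" for net in collapsed]
    lines.append(f"ExitPolicy {default}")
    return lines, skipped


if __name__ == "__main__":
    lines, skipped = exit_policy_lines(SAMPLE_PREFIXES)
    print("\n".join(lines))
    print(f"# {len(SAMPLE_PREFIXES)} input entries -> {len(lines) - 1} reject "
          f"lines, {len(skipped)} skipped: {skipped}")
```

Review the skipped entries before deploying the output, since anything dropped there is a destination that will not be blocked.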

