[tor-relays] Exits behind a next-gen firewall? Opinions please

Lunar lunar at torproject.org
Fri Jul 11 05:33:19 UTC 2014

Jesse Victors:
> I've been running some exit nodes for some time now, and they're doing
> well. They've burned through many terabytes of bandwidth, and thanks
> to Tor's recommended reduced exit policy, complaints have been
> minimal. Clearly the vast majority of the Tor traffic is not
> malicious, but I have received some reports from other companies and
> from my ISP of hacking attempts: SQL Injection, XSS, botnet C&C, basic
> things like that. My ISP now tells me that they could reduce the
> reports even further by routing the exits through a "next-generation
> firewall" which apparently can detect an obvious clearnet attack and
> drop that connection a few milliseconds after the attack occurs.

You don't want that.

For Tor to work properly, once a packet is delivered to your exit (and
the destination is accepted) the packet must be delivered. Otherwise,
you are breaking the network and the relay will be a BadExit.

But you really don't want that because if you start looking at the
traffic and selecting the traffic, then you become liable for what you
transport (at least in Europe).

Lunar                                             <lunar at torproject.org>