[tor-relays] Exits behind a next-gen firewall? Opinions please

Lunar lunar at torproject.org
Fri Jul 11 05:33:19 UTC 2014


Jesse Victors:
> I've been running some exit nodes for some time now, and they're doing
> well. They've burned through many terabytes of bandwidth, and thanks
> to Tor's recommended reduced exit policy, complaints have been
> minimal. Clearly the vast majority of the Tor traffic is not
> malicious, but I have received some reports from other companies and
> from my ISP of hacking attempts: SQL Injection, XSS, botnet C&C, basic
> things like that. My ISP now tells me that they could reduce the
> reports even further by routing the exits through a "next-generation
> firewall" which apparently can detect an obvious clearnet attack and
> drop that connection a few milliseconds after the attack occurs.

You don't want that.

For Tor to work properly, once a packet is delivered to your exit (and
the destination is accepted) the packet must be delivered. Otherwise,
you are breaking the network and the relay will be a BadExit.

But you really don't want that because if you start looking at the
traffic and selecting the traffic, then you become liable for what you
transport (at least in Europe).

-- 
Lunar                                             <lunar at torproject.org>
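An added illustration, not part of Lunar's reply or of Tor's own code: a small Python evaluator for exit-policy lines in the format a torrc uses, showing the point at which an exit legitimately refuses a destination (before any connection is made), as opposed to a firewall dropping a stream after the exit has already accepted it. The port list is a constructed excerpt for illustration, not the full recommended reduced exit policy.

```python
import ipaddress

# Added example, not from the thread. Tor evaluates ExitPolicy lines
# top to bottom and applies the first match; "reject *:*" is the usual
# trailing default. A destination rejected here is refused before any
# connection is opened. Once a destination is accepted, the stream has
# to be delivered, which is why a post-accept firewall is a problem.
# IPv4 only, and the port list is a constructed excerpt, not the full
# reduced exit policy.

REDUCED_POLICY_EXCERPT = """
reject 0.0.0.0/8:*
reject 127.0.0.0/8:*
reject 10.0.0.0/8:*
accept *:20-23
accept *:53
accept *:80
accept *:443
accept *:993-995
reject *:*
"""

def _parse_line(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' into a tuple."""
    action, target = line.split()
    host, ports = target.rsplit(":", 1)
    net = None if host == "*" else ipaddress.ip_network(host, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-"))
    else:
        lo = hi = int(ports)
    return action == "accept", net, lo, hi

def parse_policy(text):
    """Return a list of (accept, network_or_None, low_port, high_port)."""
    return [_parse_line(l) for l in text.strip().splitlines() if l.strip()]

def exit_allows(policy, addr, port):
    """First-match evaluation of a destination against the policy."""
    ip = ipaddress.ip_address(addr)
    for accept, net, lo, hi in policy:
        if (net is None or ip in net) and lo <= port <= hi:
            return accept
    return False  # implicit default when no line matches

if __name__ == "__main__":
    policy = parse_policy(REDUCED_POLICY_EXCERPT)
    print(exit_allows(policy, "93.184.216.34", 443))  # True
    print(exit_allows(policy, "93.184.216.34", 25))   # False
    print(exit_allows(policy, "10.1.2.3", 443))       # False
```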