[tor-relays] Oubound Ports

krishna e bera keb at cyblings.on.ca
Sat Jul 12 15:32:01 UTC 2014 

On 14-07-11 08:59 PM, Greg Moss wrote:
> Alright - traffic is picking up a little after 24 hour. Netfow is showing a
> bunch of outbound SSH connections but for some reason cant see it in the
> syslog  going out. Added ACL for outbound SSH and will watch.  Not sure WTF
> all the SSH traffic is all about.


Some clarification may help regarding what ports are and how they are
used.  (Corrections welcome.)

When we say a process connects on port 22 we mean a process on the local
computer tries to connect to a remote computer on its port 22, ie 22 is
the "destination".  The process on the local computer will use a random
numbered "source" port (from 1 to 65535) on leaving the local computer.
 On the remote computer, there will be a process listening on its
inbound port 22.

The local process may or may not be SSH, and the remote process may or
may not be SSHD - it is up to each computer's owner how they configure
the processes; port 22 is merely a convention for SSH that makes it easy
to remember and setup defaults.

(On Linux you can see what process is actually using each active
connection with "sudo netstat -p".  To see what processes are listening
on which ports on your computer, it would be "sudo netstat -lp".)

If you are running a Tor exit node, you specify in the torrc to which
destination ports your Tor node will allow Tor users to connect.  If
your torrc says "ExitPolicy reject *:22" for example, it means your exit
node will not allow Tor users to connect to port 22, so don't even try
to route circuits through your node.  If your torrc doesnt contain that
line but your firewall blocks connections to port 22, it means Tor users
might try to do their SSH via your exit node and get failed connections
(and your node will eventually be labelled a BadExit).

If you are running a non-exit, ie your torrc contains "ExitPolicy reject
*:*", then circuits traversing your relay will only connect to other Tor
nodes (on their advertised ORports); you cannot control what numbers
those ports are nor choose to which relays connections are allowed.  In
that case you should not see any connections to port 22, except for the
Tor process itself connnecting to other Tor relays which happen to use
that as their ORport.

More information about the tor-relays mailing list