[tor-relays] Exit policy reject fails

spiros_spiros at freemail.gr spiros_spiros at freemail.gr
Mon Oct 19 21:21:06 UTC 2015

Hi Josef, 

I think you must put any reject entries above the accept because the rules read from top to bottom. 

Also, I don't know if this makes any difference at all, but I also put the port in my torrc like this:

ExitPolicy reject* #comment here


On 19 Oct 2015, at 22:03, Josef Stautner <hello at veloc1ty.de> wrote:

Hello @all,

I have a problem with a reject rule which seems to fail.
Due to a message from WebIron against my exit relay I wanted to block a
subnet. My exit policy looks like this:

ExitPolicy accept *:53        # DNS
ExitPolicy accept *:80        # HTTP
ExitPolicy accept *:8080      # HTTP 2
ExitPolicy accept *:443       # HTTPS
ExitPolicy reject # WebIron report
ExitPolicy reject *:*

After I added the reject rule I reloaded tor and thought the case was
done. But WebIron keeps sending me messages because of "ongoing attacks"
against a host in that subnet. Of course I trusted the reject rule and
ignored them. After the 6th mail I got suspicious and added an iptables
ACCEPT rule in my OUTPUT chain to see whether there is really any
traffic flow. I just received another mail and checked the packet counter:

Chain OUTPUT (policy ACCEPT 116M packets, 159G bytes)
num   pkts bytes target     prot opt in     out     source              
2      142  8304 ACCEPT     all  --  *      *
       /* WebIron Block check */

There is traffic flowing from my relay IP to the subnet. Can
somebody please give me a hint as to what I'm doing wrong?
Link to the relay in case you need more information:

Thanks in advance,
tor-relays mailing list
tor-relays at lists.torproject.org

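The point made in the reply above is that Tor evaluates an ExitPolicy top to bottom and stops at the first line that matches the destination address and port, so a subnet reject placed below `accept *:80` never gets a chance to fire for port 80. The following is an added illustration, not code from the thread or from Tor itself: a small first-match evaluator that parses torrc-style ExitPolicy lines and shows the policy ordering from the quoted post next to the corrected ordering. The subnet 203.0.113.0/24 is a constructed stand-in for the subnet that was elided from the post.

```python
"""First-match evaluation of a Tor-style ExitPolicy (added example).

The subnet 203.0.113.0/24 (TEST-NET-3) is a constructed placeholder for the
subnet elided from the mailing-list post; the port list is the one posted.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network, int, int]


def parse_policy(text: str) -> List[Rule]:
    """Parse 'ExitPolicy accept|reject ADDR:PORT  # comment' lines.

    The result keeps file order, because Tor applies the first matching
    line and ignores everything after it.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ExitPolicy":
            parts = parts[1:]
        action, target = parts[0], parts[1]
        if action not in ("accept", "reject"):
            raise ValueError(f"unsupported action: {action}")
        addr, port = target.rsplit(":", 1)
        if addr == "*":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-"))
        else:
            lo = hi = int(port)
        rules.append((action, net, lo, hi))
    return rules


def evaluate(rules: List[Rule], dest_ip: str, dest_port: int) -> Tuple[str, int]:
    """Return (action, rule_index) of the first rule matching the destination.

    Both example policies end with an explicit 'reject *:*', so a miss here
    means the policy text had no catch-all line.
    """
    ip = ipaddress.ip_address(dest_ip)
    for index, (action, net, lo, hi) in enumerate(rules):
        if ip in net and lo <= dest_port <= hi:
            return action, index
    raise ValueError("no rule matched; policy lacks a catch-all line")


# Ordering from the quoted post: the subnet reject sits below the accepts.
POLICY_AS_POSTED = """
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:80        # HTTP
ExitPolicy accept *:8080      # HTTP 2
ExitPolicy accept *:443       # HTTPS
ExitPolicy reject 203.0.113.0/24:*   # constructed stand-in for the reported subnet
ExitPolicy reject *:*
"""

# Corrected ordering: the subnet reject is first, so it wins over accept *:80.
POLICY_FIXED = """
ExitPolicy reject 203.0.113.0/24:*   # constructed stand-in for the reported subnet
ExitPolicy accept *:53
ExitPolicy accept *:80
ExitPolicy accept *:8080
ExitPolicy accept *:443
ExitPolicy reject *:*
"""


def decision(policy_text: str, dest_ip: str, dest_port: int) -> str:
    """Convenience wrapper returning only the action string."""
    return evaluate(parse_policy(policy_text), dest_ip, dest_port)[0]


if __name__ == "__main__":
    for name, policy in (("as posted", POLICY_AS_POSTED), ("fixed", POLICY_FIXED)):
        rules = parse_policy(policy)
        for port in (80, 443, 22):
            action, idx = evaluate(rules, "203.0.113.5", port)
            print(f"{name:9s} 203.0.113.5:{port:<4d} -> {action} (rule #{idx + 1})")
```

Run it and the "as posted" policy reports `accept` for 203.0.113.5:80 and :443, decided by the accept lines ahead of the reject; the "fixed" policy reports `reject` from its first line, while other destinations on those ports are still accepted. One caveat when reading the iptables counter from the post: an OUTPUT ACCEPT rule matching the subnet counts every packet the host sends there, not only exit streams, so checking the policy order first avoids chasing the wrong cause.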