[tor-relays] How to prevent netscan usage?

Sun Feb 7 21:28:01 UTC 2016

Am 07.02.2016 um 21:47 schrieb Toralf Förster:
> On 02/07/2016 09:17 PM, Roland 'ValiDOM' Jungnickel wrote:
>> So to say... these rules work. But most probably somebody with more
>> iptables experience might adjust them to be even more effective AND less
>> "problematic".
> 
> Again - it is problematic in Germany *and* you foolish the Tor directory authorities.
> Don't run an exit if you can't run an exit.

Thanks Toralf for your reply.

Regarding §8 TMG in Germany - yes, there is a risk. Honestly, I fight
for this rule to apply for free Wifi-Providers (also for people just
running one access point) and TOR-exitnodes. There is a current court
case about free Wifi at the European Court of Justice (ECJ) I initiated,
do fund-raising, public relations for and so on (C-484/14). An Advocate
General will publish his opinion on the case this April.

In other words... §8 TMG and its limits are well-known to me. So why did
I still apply the firewall rule the the exit? If you read the IPtables
rules I adopted carefully, you see that I do not select source or
target. I limit new connections based on a time-value. In my humble
opinion this is like to use a small uplink; but not violating §8 TMG.

And - what would be the alternative? Find an ISP which do accept (or
just not recognise) massive Netscans? Might be an option. But as of my
current and past understanding, netscan is not "normal" network usage.
It is abuse. As long as the Tor deamon does not offer a functionality to
avoid such abuse, the only way to deal with it is a firewall rule. This
should answer your second objection about to foolish the Tor directory.
I just do not care if netscans over tor do not work properly ;)

Vali

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20160207/1e153d3f/attachment.sig>