[tor-relays] Firewall rules as a "replacement" for MyFamily on a bridge?

Roger Dingledine arma at torproject.org
Mon Oct 14 05:02:04 UTC 2019


On Sat, Oct 12, 2019 at 12:09:20AM +0200, Marco Gruß wrote:
> I have been running 2 middle relays for a while and now fired up
> an obfs4 bridge (in a relay-free AS no less ;) as well.

Great!

> I've been thinking, as MyFamily is a no-no for bridges, how about
> firewalling the bridge from my nodes? If I add rules on my bridge
> that prevent it from connecting to my other relays and prevent
> my other relays from connecting to it (using iptables' -j REJECT,
> which results in a "connection refused", as if the tcp port was
> closed), it would be technically impossible for my bridge to
> inadvertently build a circuit through one of my other relays.
> (Well, it could of course still choose them as the second hop.)
> 
> Does this make any sense at all? Will this break stuff?

It does make sense.

A little bit against: it will break stuff a little bit, in that clients
that use your bridge will sometimes fail to make the circuit they wanted,
because they won't be able to extend from your bridge to those relays.
There's already some uncertainty around how many links between relays
are broken, and why they might be broken, so intentionally adding more
breakage will make those questions more confusing. Not a big deal if a
few bridges do it, but could get messy if many do.

A little bit in favor: it will indeed avoid circuits that use your relays
for the first two hops. This is actually a bigger deal than you describe
above, because circuits that use bridges are still only three hops total
("bridge - middle - exit"), so if a user picks your bridge and your
middle relay, then there's only the exit relay left that is not yours.

A little bit against: because these circuits are only three hops,
there is a low-impact low-probability anonymity issue with doing what
you describe: if a user does the same activity repeatedly over time, and
that activity is recognizable (linkable) by the exit relay (e.g. logging
into a non-https website or going to a really rare destination), then an
attacker running some exit relays will be able to build a profile over
time of what middle hops the person uses, and notice that they never use
your middle hops, and conclude that maybe they're using your bridge as
their first hop. Not a big deal, but it's an example of how anonymity
analysis can get really tricky.

I would say that if you're excited to do it, it won't hurt much and
might help a bit so feel free. But if not you shouldn't. And it would
be a shame if many people started doing it, because the two "little bit
against" points get a little bit worse when the behavior is more common.

Hope this helps,
--Roger
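
The firewall setup discussed in this thread, as an added example that is not part of either message: a POSIX shell sketch, run on the bridge host, that generates the `-j REJECT` rules in both directions for each of the operator's other relays. The names `MY_RELAYS`, `APPLY`, `fw_tool` and `bridge_isolation_rules` are hypothetical, the addresses are constructed documentation addresses, and `--reject-with tcp-reset` is an assumption added here so that a blocked connection is answered with a TCP RST, as a closed port would be.

```shell
#!/bin/sh
# Added example: run on the bridge host. The addresses are constructed
# documentation ranges (RFC 5737 / RFC 3849), not real relays.
MY_RELAYS="${MY_RELAYS:-192.0.2.10 198.51.100.20 2001:db8::10}"

# Choose iptables or ip6tables from the address family.
fw_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Print the rules that isolate the bridge from every relay address given.
bridge_isolation_rules() {
    for addr in "$@"; do
        tool=$(fw_tool "$addr")
        # The bridge must not open connections to the relay ...
        echo "$tool -I OUTPUT -p tcp -d $addr -j REJECT --reject-with tcp-reset"
        # ... and the relay must not open connections to the bridge.
        echo "$tool -I INPUT -p tcp -s $addr -j REJECT --reject-with tcp-reset"
    done
}

# Dry run by default: print the rules. APPLY=1 (as root) installs them.
main() {
    # MY_RELAYS is split on whitespace on purpose.
    bridge_isolation_rules $MY_RELAYS | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "$rule"
        fi
    done
}

main
```

The rules match on address only, so they also block any other TCP service hosted on the same relay addresses, and they are not persisted across reboots.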


