[tor-relays] easy way to test my exit policy

Tom Yates madhatter at teaparty.net
Thu Aug 18 07:46:41 UTC 2022


On Wed, 17 Aug 2022, lists at for-privacy.net wrote:

> On Tuesday, 16 August 2022 16:36:52 CEST Tom Yates wrote:
>> I've been grumbled at in a way that makes me want to validate my exit
>> policy before dismissing the grumble.
>
> I don't know exactly what you want to test there. You can see what you 
> have open on tor metrics.

That pretty much sums up the problem.  I know what my config says I'm 
doing; I want independent confirmation that the daemon is behaving as 
advertised.

Spoiler alert: unsurprisingly, it is.

Should anyone else want to do this, the right way (it seems) is to run an 
instance of tor on a random test box, point that at the exit node to be 
tested, and use a socks-aware client (on random test box) to generate test 
traffic via the SOCKS interface on tor whilst using tcpdump (on the exit 
node) to verify whether packets flow.

On random test client, let's call it "client", force the selection of your 
exit node in your local torrc, in this case by IP address:

ExitNodes 178.17.171.102

and start tor.  On the exit node, let's call it "angband", start tcpdump, 
looking for traffic to a random test server (let's call it 
"testserv.example.com"):

angband% sudo tcpdump host testserv.example.com

Then generate test traffic.  This is test traffic that ought to be allowed 
to exit my exit node:

client% nc --proxy 127.0.0.1:9050 --proxy-type socks5 testserv.example.com 80

and here's the tcpdump traffic:

08:28:47.111528 IP angband.teaparty.net.45438 > testserv.example.com.http: Flags [S], seq 1395500093, win 42340, options [mss 1460,sackOK,TS val 3055761411 ecr 0,nop,wscale 12], length 0
08:28:47.173259 IP testserv.example.com.http > angband.teaparty.net.45438: Flags [S.], seq 879943484, ack 1395500094, win 28960, options [mss 1460,sackOK,TS val 4141468305 ecr 3055761411,nop,wscale 7], length 0
08:28:47.173293 IP angband.teaparty.net.45438 > testserv.example.com.http: Flags [.], ack 1, win 11, options [nop,nop,TS val 3055761473 ecr 4141468305], length 0
[...]

Here's test traffic that ought NOT to be allowed to exit my exit node:

client% nc --proxy 127.0.0.1:9050 --proxy-type socks5 testserv.example.com 25

and tcpdump confirms nothing leaves.

Many thanks to those who helped off-list (you know who you are); I'm 
grateful to everyone that responded.


-- 

       Tom Yates  -  https://www.teaparty.net
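
The client-side half of the test described in the message above, as an added example that is not part of the original post: a small SOCKS5 probe that asks the local tor SOCKS port (127.0.0.1:9050, as in the nc commands) to open each port in turn and prints the SOCKS5 reply. The script name probe.py and the function names are hypothetical; it only reports the client's view, so tcpdump on the exit node remains the confirmation of what actually leaves.

```python
import socket
import struct
import sys

# SOCKS5 reply codes from RFC 1928, section 6.
REPLIES = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}

def connect_request(host, port):
    """CONNECT request with the hostname as ATYP 0x03, so the name is
    resolved on the far side of the proxy instead of locally."""
    name = host.encode("idna")
    if not 0 < len(name) < 256 or not 0 < port < 65536:
        raise ValueError("bad host or port")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_reply(data):
    """Return (ok, text) for the first two bytes of a SOCKS5 reply."""
    if len(data) < 2 or data[0] != 5:
        return False, "not a SOCKS5 reply"
    return data[1] == 0, REPLIES.get(data[1], "unknown code %d" % data[1])

def probe(host, port, proxy=("127.0.0.1", 9050), timeout=60):
    """Ask the local tor SOCKS port to open host:port; return (ok, text)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")            # version 5, one method: no auth
        if s.recv(2) != b"\x05\x00":
            return False, "proxy refused no-auth method"
        s.sendall(connect_request(host, port))
        return parse_reply(s.recv(10))

if __name__ == "__main__":
    # Usage (hypothetical script name): probe.py testserv.example.com 80 25
    target, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for p in ports:
        try:
            ok, text = probe(target, p)
        except OSError as exc:
            ok, text = False, "socket error: %s" % exc
        print("%s:%d  %s  (%s)" % (target, p, "OPEN" if ok else "FAILED", text))
```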

