[tor-relays] Comcast blocks ALL traffic with tor relays

Xiaoqi Chen (Danny) chenxiaoqino at gmail.com
Thu Jun 15 07:30:00 UTC 2023 

Hi xmrk2,

As a fellow relay operator I think it might be helpful for me to add some
clarification to what you saw.

1. "comcast" the ISP didn't block or interfere with traffic to/from the
relay IP. (Thanks Jason for the clarification.)
However,
2. an average "comcast user" (with ISP-provided modem and the "advanced
security" on by default) will by default block *incoming* connection from
relay IPs. Thus, when the said user opens a port forwarding from their
public IP, you can't proactively connect to that IP:port from your relay's
IP.
3. "advanced security" will not block return traffic for *outgoing*
connections from the user. That is, when this user connects to a relay IP
(e.g., opens a tor browser), it works just fine.

The blocking is done at the modem box, and anyone expecting incoming
connection from the wider internet should obviously turn off "advanced
security" on their box. I can understand the motivation for the default --
when most people set up port forwarding, they probably only want incoming
connections from friends or their own phone, not the entire internet.

I do not use comcast personally so this is only based on anecdotes I heard
and the thread so far; please take it as a grain of salt. Hope it helps.
I'm also happy to help you and your lightning node friend privately.
--
Danny


On Thu, Jun 15, 2023 at 6:43 AM Livingood, Jason via tor-relays <
tor-relays at lists.torproject.org> wrote:

> >As to the blog post you mention… Your statements are very generic: now
> you talk about "not blocking tor", but tor is not just one webpage, one
> server, a monolithic entity. I would appreciate details: If your customer
> has "advanced security" activated, can he connect to any ORPort of any tor
> middle relay?
>
> Fair enough. That post was in any case from 2014 and the questions are
> different today (I just used it as an example that we’re not against Tor).
> Honestly, I’m a little surprised that someone running a Tor exit node would
> not be using their own cable modem and running their own router (whether
> open source a la Openwrt or commercial). If someone wants to do stuff like
> run a Tor exit node or run a MASQUE relay or whatever, I’d recommend they
> turn off Advanced Security and manage their routing & firewall rules
> themselves.
>
>
> >Sorry if I am a bit repetitive, but
> https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security
> <https://urldefense.com/v3/__https:/www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security__;!!CQl3mcHX2A!GL-M865o8Ul6VQiGJSAHwue9MmlLnlCkSlez2kSjTpTq91B5S2TV_6hpdIS3pBMgjK8UBjTiRgcW8Hu1XzhBRik$> mentions
> "Blocks remote access to smart devices from known dangerous sources.". What
> do you mean by dangerous sources, and does it include tor relays or exits?
>
>
>
> It may be down to the fact that “unknown” users connect to the relay/exit
> and that the average consumer user of the Advanced Security service does
> not want that. I suspect if someone wants this, it’s best to toggle
> Advanced Security off.
>
>
>
> > I don't know whether this customer has "Advanced security" turned on, I
> just assume he has. Do you want me to send you privately more details (my
> IP and this peer's IP)?
>
> Sure – I am happy to look at that confidentially. But it could be a wide
> range of other things – even basic things like someone’s router timing out
> external connections after X minutes, etc.
>
> > So you remind me of an old joke: who should I believe, you, or my eyes?
> Sorry, I choose my eyes. I am talking here about direction from my node to
> Comcast. It is still possible that you don't block connections from Comcast
> to relays, I have contradictory evidence about this point. So if your "not
> blocking tor" means "not preventing our customer from connecting to some
> tor relays", this could be true.
>
>
>
> Alternatively, given the large size of our network, if we were in fact
> blocking this, then I’d expect to see this list filled with complaints and
> social media sites (Twitter
> <https://twitter.com/search?q=comcast%20tor&src=typed_query&f=top>,
> Reddit, etc.) filled with complaints. But what I see now is a single
> report. That said, I routinely look at such reports when they seem at odds
> with our network policies so as to be certain there’s not some
> misconfiguration or bug someplace.
>
>
>
> Jason
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20230615/f7eb9e2e/attachment.htm>

More information about the tor-relays mailing list