ExitPolicy: ports 1024-65535 needed?

Nato Welch nate at asaim.com
Sat Dec 18 08:23:08 UTC 2004


Alright, I've got some questions. I've been reading, and I may not have 
all this down right, but I'll dive in.

From my understanding, connecting tor clients get to pick their routes 
through the network. Suppose they were to pick an exit node whose exit 
policy doesn't support the port they want to connect to. Do they hear 
about it? How easy would it be for them to pick another exit node? A 
nice feature would be for users to be able to choose their level of 
exposure (web only, BT and smtp if they feel ok handling complaints, 
etc). What implications would this have on the anonymity and security of 
the network if this were the case?

I would imagine that even users with completely blocked exit policies 
(middleman nodes?) would be helpful contributors.

--
Nato Welch
nate at asaim.com



Roger Dingledine wrote:
> On Fri, Dec 17, 2004 at 10:46:13PM -0600, Keith Ray wrote:
> 
>>After recently setting up a Tor router, I was wondering about the necessity
>>of allowing all high range ports.  Is this necessary for return packets to
>>be allowed back through the network?  Example:
>>
>>  client:1024 -> server:80
>>  server:80   -> client:1024
>>
>>If all I have is:
>>  
>>  ExitPolicy accept *:80, reject *:*
>>
>>Will this block the first packet, the second packet, both, or neither?
> 
> 
> Exit policies work at the TCP level. They let your server decide which
> addresses and ports for outgoing connections will be allowed.
> 
> So if you accept *:80 and reject the rest, then outgoing connections
> to anywhere on port 80 will be permitted, and outgoing connections on
> other ports will be denied.
> 
> Exit policies don't think on a per-packet level. They think on a per
> TCP stream level. Indeed, Tor also works on a per TCP stream level. We
> don't transport packets, we transport streams.
> 
> Does that make more sense? You could switch to the exit policy you
> indicated if you want, and it would work fine; but of course, we prefer
> to have more nodes that allow more flexible exiting.
> 
> --Roger
> 
> 
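
Roger's "per TCP stream" explanation and Nato's question about picking an exit whose policy covers the wanted port, as an added example that is not from this thread or from Tor's code base: a small evaluator for ExitPolicy entries with first-match semantics over the destination of the outgoing stream. The relay names, sample policies, addresses and the `default` fallback are constructed assumptions (a real Tor relay appends its own built-in default policy after entries that do not end in `reject *:*`); IPv4 only.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One parsed ExitPolicy entry: action, network (None means "*"), port range.
Rule = Tuple[str, Optional[ipaddress.IPv4Network], int, int]


def parse_exit_policy(text: str) -> List[Rule]:
    """Parse entries such as 'accept *:80, reject *:*'.

    Each comma-separated entry is ACTION ADDR[/MASK]:PORT, where ADDR and
    PORT may be '*' and PORT may be a single port or a 'low-high' range.
    """
    rules: List[Rule] = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, pattern = entry.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in {entry!r}")
        addr, port = pattern.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.IPv4Network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        rules.append((action, net, lo, hi))
    return rules


def stream_allowed(rules: List[Rule], dest_ip: str, dest_port: int,
                   default: bool = False) -> bool:
    """First matching rule decides; unmatched streams fall back to `default`.

    Only the destination of the outgoing TCP stream is consulted: the
    client's ephemeral source port (e.g. 1024) never enters the decision,
    and there is no per-packet or return-path check to make.
    """
    ip = ipaddress.IPv4Address(dest_ip)
    for action, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return default


def exits_for(relays: Dict[str, str], dest_ip: str, dest_port: int) -> List[str]:
    """Names of relays whose policy permits the stream (a client-side route filter)."""
    return [name for name, policy in relays.items()
            if stream_allowed(parse_exit_policy(policy), dest_ip, dest_port)]


# Constructed sample policies; none belongs to a real relay.
SAMPLE_RELAYS = {
    "web-only": "accept *:80, accept *:443, reject *:*",
    "middleman": "reject *:*",
    "open": "reject 10.0.0.0/8:*, accept *:*",
}
```

Under Keith's policy a stream to port 80 is permitted and one to port 1024 refused, whichever source port the client used; `exits_for` is the kind of filter a client would need to avoid picking an exit that rejects its destination.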


