Tor Beginner's Questions

ffi2fdq02 at sneakemail.com ffi2fdq02 at sneakemail.com
Wed Jan 5 11:58:43 UTC 2005


Thanks for getting to this amongst everything else Roger.

On 05/01/2005, at 7:19 PM, Roger Dingledine arma-at-mit.edu |or-talk| wrote:

> On Fri, Dec 31, 2004 at 05:08:43PM +1100, ffi2fdq02 at sneak......... wrote:
>> 1)  "allow local connections to port 8118 and port 9050"
>>
>>      Maybe I'm missing some subtlety in the word 'local' but does this
>> mean incoming, outgoing, neither or both should be allowed?  As far as
>> I know, I haven't allowed either port incoming or outgoing and yet tor
>> client seems to be working.
>
> Local means "from 127.0.0.1 to 127.0.0.1" -- some firewalls seem to block
> even these sorts of connections, and people who run them don't tend to
> realize they're running them, so it's sort of hard to document for. Any
> suggestions on how to fix the wording?

My suggestion FWIW is "if your firewall can limit your machine's ability to connect to itself then ensure that such connection is allowed on ports 8118 and 9050."  I understand the catch-22 about "people who run them..." and I think it shall remain a catch-22 unless it is to become a multi-page document in itself.  Whilst I don't run one of those firewalls I'm probably close to that class of people and I/we simply have to have the initiative to search and question until we understand.  Otherwise we can simply wait until technology like tor matures to the point where anyone can use it without having a clue what they're doing:)

>> 2)  "outgoing connections... <allow> ports 80, 443, and 9001-9033"
>>
>>      I've allowed outgoing connections on all (only) these ports.  Why
>> does tor still regularly make attempts at other ports.  I blocked them
>> all and the tor client still works.  Is there any advantage to allowing
>> these too?  Is there a definable range?
>
> I've just added this answer as
> http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#OutboundFirewallPorts

Nice.  Completely answered thank you.

> Currently the 'FirewallPorts' config option doesn't support ranges, just
> numbers. Is this something we should fix?

It's not something I would like to see 'fixed' at this stage.  There's simply a trade-off here.  I don't wish to spend much time on security but I value it.  Therefore I block all ports except those I *know* are being used by services I desire.  Consequently it suits me to block everything else.  If my need for anonymity rose then I may trade that off against this easy but overkill approach to security.

> Thanks,
> --Roger

No.  Thank you!:)
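Two points from the exchange above lend themselves to a small diagnostic: "local" meaning a TCP connection from 127.0.0.1 to 127.0.0.1 (which some firewalls silently drop), and FirewallPorts taking only individual numbers rather than ranges. The script below is an added example written for this page; it is not code from the thread, from Roger, or from the Tor project. It distinguishes "connection refused" (nothing is listening, but the loopback path is open) from a timeout (the filtered case the thread describes), so a user can tell a blocked loopback from a Tor or Privoxy that simply isn't running. The ports 8118 and 9050 and the spec "80,443,9001-9033" come from the thread; the function names, the one-second timeout and the throwaway listener used to demonstrate the "open" result are assumptions of this example.

```python
"""Loopback reachability check plus expansion of a port spec into the
explicit list a ranges-unsupported option would need. Added example;
not code from the tor-talk thread or the Tor project."""
import socket
import threading
from typing import Dict, Iterable, List, Tuple, Callable


def expand_port_spec(spec: str) -> List[int]:
    """Expand "80,443,9001-9033" into sorted individual port numbers.
    Accepts comma-separated numbers and inclusive "lo-hi" ranges
    (constructed input format for this example)."""
    ports: List[int] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad range: {item}")
            ports.extend(range(lo, hi + 1))
        else:
            p = int(item)
            if not 0 < p <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.append(p)
    return sorted(set(ports))


def probe_loopback(port: int, timeout: float = 1.0) -> str:
    """Classify a TCP connect from 127.0.0.1 to 127.0.0.1:port.

    "open"     - something accepted (e.g. Tor's SOCKS port 9050)
    "refused"  - RST came back: nothing listening, loopback path allowed
    "filtered" - no answer before timeout: what a firewall that drops
                 localhost-to-localhost traffic looks like
    "error"    - any other OS-level failure
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(("127.0.0.1", port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def check_local_ports(ports: Iterable[int] = (8118, 9050)) -> Dict[int, str]:
    """Probe each port; defaults are the two ports named in the thread."""
    return {p: probe_loopback(p) for p in ports}


def free_loopback_port() -> int:
    """Pick a currently unbound loopback port (bind to 0, read it, release).
    Probing it afterwards should yield "refused" when loopback is allowed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_loopback_listener() -> Tuple[int, Callable[[], None]]:
    """Throwaway listener on an ephemeral loopback port so the "open"
    outcome can be shown without Tor running. Returns (port, closer)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(0.2)  # lets the accept loop notice close()

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break  # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv.close


def probe_with_throwaway_listener() -> str:
    """Start a listener, probe it, tear it down; returns the status."""
    port, close = start_loopback_listener()
    try:
        return probe_loopback(port)
    finally:
        close()


if __name__ == "__main__":
    print("FirewallPorts list:", expand_port_spec("80,443,9001-9033"))
    for port, status in check_local_ports().items():
        print(f"127.0.0.1:{port} -> {status}")
```

A "refused" on 9050 with Tor stopped is the healthy result for the firewall question in the thread; "filtered" on both ports is the symptom Roger's wording is trying to describe, since a dropped loopback SYN never gets a reset back.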
