any of Tor operators receiving mail from MediaSentry Copyright Infringement?
Eugen Leitl
eugen at leitl.org
Mon Oct 10 13:59:15 UTC 2005
On Mon, Oct 10, 2005 at 09:13:48AM -0400, Geoffrey Goodell wrote:
> 1. Your exit policy is not the default. We now recommend setting this
> as your exit policy:
Thanks, adopted.
> reject 0.0.0.0/255.0.0.0:*
> reject 169.254.0.0/255.255.0.0:*
> reject 127.0.0.0/255.0.0.0:*
> reject 192.168.0.0/255.255.0.0:*
> reject 10.0.0.0/255.0.0.0:*
Question: if I have a local network in 10.3.0.0
(virtual TUN/TAP interface), can I change this
policy without causing problems. (10.0.0.0/255.0.0.0
isn't routable, anyway, right? This is to prevent
spillover of unroutable traffic into Tor network, and not
something against spoofing, correct?)
> reject 172.16.0.0/255.240.0.0:*
> reject *:25
> reject *:119
> reject *:135-139
> reject *:445
> reject *:465
> reject *:587
> reject *:1214
> reject *:4661-4666
> reject *:6346-6429
> reject *:6699
> reject *:6881-6999
> accept *:*
>
> Note that this is both more reasonable about well-known ports and more
> restrictive in ranges often chosen by P2P filesharing networks.
>
> 2. As long as you are in the business of digging around in the
> application layer for clues about whether you should filter a connection
> or not, and in so doing provide Tor users with uncertainty about whether
> their connections will satisfy the filtering constraints or not, you
I don't. I understand that this is hairy, and just wanted to know
whether it is currently feasible to block specific protocols (such
as BitTorrent) in the ExitPolicy. It is not, so end of story.
> might as well just put your Tor router behind a firewall of your own,
> with a script to drop connections whose application-layer payloads or
> traffic patterns you consider evil. Indeed, the possibilities are
It has to be a pretty smart firewall to track an entire BitTorrent
session sufficiently to be able to recognize it and to drop it.
Also, if I had such a firewall which would block outgoing Tor
traffic it recognizes it would not be reflected in the Tor exit
policy, and the local Tor node would cheerfully send it out
where it will be chomped up by the firewall. This would violate
the expectations of any user.
> endless, and ultimately cannot be expressed using simple policy
> statements. Entering the market for application-layer
> filtering is a slippery slope.
So I gathered. Thanks.
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20051010/c1fedad8/attachment.pgp>
More information about the tor-talk
mailing list