Blocking child pornography exits

Ben Wilhelm zorba-tor at pavlovian.net
Sat Jul 21 13:42:04 UTC 2007



Scott Bennett wrote:
>      Not AFAIK.  It blocks exits for whatever ports you tell it to block exits
> for.  The sample torrc that comes with the package has several example lines
> that you can uncomment or that you can simply use as examples for syntax when
> writing your own ExitPolicy statements.  One of those may be an "ExitPolicy
> reject *:25", but it starts out, IIRC, having only an "ExitPolicy reject *:*"
> statement uncommented for those who want to dabble in running a middleman-only
> server.

For quite a few versions, Tor has come with a significant number of 
ports blocked, including standard ports for email, exploits, and p2p 
filesharing. I don't know if this is still the case, but if not, it's 
changed recently.

The relevant code, which seems to still be active, starts at line 542 in 
policies.c, and I'll copy the exit policy itself and relevant comment in:

#define DEFAULT_EXIT_POLICY                                         \
   "reject *:25,reject *:119,reject *:135-139,reject *:445,"         \
   "reject *:465,reject *:563,reject *:587,"                         \
   "reject *:1214,reject *:4661-4666,"                               \
   "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"

/** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
  * cfg doesn't end in an absolute accept or reject, add the default exit
  * policy afterwards. If <b>rejectprivate</b> is true, prepend
  * "reject private:*" to the policy. Return -1 if we can't parse cfg,
  * else return 0.
  */

So chances are that if you haven't explicitly added an absolute accept 
or reject to the end of your cfg, you're blocking a large number of 
ports that the tor developers have decided they don't want on their network.

Last I heard, the tor developers did this solely to keep the network 
usable, and not for moral reasons. But I may be wrong on that. 
Nevertheless, trying to block something as nebulous and ill-defined as 
"child pornography" is obviously a far, far different thing than simply 
blocking a pile of ports frequently used for p2p traffic. Tor doesn't 
even try to recognize common p2p packets, so hey.

-Ben
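Added example, not Tor's own code: a small Python model of the rule described in that policies.c comment, using the DEFAULT_EXIT_POLICY string quoted above. The function names and the simplified "*:port[-port]" grammar (no address matching, no "private") are assumptions of this model.

```python
# Added example (not Tor's own code): models how an ExitPolicy whose last
# entry is not an absolute accept/reject gets the default policy appended.
# Only "accept|reject *:port[-port|*]" entries are modelled (assumption).

DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,"
    "reject *:465,reject *:563,reject *:587,"
    "reject *:1214,reject *:4661-4666,"
    "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
)

def parse_policy(cfg):
    """Parse comma-separated entries into (action, lo_port, hi_port) tuples."""
    entries = []
    for item in cfg.split(","):
        item = item.strip()
        if not item:
            continue
        action, _, target = item.partition(" ")
        if action not in ("accept", "reject") or not target.startswith("*:"):
            raise ValueError("unsupported policy entry: %r" % item)
        ports = target[2:]
        if ports == "*":
            lo, hi = 0, 65535            # "*" = all ports in this model
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        entries.append((action, lo, hi))
    return entries

def is_absolute(entry):
    """Absolute = matches every address (always '*' here) and every port."""
    return entry[1] == 0 and entry[2] == 65535

def effective_policy(cfg):
    """Append DEFAULT_EXIT_POLICY unless cfg already ends in an absolute entry."""
    entries = parse_policy(cfg)
    if not entries or not is_absolute(entries[-1]):
        entries += parse_policy(DEFAULT_EXIT_POLICY)
    return entries

def exit_allowed(policy, port):
    """First matching entry wins; True means the relay would exit to that port."""
    for action, lo, hi in policy:
        if lo <= port <= hi:
            return action == "accept"
    return True  # never reached once the default policy has been appended

if __name__ == "__main__":
    for cfg in ("reject *:22", "reject *:22,accept *:*"):
        pol = effective_policy(cfg)
        print("%-24s -> %d entries, port 25 %s, port 6881 %s" % (
            cfg, len(pol), exit_allowed(pol, 25), exit_allowed(pol, 6881)))
```

Running it shows that "reject *:22" alone still rejects ports 25 and 6881 (the default list was appended), while "reject *:22,accept *:*" exits to both.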
