[tor-talk] Disable anything but hidden services

Justin Aplin japlin at gmail.com
Wed Sep 5 08:37:05 UTC 2012


On Sep 5, 2012, at 3:15 AM, Andreas Krey wrote:

> On Wed, 05 Sep 2012 02:15:21 +0000, Justin Aplin wrote:
> ...
>> ExitPolicy accept 127.0.0.1:*
>> ExitPolicy reject *:*
>> 
>> This will allow exiting (connecting) to the local machine (where the hidden service should be listening) on all ports, and reject all other traffic.
> 
> No, you don't need an ExitPolicy; hidden services are independent of
> the exit policies, which control non-hidden service access. That
> accept line either has an unfortunate consequence (allowing access to
> *all* local services), or may be ignored altogether.

Ahh, you're correct, I forgot that HiddenServicePort did port mappings automatically. I'm not sure the first line would have any security consequences, as 127.0.0.1 is the origin point, and would allow traffic originating from the machine to exit via the same machine, which would only happen with very strange configurations (i.e. all of the single-hop options set to true), if at all. But I do see that it is useless at best.

~Justin Aplin
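The point the thread settles on (HiddenServicePort does the mapping itself, and ExitPolicy is only consulted when the node is a relay) is easy to check mechanically. The following is an added example, not code from the thread or from the Tor project: a small torrc review helper that parses the real options HiddenServiceDir, HiddenServicePort, ORPort, ExitPolicy and SocksPort, groups each HiddenServicePort under the preceding HiddenServiceDir, and reports when an ExitPolicy line is present on a node that has no ORPort (so the policy is never used), or when an `accept 127.0.0.1:*` line is present at all. The two torrc samples are constructed for the example; the first mirrors the configuration posted in the thread, the second is a hidden-service-only client with no relay role.

```python
"""Review a torrc for the "hidden service only" case (added example)."""
import re

# Constructed sample mirroring the configuration discussed in the thread.
POSTED_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
ExitPolicy accept 127.0.0.1:*
ExitPolicy reject *:*
"""

# Constructed sample: hidden service only, no ORPort, SOCKS listener off.
MINIMAL_TORRC = """\
SocksPort 0
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
"""


def parse_torrc(text):
    """Return (option, value) pairs; option names are lower-cased because
    torrc options are case-insensitive.  Whole-line and trailing '#'
    comments are dropped (a simplification of tor's own parser)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s#", line, 1)[0].rstrip()
        parts = line.split(None, 1)
        option = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((option, value))
    return entries


def group_hidden_services(entries):
    """Each HiddenServicePort belongs to the most recent HiddenServiceDir."""
    services = []
    for option, value in entries:
        if option == "hiddenservicedir":
            services.append({"dir": value, "ports": []})
        elif option == "hiddenserviceport":
            if not services:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            services[-1]["ports"].append(value)
    return services


def review(text):
    """Return the parsed hidden services, whether the node is a relay
    (ORPort set and non-zero) and a list of human-readable findings."""
    entries = parse_torrc(text)
    services = group_hidden_services(entries)
    is_relay = any(o == "orport" and v.split()[0] != "0"
                   for o, v in entries if v)
    policies = [v for o, v in entries if o == "exitpolicy"]
    findings = []

    if not services:
        findings.append("no hidden service configured")
    for svc in services:
        if not svc["ports"]:
            findings.append(f"HiddenServiceDir {svc['dir']} has no HiddenServicePort")

    # Exit policies only matter for relays; a plain client never applies them.
    if policies and not is_relay:
        findings.append("ExitPolicy set but no ORPort: node is a client, "
                        "so the exit policy is never used")
    # The accept line from the thread: hidden services ignore ExitPolicy,
    # HiddenServicePort already maps the virtual port to the local target.
    for pol in policies:
        if re.match(r"accept\s+127\.0\.0\.1:", pol, re.I):
            findings.append(f"'ExitPolicy {pol}' is useless at best: "
                            "hidden services do not consult ExitPolicy")
    # A relay that wants no exit traffic should end with reject *:*.
    if is_relay and not any(re.match(r"reject\s+\*:\*$", p, re.I) for p in policies):
        findings.append("relay without a final 'ExitPolicy reject *:*' may "
                        "carry exit traffic under the default policy")

    return {"services": services, "is_relay": is_relay, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_TORRC), ("minimal", MINIMAL_TORRC)):
        result = review(cfg)
        print(name, "relay" if result["is_relay"] else "client")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a script it reviews both samples; the posted configuration gets the two findings the thread arrives at, and the minimal one gets none.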
