diff options
| author | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-09-15 18:34:18 +1000 |
|---|---|---|
| committer | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-09-16 02:56:50 +1000 |
| commit | 098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d (patch) | |
| tree | bc40d90c97de2a09a6c1e277ea3c5f2c455f8787 /doc/tor.1.txt | |
| parent | 31eb486c4624d1437d982ffdfc1f9d7d83c5ffd6 (diff) | |
| download | tor-098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d.tar.gz tor-098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d.zip | |
ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default:
* the relay's published IPv6 address (if any), and
* any publicly routable IPv4 or IPv6 addresses on any local interfaces.
This resolves a security issue for IPv6 Exits and multihomed Exits that
trust connections originating from localhost.
Resolves ticket 17027. Patch by "teor".
Patch on 42b8fb5a1523 (11 Nov 2007), released in 0.2.0.11-alpha.
Diffstat (limited to 'doc/tor.1.txt')
| -rw-r--r-- | doc/tor.1.txt | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 89673a865d..5ac6164f0f 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1578,8 +1578,11 @@ is non-zero): accept *:* [[ExitPolicyRejectPrivate]] **ExitPolicyRejectPrivate** **0**|**1**:: - Reject all private (local) networks, along with your own public IP address, - at the beginning of your exit policy. See above entry on ExitPolicy. + Reject all private (local) networks, along with your own configured public + IPv4 and IPv6 addresses, at the beginning of your exit policy. Also reject + any public IPv4 and IPv6 addresses on any interface on the relay. (If + IPv6Exit is not set, all IPv6 addresses will be rejected anyway.) + See above entry on ExitPolicy. (Default: 1) [[IPv6Exit]] **IPv6Exit** **0**|**1**:: |