summaryrefslogtreecommitdiff
path: root/doc/tor.1.txt
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2011-07-08 16:37:29 -0400
committerNick Mathewson <nickm@torproject.org>2011-07-19 02:02:18 -0400
commit891ccd3cd0690e83f1dc4dde7698c3bd9d7fe98d (patch)
treead34c9bc9e9a736e50ebcedb150a63249750a78e /doc/tor.1.txt
parent172f8acbe7fcdf6b025ad87c81760ef45bbe1d53 (diff)
downloadtor-891ccd3cd0690e83f1dc4dde7698c3bd9d7fe98d.tar.gz
tor-891ccd3cd0690e83f1dc4dde7698c3bd9d7fe98d.zip
Manpage updates for proposal 171 (isolated streams)
Diffstat (limited to 'doc/tor.1.txt')
-rw-r--r--doc/tor.1.txt105
1 files changed, 80 insertions, 25 deletions
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 9607632e1d..8241eeb3c3 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -464,7 +464,7 @@ CLIENT OPTIONS
--------------
The following options are useful only for clients (that is, if
-**SocksPort** is non-zero):
+**SocksPort**, **TransPort**, **DNSPort**, or **NATDPort** is non-zero):
**AllowInvalidNodes** **entry**|**exit**|**middle**|**introduction**|**rendezvous**|**...**::
If some Tor servers are obviously not working right, the directory
@@ -682,17 +682,50 @@ The following options are useful only for clients (that is, if
the same circuit. Currently, two addresses are "too close" if they lie in
the same /16 range. (Default: 1)
-**SocksPort** __PORT__|**auto**::
- Advertise this port to listen for connections from Socks-speaking
+**SOCKSPort** \['address':]__port__|**auto** [_isolation flags_]::
+ Open this port to listen for connections from SOCKS-speaking
applications. Set this to 0 if you don't want to allow application
connections via SOCKS. Set it to "auto" to have Tor pick a port for
- you. (Default: 9050)
-
-**SocksListenAddress** __IP__[:__PORT__]::
+ you. This directive can be specified multiple times to bind
+ to multiple addresses/ports. (Default: 9050) +
+ +
+ The _isolation flags_ arguments give Tor rules for which streams
+ received on this SOCKSPort are allowed to share circuits with one
+ another. Recognized isolation flags are:
+ **IsolateClientAddr**;;
+ Don't share a circuits with streams from a different
+ client address. (On by default and strongly recommended;
+ you can disable it with **NoIsolateClientAddr**.)
+ **IsolateSOCKSAuth**;;
+ Don't share a circuits with streams for which different
+ SOCKS authentication was provided. (On by default;
+ you can disable it with **NoIsolateSOCKSAuth**.)
+ [NOT YET IMPLEMENTED.]
+ **IsolateClientProtocol**;;
+ Don't share circuits with streams using a different protocol.
+ (SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections,
+ and DNSPort requests are all considered to be different protocols.)
+ **IsolateDestPort**;;
+ Don't share a circuits with streams targetting a different
+ destination port.
+ **IsolateDestAddr**;;
+ Don't share a circuits with streams targetting a different
+ destination address.
+ **SessionGroup=**__INT__;;
+ If no other isolation rules would prevent it, allow streams
+ on this port to share circuits with streams from every other
+ port with the same session group. (By default, streams received
+ on different ports are always isolated from one another.)
+
+**SOCKSListenAddress** __IP__[:__PORT__]::
Bind to this address to listen for connections from Socks-speaking
applications. (Default: 127.0.0.1) You can also specify a port (e.g.
192.168.0.1:9100). This directive can be specified multiple times to bind
- to multiple addresses/ports.
+ to multiple addresses/ports. (DEPRECATED: As of 0.2.3.x-alpha, you can
+ now use multiple SOCKSPort entries, and provide addresses for SOCKSPort
+ entries, so SOCKSListenAddress no longer has a purpose. For backward
+ compatibility, SOCKSListenAddress is only allowed when SOCKSPort is just
+ a port number.)
**SocksPolicy** __policy__,__policy__,__...__::
Set an entrance policy for this server, to limit who can connect to the
@@ -795,28 +828,44 @@ The following options are useful only for clients (that is, if
operating as a relay, and it will never use the public key step if it
doesn't yet know the onion key of the first hop. (Default: 1)
-**TransPort** __PORT__|**auto**::
- If non-zero, enables transparent proxy support on __PORT__ (by convention,
- 9040). Requires OS support for transparent proxies, such as BSDs' pf or
+**TransPort** \['address':]__port__|**auto** [_isolation flags_]::
+ Open this port to listen for transparent proxy connections. Set this to
+ 0 if you don't want to allow transparent proxy connections. Set the port
+ to "auto" to have Tor pick a port for you. This directive can be
+ specified multiple times to bind to multiple addresses/ports. See
+ SOCKSPort for an explanation of isolation flags. +
+ +
+ TransPort requires OS support for transparent proxies, such as BSDs' pf or
Linux's IPTables. If you're planning to use Tor as a transparent proxy for
a network, you'll want to examine and change VirtualAddrNetwork from the
default setting. You'll also want to set the TransListenAddress option for
- the network you'd like to proxy. Set it to "auto" to have Tor pick a
- port for you. (Default: 0).
+ the network you'd like to proxy. (Default: 0).
**TransListenAddress** __IP__[:__PORT__]::
Bind to this address to listen for transparent proxy connections. (Default:
127.0.0.1). This is useful for exporting a transparent proxy server to an
- entire network.
-
-**NATDPort** __PORT__|**auto**::
- Allow old versions of ipfw (as included in old versions of FreeBSD, etc.)
- to send connections through Tor using the NATD protocol. This option is
- only for people who cannot use TransPort. Set it to "auto" to have Tor
- pick a port for you. (Default: 0)
+ entire network. (DEPRECATED: As of 0.2.3.x-alpha, you can
+ now use multiple TransPort entries, and provide addresses for TransPort
+ entries, so TransListenAddress no longer has a purpose. For backward
+ compatibility, TransListenAddress is only allowed when TransPort is just
+ a port number.)
+
+**NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
+ Open this port to listen for connections from old versions of ipfw (as
+ included in old versions of FreeBSD, etc) using the NATD protocol.
+ Use 0 if you don't want to allow NATD connections. Set the port
+ to "auto" to have Tor pick a port for you. This directive can be
+ specified multiple times to bind to multiple addresses/ports. See
+ SOCKSPort for an explanation of isolation flags. +
+ +
+ This option is only for people who cannot use TransPort. (Default: 0)
**NATDListenAddress** __IP__[:__PORT__]::
- Bind to this address to listen for NATD connections. (Default: 127.0.0.1).
+ Bind to this address to listen for NATD connections. (DEPRECATED: As of
+ 0.2.3.x-alpha, you can now use multiple NATDPort entries, and provide
+ addresses for NATDPort entries, so NATDListenAddress no longer has a
+ purpose. For backward compatibility, NATDListenAddress is only allowed
+ when NATDPort is just a port number.)
**AutomapHostsOnResolve** **0**|**1**::
When this option is enabled, and we get a request to resolve an address
@@ -829,13 +878,19 @@ The following options are useful only for clients (that is, if
A comma-separated list of suffixes to use with **AutomapHostsOnResolve**.
The "." suffix is equivalent to "all addresses." (Default: .exit,.onion).
-**DNSPort** __PORT__|**auto**::
- If non-zero, Tor listens for UDP DNS requests on this port and resolves
- them anonymously. Set it to "auto" to have Tor pick a port for
- you. (Default: 0).
+**DNSPort** \['address':]__port__|**auto** [_isolation flags_]::
+ If non-zero, open this port to listen for UDP DNS requests, and resolve
+ them anonymously. Set the port to "auto" to have Tor pick a port for
+ you. This directive can be specified multiple times to bind to multiple
+ addresses/ports. See SOCKSPort for an explanation of isolation
+ flags. (Default: 0).
**DNSListenAddress** __IP__[:__PORT__]::
- Bind to this address to listen for DNS connections. (Default: 127.0.0.1).
+ Bind to this address to listen for DNS connections. (DEPRECATED: As of
+ 0.2.3.x-alpha, you can now use multiple DNSPort entries, and provide
+ addresses for DNSPort entries, so DNSListenAddress no longer has a
+ purpose. For backward compatibility, DNSListenAddress is only allowed
+ when DNSPort is just a port number.)
**ClientDNSRejectInternalAddresses** **0**|**1**::
If true, Tor does not believe any anonymously retrieved DNS answer that