author | Nick Mathewson <nickm@torproject.org> | 2016-07-05 19:10:08 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2016-07-05 19:10:08 -0400 |
commit | 78196c8822ec8dda5df95428dbb4ae96ec4d2b7f (patch) | |
tree | 8951cb4cbb699b49b80dbf75ce27e3f55f002cc8 /doc | |
parent | dfa41ac0f32729f9d5a731681d826ec3006f6fb5 (diff) | |
parent | 514f0041d190b9e142cc246e3ec7ac65342547bd (diff) | |
download | tor-78196c8822ec8dda5df95428dbb4ae96ec4d2b7f.tar.gz tor-78196c8822ec8dda5df95428dbb4ae96ec4d2b7f.zip |
Merge remote-tracking branch 'teor/bug18456'
Diffstat (limited to 'doc')
-rw-r--r-- | doc/tor.1.txt | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/doc/tor.1.txt b/doc/tor.1.txt index f42ac8cd03..b5d6e87683 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1701,15 +1701,16 @@ is non-zero): used with accept6/reject6.) + + Private addresses are rejected by default (at the beginning of your exit - policy), along with any configured primary public IPv4 and IPv6 addresses, - and any public IPv4 and IPv6 addresses on any interface on the relay. + policy), along with any configured primary public IPv4 and IPv6 addresses. These private addresses are rejected unless you set the ExitPolicyRejectPrivate config option to 0. For example, once you've done that, you could allow HTTP to 127.0.0.1 and block all other connections to internal networks with "accept 127.0.0.1:80,reject private:\*", though that may also allow connections to your own computer that are addressed to its public (external) IP address. See RFC 1918 and RFC 3330 for more details - about internal and reserved IP address space. + + about internal and reserved IP address space. See + ExitPolicyRejectLocalInterfaces if you want to block every address on the + relay, even those that aren't advertised in the descriptor. + + This directive can be specified multiple times so you don't have to put it all on one line. + 
@@ -1739,16 +1740,23 @@ is non-zero): IPv4 and IPv6 addresses. [[ExitPolicyRejectPrivate]] **ExitPolicyRejectPrivate** **0**|**1**:: - Reject all private (local) networks, along with any configured public - IPv4 and IPv6 addresses, at the beginning of your exit policy. (This - includes the IPv4 and IPv6 addresses advertised by the relay, any - OutboundBindAddress, and the bind addresses of any port options, such as - ORPort and DirPort.) This also rejects any public IPv4 and IPv6 addresses - on any interface on the relay. (If IPv6Exit is not set, all IPv6 addresses - will be rejected anyway.) + Reject all private (local) networks, along with the relay's advertised + public IPv4 and IPv6 addresses, at the beginning of your exit policy. See above entry on ExitPolicy. (Default: 1) +[[ExitPolicyRejectLocalInterfaces]] **ExitPolicyRejectLocalInterfaces** **0**|**1**:: + Reject all IPv4 and IPv6 addresses that the relay knows about, at the + beginning of your exit policy. This includes any OutboundBindAddress, the + bind addresses of any port options, such as ControlPort or DNSPort, and any + public IPv4 and IPv6 addresses on any interface on the relay. (If IPv6Exit + is not set, all IPv6 addresses will be rejected anyway.) + See above entry on ExitPolicy. + This option is off by default, because it lists all public relay IP + addresses in the ExitPolicy, even those relay operators might prefer not + to disclose. + (Default: 0) + [[IPv6Exit]] **IPv6Exit** **0**|**1**:: If set, and we are an exit node, allow clients to use us for IPv6 traffic. (Default: 0) |
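Review bot: In the first hunk, the new cross-reference "See ExitPolicyRejectLocalInterfaces if you want to block every address on the relay, even those that aren't advertised in the descriptor" should say that this option is off by default. The removed line "and any public IPv4 and IPv6 addresses on any interface on the relay" means interface addresses were previously rejected without any configuration, so an operator reading the updated ExitPolicy entry alone cannot tell that the behaviour has changed and now needs to be enabled explicitly. Suggested wording: "See ExitPolicyRejectLocalInterfaces (off by default) if you want to block every address on the relay, even those that aren't advertised in the descriptor."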
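Review bot: In the second hunk, the bind addresses of ORPort and DirPort drop out of the ExitPolicyRejectPrivate entry (the removed lines name "any OutboundBindAddress, and the bind addresses of any port options, such as ORPort and DirPort"), and the new ExitPolicyRejectLocalInterfaces entry lists only "ControlPort or DNSPort" as examples, so the text no longer states whether a non-advertised ORPort or DirPort bind address is still rejected when only the default ExitPolicyRejectPrivate is in effect. Please state this explicitly in one of the two entries, and also add a sentence on how the two options combine, for example whether ExitPolicyRejectLocalInterfaces 1 still rejects interface addresses when ExitPolicyRejectPrivate is set to 0. The rationale "it lists all public relay IP addresses in the ExitPolicy, even those relay operators might prefer not to disclose" is a useful note and should stay, since the descriptor publishes the resulting policy.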