From 514f0041d190b9e142cc246e3ec7ac65342547bd Mon Sep 17 00:00:00 2001 From: "teor (Tim Wilson-Brown)" Date: Fri, 1 Jul 2016 15:37:13 +1000 Subject: Avoid disclosing exit IP addresses in exit policies by default From 0.2.7.2-alpha onwards, Exits would reject all the IP addresses they knew about in their exit policy. But this may have disclosed addresses that were otherwise unlisted. Now, only advertised addresses are rejected by default by ExitPolicyRejectPrivate. All known addresses are only rejected when ExitPolicyRejectLocalInterfaces is explicitly set to 1. --- doc/tor.1.txt | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) (limited to 'doc') diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 64f0da0eeb..c22f94e0bd 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1701,15 +1701,16 @@ is non-zero): used with accept6/reject6.) + + Private addresses are rejected by default (at the beginning of your exit - policy), along with any configured primary public IPv4 and IPv6 addresses, - and any public IPv4 and IPv6 addresses on any interface on the relay. + policy), along with any configured primary public IPv4 and IPv6 addresses. These private addresses are rejected unless you set the ExitPolicyRejectPrivate config option to 0. For example, once you've done that, you could allow HTTP to 127.0.0.1 and block all other connections to internal networks with "accept 127.0.0.1:80,reject private:\*", though that may also allow connections to your own computer that are addressed to its public (external) IP address. See RFC 1918 and RFC 3330 for more details - about internal and reserved IP address space. + + about internal and reserved IP address space. See + ExitPolicyRejectLocalInterfaces if you want to block every address on the + relay, even those that aren't advertised in the descriptor. + + This directive can be specified multiple times so you don't have to put it all on one line. + @@ -1739,16 +1740,23 @@ is non-zero): IPv4 and IPv6 addresses. [[ExitPolicyRejectPrivate]] **ExitPolicyRejectPrivate** **0**|**1**:: - Reject all private (local) networks, along with any configured public - IPv4 and IPv6 addresses, at the beginning of your exit policy. (This - includes the IPv4 and IPv6 addresses advertised by the relay, any - OutboundBindAddress, and the bind addresses of any port options, such as - ORPort and DirPort.) This also rejects any public IPv4 and IPv6 addresses - on any interface on the relay. (If IPv6Exit is not set, all IPv6 addresses - will be rejected anyway.) + Reject all private (local) networks, along with the relay's advertised + public IPv4 and IPv6 addresses, at the beginning of your exit policy. See above entry on ExitPolicy. (Default: 1) +[[ExitPolicyRejectLocalInterfaces]] **ExitPolicyRejectLocalInterfaces** **0**|**1**:: + Reject all IPv4 and IPv6 addresses that the relay knows about, at the + beginning of your exit policy. This includes any OutboundBindAddress, the + bind addresses of any port options, such as ControlPort or DNSPort, and any + public IPv4 and IPv6 addresses on any interface on the relay. (If IPv6Exit + is not set, all IPv6 addresses will be rejected anyway.) + See above entry on ExitPolicy. + This option is off by default, because it lists all public relay IP + addresses in the ExitPolicy, even those relay operators might prefer not + to disclose. + (Default: 0) + [[IPv6Exit]] **IPv6Exit** **0**|**1**:: If set, and we are an exit node, allow clients to use us for IPv6 traffic. (Default: 0) -- cgit v1.2.3-54-g00ecf