From 9ff4b2cf9711fc81882ec866c003613e26968505 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Wed, 1 Feb 2006 05:22:11 +0000 Subject: document ExitPolicyRejectPrivate in man page svn:r5889 --- doc/tor.1.in | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/tor.1.in b/doc/tor.1.in index e5eeafe055..cbf817f5a0 100644 --- a/doc/tor.1.in +++ b/doc/tor.1.in @@ -387,15 +387,18 @@ denote the universe (0.0.0.0/0). \fIPORT\fP can be a single port number, an interval of ports "\fIFROM_PORT\fP\fB-\fP\fITO_PORT\fP", or "\fB*\fP". If \fiPORT\fP is omitted, that means "\fB*\fP". -For example, "reject 127.0.0.1:*,reject 192.168.1.0/24:*,accept *:*" would -reject any traffic destined for localhost and any 192.168.1.* address, but +For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*" would +reject any traffic destined for MIT except for web.mit.edu, and accept anything else. To specify all internal and link-local networks (including 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12), you can use the "private" alias instead of an address. -For example, to allow HTTP to 127.0.0.1 and block all other -connections to internal networks, you can say "accept +These addresses are rejected by default (at the beginning of your +exit policy) unless you set the ExitPolicyRejectPrivate config option +to 0. For example, once you've done that, you could allow HTTP to +127.0.0.1 and block all other connections to internal networks with +"accept 127.0.0.1:80,reject private:*". See RFC 1918 and RFC 3330 for more details about internal and reserved IP address space. @@ -408,7 +411,6 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to) the default exit policy. The default exit policy is: .PD 0 .RS 12 -.IP "reject private:*" 0 .IP "reject *:25" .IP "reject *:119" .IP "reject *:135-139" 
@@ -425,6 +427,11 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_ .PD .LP .TP +\fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP +Reject all private (local) networks at the beginning of your exit +policy. See above entry on ExitPolicy. (Default: 1) +.LP +.TP \fBMaxOnionsPending \fR\fINUM\fP If you have more than this number of onionskins queued for decrypt, reject new ones. (Default: 100) .LP -- cgit v1.2.3-54-g00ecf
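Review bot: in the first hunk of doc/tor.1.in, the replacement example pins web.mit.edu to a literal address (18.7.22.69), which will silently go stale when that host moves; since the paragraph is teaching the syntax rather than MIT's addressing, consider an example that does not depend on a live DNS mapping (e.g. "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*" described simply as "accept one host in a /8 while rejecting the rest of it"), or at least drop the hostname. The same hunk's unchanged context still carries the typo "\fiPORT\fP" (lowercase \fi instead of the \fI italic escape used on the surrounding lines); as this change already touches the paragraph, it would be worth fixing in the same commit.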
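Review bot: in the second hunk, removing ".IP "reject private:*" 0" from the default exit policy list leaves the text just above it ("If your exit policy ends with either a reject *:* or an accept *:* ... Otherwise, you're _augmenting_ the default exit policy") without any mention that private networks are still rejected even when the operator's policy fully replaces the default; a reader who only consults this list will conclude that a custom policy ending in "accept *:*" permits 192.168.0.0/16 and friends. Suggest a one-line cross-reference here, e.g. "(Private networks are rejected before this list unless ExitPolicyRejectPrivate is 0; see above.)"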
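Review bot: in the third hunk, the new ExitPolicyRejectPrivate entry says what the option does but not why the default is 1, and "See above entry on ExitPolicy" reads awkwardly for a man page; suggest "See the ExitPolicy entry above." and a short sentence noting that with the default, connections from the Tor network cannot be exited onto the relay operator's own LAN or link-local addresses, so an operator setting it to 0 should pair it with explicit reject lines for any internal ranges they do not intend to expose (the example in the first hunk, "accept 127.0.0.1:80,reject private:*", already shows the pattern and could be referenced directly).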