Opened 13 years ago

Last modified 7 years ago

#235 closed defect (Fixed)

Servers and ReachableAddresses

Reported by: weasel
Owned by:
Priority: Low
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords:
Cc: weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


A server operator did set FascistFirewall because he filtered
incoming connections. Maybe Tor should do something, like warn
or not let you be a server, when you have a restrictive
ReachableAddresses list.

<weasel> should Tor allow you to be a server when you have FascistFirewall set?
<nickm> weasel: Probably not. But it's hard to enforce, since it's reasonable to allow servers when ReachableAddresses is set.
<nickm> And FascistFirewall aliases to that.
<weasel> is it reasonable?
<nickm> Sure
<weasel> ok :)
<nickm> If I say "all ports 1024-65535 are reachable", I'm a fine
<weasel> this specific config would mean you can only access one of the auth directory servers
<nickm> well, that would suck.
<nickm> actually...
<nickm> okay, adding proposed rule to TODO.
<weasel> maybe Tor should warn if your ReachableAddresses prevents you from reaching one of the dirservers?
<nickm> let me know what you think
<nickm> If you're a directory cache, you need to be able to reach all the directory authorities.
<nickm> If you're an OR, you should be able to reach (oh, say) 85% of the other ORs.
<weasel> and you need to be able to reach at least one directory
<nickm> hm, true, to bootstrap.
<nickm> I suspect this is not an earthshaking problem as it is: you'll either bootstrap or you won't; you'll either be able to build a connection to yourself or
<weasel> you're right, it's not. it would just be nice to give the operator some feedback that what he's doing is probably not a good idea :)
<weasel> as it turned out in this case the user didn't realize FascistFirewall was for outgoing, not incoming connections.

[Automatically added by flyspray2trac: Operating System: All]
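
The rule proposed in the log above (a directory cache must reach every directory authority, an OR about 85% of the other ORs, and any node at least one directory to bootstrap), sketched as a standalone check. This is an added example, not Tor's code and not the fix recorded in this ticket. Assumptions: the addresses are constructed, only IPv4 is handled, an address matching no rule counts as unreachable, and the ports 80 and 443 string standing in for FascistFirewall is illustrative.

```python
import ipaddress

def parse_policy(spec):
    """Parse 'accept *:80, reject 192.0.2.0/24:*' into ordered rules (IPv4 only)."""
    rules = []
    for item in filter(str.strip, spec.split(",")):
        words = item.split()
        accept = words[0] != "reject"        # "accept" is implied unless "reject" is given
        addr, sep, port = words[-1].rpartition(":")
        if not sep:                          # bare address, no ":PORT" part
            addr, port = port, "*"
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        lo, _, hi = ("1-65535" if port == "*" else port).partition("-")
        rules.append((accept, net, int(lo), int(hi or lo)))
    return rules

def reachable(rules, ip, port):
    """First matching rule decides. Assumption: no match means not reachable."""
    ip = ipaddress.ip_address(ip)
    for accept, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return accept
    return False

def audit(spec, authorities, relays, is_dir_cache=False, min_fraction=0.85):
    """Return warnings for a relay whose outgoing policy is `spec`."""
    rules = parse_policy(spec)
    auths = sum(reachable(rules, ip, port) for ip, port in authorities)
    peers = sum(reachable(rules, ip, port) for ip, port in relays)
    warnings = []
    if auths == 0:
        warnings.append("no directory authority reachable: cannot bootstrap")
    elif is_dir_cache and auths < len(authorities):
        warnings.append(f"directory cache reaches only {auths}/{len(authorities)} authorities")
    if peers < min_fraction * len(relays):
        warnings.append(f"reaches only {peers}/{len(relays)} relays")
    return warnings

# Constructed sample data (documentation address ranges, not real Tor nodes).
AUTHORITIES = [("192.0.2.1", 80), ("192.0.2.2", 9031), ("192.0.2.3", 9001)]
RELAYS = [("198.51.100.%d" % i, 9001) for i in range(1, 10)] + [("203.0.113.1", 443)]
FASCIST = "accept *:80, accept *:443, reject *:*"   # assumed FascistFirewall equivalent
HIGH_PORTS = "accept *:1024-65535, reject *:*"      # the "all ports 1024-65535" case

if __name__ == "__main__":
    for name, spec in (("FascistFirewall", FASCIST), ("high ports", HIGH_PORTS)):
        for cache in (False, True):
            print(name, "dir cache" if cache else "OR", audit(spec, AUTHORITIES, RELAYS, cache))
```

With the constructed data, the 80/443 policy reaches one authority and one relay in ten, while the high-ports policy passes as an OR and fails only the directory-cache requirement.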

Change History (3)

comment:1 Changed 13 years ago by arma

+ REJECT("Servers must be able to freely connect to the rest "
+ "of the Internet, so they must not set ReachableAddresses "
+ "or FascistFirewall.");
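
Review bot: The REJECT message in this hunk forbids any ReachableAddresses on a server, which is stricter than the discussion in this ticket, where a broad list such as "all ports 1024-65535" was called reasonable for a server and the proposed rule was about reaching the directory authorities and most other ORs. The guarding condition is not visible in these lines; if it fires on every non-empty ReachableAddresses, record that as a deliberate simplification, otherwise reword the message to match the condition. Since the operator in the report set FascistFirewall believing it filtered incoming connections, the message should also say that both options restrict outgoing connections only.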

comment:2 Changed 13 years ago by arma

flyspray2trac: bug closed.

comment:3 Changed 7 years ago by nickm

Component: Tor Relay → Tor