Opened 15 months ago

Last modified 9 months ago

#25892 reopened enhancement

Replace RejectPlaintextPorts with RejectPlaintextPortPolicy

Reported by: cypherpunks Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-config, easy, 035-roadmap-removed-proposed-20181029
Cc: gk, arma, isis Actual Points:
Parent ID: Points: 1
Reviewer: Sponsor:

Description

http://expyuzz4wqqyqhjn.onion/docs/tor-manual.html.en
RejectPlaintextPorts port,port

I want my Tor to allow only port 443(HTTPS) and 9877(XMPP).
But current RejectPlaintextPorts is not easy to use because I have to
set "RPP 0,1,2,3,4...65535".

I want something like this:

AccessibleTorPorts 443,9877
AccessibleTorPorts reject *

format:
AccessibleTorPorts port[,port...]
AccessibleTorPorts reject [port|*]

Child Tickets

Change History (14)

comment:1 Changed 15 months ago by isis

Keywords: tor-config added
Resolution: worksforme
Status: new → closed

Hi! If by "my Tor" you meant a relay that you're running, this can be accomplished with the ExitPolicy configuration option:

ExitPolicy accept *:443, accept *:9877, reject *:*

If you meant your Tor client, however, this is accomplished by running:

python -c "import sys;sys.stdout.write('RejectPlaintextPorts '+','.join([str(x) for x in range(1, 65536) if x not in (443,9877)])+'\n')" >> /etc/tor/torrc

I'm going to close this because I don't see it being a generally useful feature for most users, but feel free to reopen if you disagree.

comment:2 Changed 15 months ago by cypherpunks

Resolution: worksforme
Status: closed → reopened

Actually I would also like this feature even though I didn't know about RejectPlaintextPorts before seeing this ticket.

This feature would make the torrc also a lot cleaner.

comment:3 Changed 15 months ago by cypherpunks

@isis

Reporter here.

If you meant your Tor client

I mean Tor client. I want my Tor to block all exit connections except port 443 and 9877.

network[PC -- TorServer] === ISP === Tor Nodes === Internet

PC: http x.y.z -> tor: reject and close request
PC https x.y.z -> tor: proceed

@cypherpunk

Actually I would also like this feature

Nice!

comment:4 in reply to: 3 Changed 15 months ago by isis

Cc: isis added
Keywords: 035-proposed easy added
Points: 1
Sponsor: SponsorZ

Replying to cypherpunks:

@isis

Reporter here.

If you meant your Tor client

I mean Tor client. I want my Tor to block all exit connections except port 443 and 9877.

network[PC -- TorServer] === ISP === Tor Nodes === Internet

PC: http x.y.z -> tor: reject and close request
PC https x.y.z -> tor: proceed

@cypherpunk

Actually I would also like this feature

Nice!


Okay, fair enough! I'm reopening and postponing since our new triage rules default to everything being triaged out and select proposed things being triaged in.

FWIW, this ticket should be easily accessible for new contributors, and I'm also nominating it for 0.3.5 in case someone wants to do this in the next couple months. (Sorry, I probably will unfortunately not have enough time.)

comment:5 Changed 15 months ago by cypherpunks

AccessibleTorPorts 443,9877
AccessibleTorPorts reject * <-- don't need this

When the user set ATP, allow only those and block else.

comment:6 Changed 15 months ago by teor

To avoid user confusion, I think we should have this option take a list of accept/reject rules, like ExitPolicy, SOCKSPolicy etc.

We can make accept the default, and we can probably modify it to assume all IP addresses if you just specify a port.

So these options are equivalent:

AccessibleTorPorts 443,9877
AccessibleTorPorts accept 443, accept 9877
AccessibleTorPorts accept *:443, accept *:9877
AccessibleTorPorts accept *:443, accept *:9877, reject *:*
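To make the semantics in the description and in comment:6 concrete, here is a small evaluator for the proposed accept/reject port-policy syntax. It is an added example written for this ticket, not code from Tor; it models the rules teor states (accept is the default action, a bare port means "*:port", and a policy without a trailing "reject *:*" behaves as if it had one, so "443,9877" allows exactly those two ports). Port ranges ("1-1023") and exact-hostname targets ("host:9877", which teor was unsure Tor could support) are assumptions of this example, and "example.com" is a constructed test hostname.

```python
"""Evaluator for the accept/reject port-policy syntax proposed in this ticket.

Added example, not Tor's code.  Rule semantics follow comment:6: "accept" is
the default action, a bare port stands for "*:port", and the list is an
allow-list, so an implicit "reject *:*" is appended.  Host-specific targets
are matched by exact hostname here, which is an assumption of this example.
"""
from typing import List, Tuple

Rule = Tuple[str, str, str]  # (action, address pattern, port pattern)


def _parse_port_pattern(pattern: str) -> str:
    """Accept '*', a single port, or a 'lo-hi' range (range support is an assumption)."""
    if pattern == "*":
        return pattern
    lo, _, hi = pattern.partition("-")
    for p in (lo, hi or lo):
        if not p.isdigit() or not 1 <= int(p) <= 65535:
            raise ValueError("bad port pattern: %r" % pattern)
    if hi and int(lo) > int(hi):
        raise ValueError("bad port range: %r" % pattern)
    return pattern


def parse_policy(value: str) -> List[Rule]:
    """Turn 'accept *:443, accept *:9877, reject *:*' into an ordered rule list."""
    rules: List[Rule] = []
    for item in value.split(","):
        parts = item.split()
        if not parts:
            continue
        if parts[0].lower() in ("accept", "reject"):
            action, target = parts[0].lower(), " ".join(parts[1:])
        else:
            action, target = "accept", " ".join(parts)  # accept is the default
        if not target or " " in target:
            raise ValueError("bad rule: %r" % item)
        # A bare port means "every address, this port".
        addr, _, port = target.rpartition(":")
        if not addr:
            addr, port = "*", target
        rules.append((action, addr, _parse_port_pattern(port)))
    # Listing ports only makes sense as an allow-list: block everything else.
    rules.append(("reject", "*", "*"))
    return rules


def _matches(rule: Rule, host: str, port: int) -> bool:
    action, addr, pat = rule
    if addr != "*" and addr != host:
        return False
    if pat == "*":
        return True
    lo, _, hi = pat.partition("-")
    return int(lo) <= port <= int(hi or lo)


def decide(rules: List[Rule], host: str, port: int) -> str:
    """First matching rule wins, as with ExitPolicy."""
    for rule in rules:
        if _matches(rule, host, port):
            return rule[0]
    return "reject"  # not reached: parse_policy appends a catch-all


def equivalent(policy_a: str, policy_b: str, host: str = "example.com") -> bool:
    """True if both policies decide every port 1..65535 the same way for `host`."""
    ra, rb = parse_policy(policy_a), parse_policy(policy_b)
    return all(decide(ra, host, p) == decide(rb, host, p) for p in range(1, 65536))


if __name__ == "__main__":
    # The four spellings listed in comment:6, plus the ticket's original
    # "port,port" form, all collapse to the same allow-list.
    forms = [
        "443,9877",
        "accept 443, accept 9877",
        "accept *:443, accept *:9877",
        "accept *:443, accept *:9877, reject *:*",
    ]
    for f in forms[1:]:
        print("%-45s equivalent to %r: %s" % (f, forms[0], equivalent(forms[0], f)))
    for port in (443, 9877, 80):
        print("port %5d -> %s" % (port, decide(parse_policy(forms[0]), "example.com", port)))
```

Run as a script it checks the four forms from comment:6 against each other and shows that ports 443 and 9877 are accepted while 80 is rejected; the equivalence check is what a unit test for the real option parser would want to assert.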

comment:7 Changed 15 months ago by cypherpunks

So these are acceptable? (just an example)

AccessibleTorPorts *:443,*:990
AccessibleTorPorts oh.thisismyxmpp.onion:9877
AccessibleTorPorts reject *:*

(taken from 'ReachableAddresses' lines from torrc)

comment:8 Changed 15 months ago by cypherpunks

and deprecate 2 options

WarnPlaintextPorts
RejectPlaintextPorts

comment:9 in reply to: 8 Changed 15 months ago by teor

Replying to cypherpunks:

So these are acceptable? (just an example)

AccessibleTorPorts *:443,*:990
AccessibleTorPorts oh.thisismyxmpp.onion:9877

I'm not sure about specific addresses. I think we would have to rewrite the code to make it work.

AccessibleTorPorts reject *:*

(taken from 'ReachableAddresses' lines from torrc)

All your other rules are fine.

But I'm going to ask you to rename the option: "Accessible" is ambiguous, and "Tor" is redundant.
By analogy with ExitPolicy and SOCKSPolicy, let's use "PortConnectPolicy", or something similar.

Replying to cypherpunks:

and deprecate 2 options

WarnPlaintextPorts
RejectPlaintextPorts

If people are still using the "warn" option, we can't deprecate it and remove its functionality entirely.
Instead, we should have:

PortWarnPolicy
PortConnectPolicy

comment:10 Changed 13 months ago by nickm

Keywords: 035-roadmap-proposed added; 035-proposed removed

comment:11 Changed 11 months ago by nickm

Milestone: Tor: unspecified

comment:12 Changed 11 months ago by teor

Sponsor: SponsorZ
Summary: "AccessibleTorPorts" Add a new option and deprecate 2 options → Replace RejectPlaintextPorts with RejectPlaintextPortPolicy

I suggest we use the following names:
RejectPlaintextPorts -> RejectPlaintextPortPolicy
WarnPlaintextPorts -> WarnPlaintextPortPolicy

comment:13 Changed 9 months ago by teor

Keywords: 035-roadmap-proposed-removed-20181029 added; 035-roadmap-proposed removed

Remove unlikely enhancements from 035-roadmap-proposed

comment:14 Changed 9 months ago by teor

Keywords: 035-roadmap-removed-proposed-20181029 added; 035-roadmap-proposed-removed-20181029 removed

Keyword searches use substrings
