Opened 10 months ago

Last modified 5 days ago

#29339 new enhancement

Bind outbound ports

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords:
Cc: spam@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It would be useful if a tor relay could be configured to use a specific local port range for outgoing traffic, or even bind to a single port.

This would make tor more manageable and flexible. Especially in a router/fw.

Just like we have ORPort for incoming traffic, we could have OROutPort for outgoing ports.

Many popular torrent applications do this.

It would allow running tor behind a stateless firewall, which is very useful for low end routers with high bw Internet connections.

Change History (7)

comment:1 Changed 10 months ago by dgoulet

Component: Core Tor → Core Tor/Tor

comment:2 Changed 10 months ago by teor

We could extend the OutboundBindAddress options to include a port range.

comment:3 Changed 8 months ago by nickm

Milestone: Tor: unspecified

Is there a way to do this in C other than to try over and over until you find a free port?

comment:4 in reply to: 3 Changed 8 months ago by teor

Replying to nickm:

Is there a way to do this in C other than to try over and over until you find a free port?

I think that's basically it.

If the range is large, we can bind to an arbitrary port, then close and re-bind if you don't like the OS choice.
If the range is small, we can choose a random port, and bind specifically to it, and then choose another port if it fails.

Sounds like a denial of service risk to me, either way.

comment:5 Changed 5 weeks ago by cypherpunks

My idea was initially specifying one outgoing port. It doesn't have to be a range. Why would this be a denial of service risk? I suspect no more than the listening port. At least if tor binds the port on startup.

It would make it possible to have Tor behind a stateless firewall that knows nothing about connection tracking.

As I mentioned, several torrent clients have this capability. And they are similar in that they have many concurrent connections. Obviously proper firewall rules must be in place.

Last edited 5 weeks ago by cypherpunks

comment:6 Changed 5 weeks ago by teor

The bind() system call can be used when initiating a connection as well. So we could implement this if we needed to.
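
The bind()-before-connect() pattern teor describes, combined with the "try ports until one is free" loop from comment 4, as an added C example that is not Tor's own code. The function names bind_outbound_in_range, connect_from_port_range, local_port_of and demo_loopback are hypothetical, and the loopback listener plus the range 40000-40009 are constructed for the demonstration; a real relay would take the address and range from its configuration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind an already-created AF_INET socket to local_addr and some TCP port in
 * [lo, hi].  Ports are tried from a random starting offset so a busy range does
 * not always collide on the same first port.  Returns the port actually bound,
 * or -1 if every port is in use or a non-EADDRINUSE error occurs (for example
 * EACCES when binding a privileged port without permission). */
int bind_outbound_in_range(int fd, const char *local_addr, int lo, int hi)
{
    struct sockaddr_in sa;
    if (lo < 1 || hi > 65535 || lo > hi)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, local_addr, &sa.sin_addr) != 1)
        return -1;
    int span = hi - lo + 1;
    int start = rand() % span;
    for (int i = 0; i < span; i++) {
        int port = lo + (start + i) % span;
        sa.sin_port = htons((uint16_t)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
            return port;
        if (errno != EADDRINUSE)
            return -1;
    }
    return -1;  /* range exhausted: the worst case of "try over and over" */
}

/* bind() then connect(): pin the local side to local_addr and a port in
 * [lo, hi] before initiating the connection.  Returns the connected fd or -1. */
int connect_from_port_range(const char *local_addr, int lo, int hi,
                            const char *dst_addr, int dst_port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* Without SO_REUSEADDR a port left in TIME_WAIT by an earlier connection
     * stays unusable for minutes, which empties a small range quickly. */
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind_outbound_in_range(fd, local_addr, lo, hi) < 0) {
        close(fd);
        return -1;
    }
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons((uint16_t)dst_port);
    if (inet_pton(AF_INET, dst_addr, &dst.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The local port a socket ended up with, read back via getsockname(). */
int local_port_of(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Constructed loopback check: listen on 127.0.0.1 at an OS-chosen port, connect
 * to it from a socket bound into [lo, hi], and return the local port the
 * outbound socket actually used (-1 on failure). */
int demo_loopback(int lo, int hi)
{
    int used = -1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    struct sockaddr_in la;
    memset(&la, 0, sizeof la);
    la.sin_family = AF_INET;
    la.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    la.sin_port = 0;  /* let the OS pick the listening port */
    if (bind(lfd, (struct sockaddr *)&la, sizeof la) == 0 && listen(lfd, 1) == 0) {
        int cfd = connect_from_port_range("127.0.0.1", lo, hi,
                                          "127.0.0.1", local_port_of(lfd));
        if (cfd >= 0) {
            used = local_port_of(cfd);
            close(cfd);
        }
    }
    close(lfd);
    return used;
}

int main(void)
{
    int port = demo_loopback(40000, 40009);
    printf("outbound socket used local port %d\n", port);
    return port < 0;
}
```

Two points the ticket's discussion raises show up in the code. First, the loop gives up and returns -1 once the range is exhausted instead of retrying forever, so the caller can log the failure and back off; with a single configured port, every outbound connection shares that local port and only the remote address/port distinguishes them, which is the capacity limit behind the denial-of-service concern in comment 4. Second, the stateless-firewall use case from the description only works if the firewall rule matches exactly the bound address and port, so the value read back with getsockname() is the one to check against the rule, not the configured range.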

comment:7 Changed 5 days ago by cypherpunks

I downvote adding an extra setting OROutPort, but suggest the following config options, adding outgoing port selection:

OutboundBindAddress 192.0.2.0:443
OutboundBindAddressOR 198.51.100.0:443
OutboundBindAddressExit 203.0.113.0:443

OutboundBindAddress [2001:DB8::1]:443
OutboundBindAddressOR [2001:DB8::1]:443
OutboundBindAddressExit [2001:DB8::1]:443
