Opened 21 months ago

Last modified 11 months ago

#29339 new enhancement

Bind outbound ports

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords:
Cc: spam@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It would be useful if a tor relay could be configured to use a specific local port range for outgoing traffic, or even bind to a single port.

This would make tor more manageable and flexible, especially in a router/firewall.

Just like we have ORPort for incoming traffic, we could have OROutPort for outgoing ports.

Many popular torrent applications do this.

It would allow running tor behind a stateless firewall, which is very useful for low-end routers with high-bandwidth Internet connections.

Child Tickets

Change History (7)

comment:1 Changed 21 months ago by dgoulet

Component: Core Tor → Core Tor/Tor

comment:2 Changed 21 months ago by teor

We could extend the OutboundBindAddress options to include a port range.

comment:3 Changed 19 months ago by nickm

Milestone: Tor: unspecified

Is there a way to do this in C other than to try over and over until you find a free port?

comment:4 in reply to: 3 Changed 19 months ago by teor

Replying to nickm:

Is there a way to do this in C other than to try over and over until you find a free port?

I think that's basically it.

If the range is large, we can bind to an arbitrary port, then close and re-bind if we don't like the OS choice.
If the range is small, we can choose a random port, bind specifically to it, and then choose another port if it fails.

Sounds like a denial of service risk to me, either way.

comment:5 Changed 12 months ago by cypherpunks

My idea was initially specifying one outgoing port. It doesn't have to be a range. Why would this be a denial of service risk? I suspect no more than the listening port. At least if tor binds the port on startup.

It would make it possible to have Tor behind a stateless firewall that knows nothing about connection tracking.

As I mentioned, several torrent clients have this capability. And they are similar in that they have many concurrent connections. Obviously proper firewall rules must be in place.

Last edited 12 months ago by cypherpunks

comment:6 Changed 12 months ago by teor

The bind() system call can be used when initiating a connection as well. So we could implement this if we needed to.
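The approach sketched in comment:4 (pick a random port in the range, bind, try another on failure) combined with comment:6 (bind() before connect()), as an added C example that is not Tor's code. The function names, the IPv4 loopback self-check and the port range it uses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind fd to local_ip on a source port from [lo, hi]; the caller connect()s
 * afterwards. Each port is tried at most once; retry only on EADDRINUSE. */
int bind_outbound_port(int fd, const char *local_ip, int lo, int hi)
{
    struct sockaddr_in sa = {0};
    int span = hi - lo + 1, start;
    sa.sin_family = AF_INET;
    if (lo < 1 || hi > 65535 || span < 1 ||
        inet_pton(AF_INET, local_ip, &sa.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    start = rand() % span;        /* random first pick (Tor would use its CSPRNG) */
    for (int i = 0; i < span; i++) {
        int port = lo + (start + i) % span;
        sa.sin_port = htons((uint16_t)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
            return port;          /* bound: now connect() as usual */
        if (errno != EADDRINUSE)  /* any other error is fatal */
            return -1;
    }
    errno = EADDRINUSE;           /* whole range busy: the DoS case teor notes */
    return -1;
}

/* Self-check: occupy an OS-chosen loopback port with a blocker socket, then
 * request a range starting at it. Returns the port taken (never *busy). */
int demo_skips_busy_port(int *busy)
{
    struct sockaddr_in sa = {0};
    socklen_t len = sizeof sa;
    int blocker = socket(AF_INET, SOCK_STREAM, 0), out = socket(AF_INET, SOCK_STREAM, 0), chosen = -1;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: OS picks one */
    if (blocker >= 0 && out >= 0 &&
        bind(blocker, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        getsockname(blocker, (struct sockaddr *)&sa, &len) == 0) {
        *busy = ntohs(sa.sin_port);
        chosen = bind_outbound_port(out, "127.0.0.1", *busy, *busy + 3);
    }
    close(blocker); close(out);
    return chosen;
}
```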

comment:7 Changed 11 months ago by cypherpunks

I downvote adding an extra OROutPort setting, but suggest the following config options instead, adding outgoing port selection:

OutboundBindAddress 192.0.2.0:443
OutboundBindAddressOR 198.51.100.0:443
OutboundBindAddressExit 203.0.113.0:443

OutboundBindAddress [2001:DB8::1]:443
OutboundBindAddressOR [2001:DB8::1]:443
OutboundBindAddressExit [2001:DB8::1]:443
