wiki:doc/ReducedExitPolicy

The Reduced Exit Policy is an alternative to the default exit policy. It allows as many Internet services as possible while still blocking the majority of TCP ports: the list below accepts roughly a hundred individual ports out of 65535. This reduces the odds that a BitTorrent user will select your node as an exit.

Since BitTorrent clients can be run on any port, and most of them pick random ports, every port you add to your exit policy increases the probability that a BitTorrent client uses your exit node to connect to a monitored peer listening on that port. Enabling whole ranges of ports is therefore especially bad. Under this model each new port adds roughly 1/65535 to your risk of receiving DMCA takedown notices (or more, if the ports listed below become preferred for torrent traffic precisely because this policy is well known). The privileged ports (1-1023), which unprivileged processes cannot bind, carry a smaller risk.

This policy was produced by scanning /etc/services and checking various port lists around the net. The list has been checked to ensure that none of these ports overlap with popular default ports of BitTorrent clients. If you add to this list, please check that carefully too.
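The per-port risk model and the overlap check described above can be automated. The following is an added example (not the Tor project's code and not from this wiki): it parses torrc-style ExitPolicy lines, applies Tor's first-match-wins evaluation, expands ranges, reports how much of the 65535-port space a policy exposes, and flags accepted ports that collide with BitTorrent defaults. The embedded policy is a constructed subset of the list on this page plus one deliberately bad addition (6881-6889), and the set of BitTorrent ports is an assumption built from commonly cited client and tracker defaults, not an authoritative list.

```python
"""Exit-policy checker (added example; not part of Tor or this wiki page)."""
import re

# Constructed subset of the page's policy plus one deliberately bad line
# (6881-6889) so the overlap check has something to catch.
SAMPLE_POLICY = """
ExitPolicy accept *:20-21     # FTP
ExitPolicy accept *:22        # SSH
ExitPolicy accept *:80-81     # HTTP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6881-6889 # bad addition: classic BitTorrent client defaults
ExitPolicy reject *:*
"""

# Assumption: commonly cited BitTorrent client/tracker defaults, not authoritative.
BITTORRENT_DEFAULT_PORTS = set(range(6881, 6890)) | {6969, 51413}

TOTAL_TCP_PORTS = 65535  # the page's "1/65535 per port" risk model

# Handles the form used on this page: one rule per line, host wildcard '*'.
_LINE = re.compile(r"^ExitPolicy\s+(accept6?|reject6?)\s+(\S+?):(\S+)$")


def parse_policy(text):
    """Return [(action, host, low, high), ...] in file order; '#' comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable ExitPolicy line: %r" % raw)
        action, host, ports = m.groups()
        if ports == "*":
            low, high = 1, TOTAL_TCP_PORTS
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        if not 1 <= low <= high <= TOTAL_TCP_PORTS:
            raise ValueError("bad port spec: %r" % ports)
        rules.append((action.rstrip("6"), host, low, high))
    return rules


def is_allowed(rules, port):
    """Tor evaluates ExitPolicy top-down; the first matching rule wins."""
    for action, _host, low, high in rules:
        if low <= port <= high:
            return action == "accept"
    # No rule matched: Tor would fall through to its built-in default policy.
    # Assumed permissive here; a real policy should end with 'reject *:*'.
    return True


def accepted_ports(rules):
    """Set of destination ports the policy lets out."""
    return {p for p in range(1, TOTAL_TCP_PORTS + 1) if is_allowed(rules, p)}


def exposure(rules):
    """Fraction of the port space a randomly chosen BitTorrent peer could land on."""
    return len(accepted_ports(rules)) / TOTAL_TCP_PORTS


def bittorrent_overlap(rules, bt_ports=BITTORRENT_DEFAULT_PORTS):
    """Accepted ports that are also known BitTorrent defaults (should be empty)."""
    return sorted(accepted_ports(rules) & bt_ports)


def wide_ranges(rules, threshold=8):
    """Accept rules spanning more than `threshold` ports; each port adds risk."""
    return [(lo, hi) for action, _h, lo, hi in rules
            if action == "accept" and hi - lo + 1 > threshold]


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print("accepted ports:", len(accepted_ports(rules)))
    print("exposed fraction: %.5f" % exposure(rules))
    print("BitTorrent overlap:", bittorrent_overlap(rules))
    print("wide accept ranges:", wide_ranges(rules))
```

Run it against your real torrc before and after adding a port; a non-empty overlap list or a new wide range is the signal to reconsider the addition. The parser deliberately only understands the single-rule-per-line, wildcard-host form used on this page.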

Also, it would be great if someone could comment each line to list the services that it allows.

Here are two comprehensive port lists for checking new additions against P2P usage, labelling the unknown ports below, and finding new ports to add:

You may also want to reject services that you need to reach from the node itself and that block Tor exit nodes:

Here is the policy. (If you're running an IPv6 exit, a "*" host matches both IPv4 and IPv6 destinations, so this policy applies to both; use "*4:" or "*6:" in a rule to restrict it to one address family.)

ExitPolicy accept *:20-21     # FTP
ExitPolicy accept *:22        # SSH
ExitPolicy accept *:23        # Telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79        # finger
ExitPolicy accept *:80-81     # HTTP
ExitPolicy accept *:88        # kerberos
ExitPolicy accept *:110       # POP3
ExitPolicy accept *:143       # IMAP
ExitPolicy accept *:194       # IRC
ExitPolicy accept *:220       # IMAP3
ExitPolicy accept *:389       # LDAP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:464       # kpasswd
ExitPolicy accept *:465       # SMTPS, implicit-TLS mail SUBMISSION (IANA name: URD for SSM; see also 587)
ExitPolicy accept *:531       # IRC/AIM
ExitPolicy accept *:543-544   # Kerberos
ExitPolicy accept *:554       # RTSP
ExitPolicy accept *:563       # NNTP over SSL
ExitPolicy accept *:587       # SUBMISSION (authenticated clients [MUAs like Thunderbird] send mail over STARTTLS SMTP here)
ExitPolicy accept *:636       # LDAP over SSL
ExitPolicy accept *:706       # SILC
ExitPolicy accept *:749       # Kerberos administration (kerberos-adm)
ExitPolicy accept *:873       # rsync
ExitPolicy accept *:902-904   # VMware
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-990   # FTP over SSL
ExitPolicy accept *:991       # Netnews Administration System
ExitPolicy accept *:992       # TELNETS
ExitPolicy accept *:993       # IMAP over SSL
ExitPolicy accept *:994       # IRCS
ExitPolicy accept *:995       # POP3 over SSL
ExitPolicy accept *:1194      # OpenVPN
ExitPolicy accept *:1220      # QT Server Admin
ExitPolicy accept *:1293      # PKT-KRB-IPSec
ExitPolicy accept *:1500      # VLSI License Manager
ExitPolicy accept *:1533      # Sametime
ExitPolicy accept *:1677      # GroupWise
ExitPolicy accept *:1723      # PPTP
ExitPolicy accept *:1755      # RTSP
ExitPolicy accept *:1863      # MSNP
ExitPolicy accept *:2082      # Infowave Mobility Server
ExitPolicy accept *:2083      # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128      # SQUID
ExitPolicy accept *:3389      # MS WBT
ExitPolicy accept *:3690      # SVN
ExitPolicy accept *:4321      # RWHOIS
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC
ExitPolicy accept *:5190      # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228      # Android Market
ExitPolicy accept *:5900      # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679      # IRC SSL
ExitPolicy accept *:6697      # IRC SSL
ExitPolicy accept *:8000      # iRDMI
ExitPolicy accept *:8008      # HTTP alternate
ExitPolicy accept *:8074      # Gadu-Gadu
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443      # PCsync HTTPS
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418      # git
ExitPolicy accept *:9999      # distinct
ExitPolicy accept *:10000     # Network Data Management Protocol
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294     # Google Voice TCP
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy accept *:50002     # Electrum Bitcoin SSL
ExitPolicy accept *:64738     # Mumble
ExitPolicy reject *:*

Below is an alternative "Reduced-Reduced" ExitPolicy intended to keep the exit off Tor DNSBLs and to prevent some common abuse complaints about outgoing port scans and "attacks".

Rejected ports (optional, advisory): 22, 23, 194, 465, 563, 587, 994, 2082, 3128, 3389, 5900, 6660-6669, 6679, 6697, 8000, 8080 and 9999

Note that to stay off the Tor DNSBL, an exit node's ORPort and/or DirPort must not use the default ports 9001 or 9030. If your machine isn't running a web server, and you haven't set AccountingMax, please consider changing your ORPort to 443 and/or your DirPort to 80.
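The tor daemon normally runs as an unprivileged user and so cannot bind ports below 1024 on its own. The usual way to follow the advice above without extra privileges is to keep listening on the high ports and advertise the low ones, letting the firewall redirect 443 and 80 to them. This torrc fragment is an added example, not from this page or the Tor project; the NoListen and NoAdvertise flags are documented ORPort/DirPort options, and the port numbers are the defaults named above.

```conf
## Advertise 443/80 to the network, but actually listen on 9001/9030
## (added example; the listening port numbers are arbitrary choices)
ORPort 443 NoListen
ORPort 9001 NoAdvertise
DirPort 80 NoListen
DirPort 9030 NoAdvertise

## The Reduced-Reduced ExitPolicy lines from this page go here, and the
## policy must still end with:
ExitPolicy reject *:*
```

Pair this with a NAT redirect on the host, for example with iptables: "iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9001" and the same for 80 to 9030. Check the advertised ports in your relay's descriptor afterwards; if the redirect is missing, other relays will see the node as unreachable and it will never get the Exit flag.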

ExitPolicy accept *:20-21     # FTP - File Transfer Protocol (data / control)
#ExitPolicy accept *:22       # SSH - Secure Shell, secure logins, file transfer (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:23       # Telnet - protocol-unencrypted text communications (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:43        # WHOIS - who is query and response protocol
ExitPolicy accept *:53        # DNS - Domain Name System
ExitPolicy accept *:79        # finger - Name/Finger user information protocol
ExitPolicy accept *:80-81     # HTTP - Hypertext Transfer Protocol / web browsing
ExitPolicy accept *:88        # kerberos - computer network authentication protocol
ExitPolicy accept *:110       # POP3 - Post Office Protocol v3 (receive email only) 
ExitPolicy accept *:143       # IMAP - Internet Message Access Protocol, management of email messages (receive email only)
#ExitPolicy accept *:194      # IRC - Internet Relay Chat (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:220       # IMAP3 - Internet Message Access Protocol v3 (receive email only)
ExitPolicy accept *:389       # LDAP - Lightweight Directory Access Protocol
ExitPolicy accept *:443       # HTTPS - Hypertext Transfer Protocol over TLS/SSL / secure web browsing
ExitPolicy accept *:464       # kpasswd - Kerberos Change/Set password
#ExitPolicy accept *:465      # URD for SSM / email SUBMISSION (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:531       # IRC/AIM - AOL Instant Messenger
ExitPolicy accept *:543-544   # Kerberos - klogin, Kerberos login / kshell, Kerberos Remote shell
ExitPolicy accept *:554       # RTSP - Real Time Streaming Protocol
#ExitPolicy accept *:563      # NNTP over SSL - Network News Transfer Protocol - (https://www.torproject.org/docs/faq#DefaultExitPorts)
#ExitPolicy accept *:587      # SMTP - email SUBMISSION (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:636       # LDAP - Lightweight Directory Access Protocol over TLS/SSL
ExitPolicy accept *:706       # SILC - Secure Internet Live Conferencing
ExitPolicy accept *:749       # kerberos - protocol administration
ExitPolicy accept *:873       # rsync - file synchronization protocol
ExitPolicy accept *:902-904   # VMware - Virtual Infrastructure Client / Console / Server
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-990   # FTP over TLS/SSL - File Transfer Protocol (data / control)
ExitPolicy accept *:991       # Netnews Administration System
ExitPolicy accept *:992       # Telnet protocol over TLS/SSL
ExitPolicy accept *:993       # IMAP over SSL - Internet Message Access Protocol over TLS/SSL (receive email only)
#ExitPolicy accept *:994      # IRCS - Internet Relay Chat SSL (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:995       # POP3 over SSL - Post Office Protocol v3 (receive email only)
ExitPolicy accept *:1194      # OpenVPN - Virtual Private Network
ExitPolicy accept *:1220      # QT Server Admin - QuickTime Streaming Server administration
ExitPolicy accept *:1293      # PKT-KRB-IPSec - Internet Protocol Security
ExitPolicy accept *:1500      # VLSI License Manager - Firewall (NT4-based) Remote Management / Server
ExitPolicy accept *:1533      # Sametime - IBM Lotus Sametime instant messaging / Virtual Places Chat
ExitPolicy accept *:1677      # GroupWise - clients in client/server access mode
ExitPolicy accept *:1723      # PPTP - Point-to-Point Tunneling Protocol
ExitPolicy accept *:1755      # RTSP - Media Services (MMS, ms-streaming)
ExitPolicy accept *:1863      # MSNP - MS Notification Protocol, MS Messenger service / Instant Messaging clients
#ExitPolicy accept *:2082     # Infowave Mobility Server and CPanel default (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:2083      # Secure Radius Service (radsec) and CPanel default SSL
ExitPolicy accept *:2086-2087 # GNUnet, ELI - Web Host Manager default and Web Host Manager default SSL
ExitPolicy accept *:2095-2096 # NBX - CPanel default web mail and CPanel default SSL web mail
ExitPolicy accept *:2102-2104 # Zephyr - Project Athena Notification Service server / connection / host manager
#ExitPolicy accept *:3128     # SQUID - Web caches / client connection software - (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:3389     # MS WBT - Microsoft Terminal Server (RDP) - (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:3690      # SVN - Subversion version control system
ExitPolicy accept *:4321      # RWHOIS - Referral Who is Protocol
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC - Yahoo! Messenger
ExitPolicy accept *:5190      # ICQ and AOL Instant Messenger
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL - Extensible Messaging and Presence Protocol client connection
ExitPolicy accept *:5228      # Android Market - Google Play, Android Cloud, Google Cloud Messaging / HP Virtual Room Service
#ExitPolicy accept *:5900     # VNC - Virtual Network Computing (remote desktop) - (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:6660-6669 # IRC - Internet Relay Chat - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
#ExitPolicy accept *:6679     # IRC SSL - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
#ExitPolicy accept *:6697     # IRC SSL - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
#ExitPolicy accept *:8000     # iRDMI - often used instead of port 8080 - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:8008      # HTTP alternate / Server administration default
ExitPolicy accept *:8074      # Gadu-Gadu - instant messaging client
#ExitPolicy accept *:8080     # HTTP Proxies - Web proxy and caching server - (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP - Control Panel
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443      # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE - HyperVM, Freenet, MAMP Server
ExitPolicy accept *:9418      # git - Git pack transfer service
#ExitPolicy accept *:9999     # distinct - Telnet control - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:10000     # Network Data Management Protocol - Webmin, Web-based Unix/Linux system administration tool
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294     # Google Voice TCP - Voice and Video connections
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy accept *:50002     # Electrum Bitcoin SSL
ExitPolicy accept *:64738     # Mumble - voice over IP
ExitPolicy reject *:*

In a test, a new Tor exit node running the main (original) ReducedExitPolicy was listed in a Tor DNSBL within 24 hours of obtaining the Exit flag.

A comparable exit node running the Reduced-Reduced ExitPolicy above has so far remained unlisted in the same DNSBL.

Last modified on Apr 21, 2016 11:03:38 AM