Changes between Version 39 and Version 40 of doc/ReducedExitPolicy

Timestamp:
Jun 16, 2018, 10:42:25 AM (3 months ago)
Author:
TrueNorth
Comment:

Added IoT Reduced-Exit Policy Example

  • doc/ReducedExitPolicy

    v39 v40  
    108108It should be noted that to avoid Tor DNSBL an exit nodes ORPort and/or DirPort must not use the 'default' ports 9001 or 9030. ''If your computer isn't running a webserver, and you haven't set AccountingMax, please consider changing your ORPort to 443 and/or your DirPort to 80.''
    109109
    110 Tor DNSBL = ''Every IP which is known to run a tor server and allow their clients to connect to one of the following ports get listed: 25, 194, 465, 587, 994, 6657, 6660-6670, 6697, 7000-7005, 7070, 8000-8004, 9000, 9001, 9998, 9999'' (source) - mxtoolbox.com/problem/blacklist/sectoor
     110Tor DNSBL = ''Every IP which is known to run a tor server and allow their clients to connect to one of the following ports get listed: 25, 194, 465, 587, 994, 6657, 6660-6670, 6697, 7000-7005, 7070, 8000-8004, 9000, 9001, 9998, 9999'' . (source) - mxtoolbox.com/problem/blacklist/sectoor
    111111
    112112{{{
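Review bot: stray space before the new full stop on line 110, which now reads `'' . (source)`; put the period directly after the closing `''` (`''. (source)`) or leave it out, and since the sentence is the basis for every "REJECT to AVOID Tor DNSBL" line below, the bare `mxtoolbox.com/problem/blacklist/sectoor` reference would be more useful as a proper link so readers can check the current port list against it.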
     
    240240}}}
    241241
     242''Alpha'' test - IoT (Internet of Things) Port Recommendations / Additions
     243
     244{{{
     245ExitPolicy accept *:81          # HTTP Alt
     246ExitPolicy accept *:83          # MIT ML Device
     247ExitPolicy accept *:85          # MIT ML Device
     248ExitPolicy accept *:86          # BroadCam Video Streaming Server
     249ExitPolicy accept *:90          # dnsix Securit Attribute Token Map / Pointcast
     250ExitPolicy accept *:1043        # BOINC Client Control
     251ExitPolicy accept *:1103        # Adobe Server 2
     252ExitPolicy accept *:1113        # Licklider Transmission Protocol (IANA official) [RFC 5326]
     253ExitPolicy accept *:1883        # Message Queuing Telemetry (IANA official)
     254ExitPolicy accept *:4070        # Trivial IP Encryption (TrIPE)
     255ExitPolicy accept *:5004        # RTP media data [RFC 3551, RFC 4571]
     256ExitPolicy accept *:5287        # IP Camera viewer apps
     257ExitPolicy accept *:5675        # V5UA application port (IANA official) [RFC 3807]
     258ExitPolicy accept *:6880        # Dwyco Video Conferencing
     259ExitPolicy accept *:8502        # FTN Message Transfer Protocol (IANA official)
     260ExitPolicy accept *:8601        # Wavestore CCTV protocol
     261ExitPolicy accept *:8602        # XBConnect, Wavestore Notification protocol
     262}}}
     263
     264An EXAMPLE IoT Reduced-Exit Policy - Note : High-Bandwidth use with heavy-streaming / big-data services.
     265
     266{{{
     267ExitPolicy accept *:20-21       # FTP
     268#ExitPolicy accept *:22         # SSH (potential ABUSE - common port scan attacks map.norsecorp.com)
     269#ExitPolicy accept *:23         # Telnet (potential ABUSE - common port scan attacks map.norsecorp.com)
     270ExitPolicy accept *:43          # WHOIS
     271ExitPolicy accept *:53          # DNS
     272ExitPolicy accept *:79          # finger
     273ExitPolicy accept *:80-81       # HTTP, HTTP alt.
     274ExitPolicy accept *:83          # MIT ML Device
     275ExitPolicy accept *:85          # MIT ML Device
     276ExitPolicy accept *:86          # BroadCam Video Streaming Server
     277ExitPolicy accept *:88          # kerberos
     278ExitPolicy accept *:90          # dnsix Securit Attribute Token Map / Pointcast
     279ExitPolicy accept *:110         # POP3
     280ExitPolicy accept *:143         # IMAP
     281#ExitPolicy accept *:194        # IRC (REJECT to AVOID Tor DNSBL)
     282ExitPolicy accept *:220         # IMAP3
     283ExitPolicy accept *:389         # LDAP
     284ExitPolicy accept *:443         # HTTPS
     285ExitPolicy accept *:464         # kpasswd
     286#ExitPolicy accept *:465        # URD for SSM (REJECT to AVOID Tor DNSBL)
     287ExitPolicy accept *:531         # IRC/AIM
     288ExitPolicy accept *:543-544     # Kerberos
     289ExitPolicy accept *:554         # RTSP
     290#ExitPolicy accept *:563        # NNTP over SSL (AVOID - https://www.torproject.org/docs/faq#DefaultExitPorts)
     291#ExitPolicy accept *:587        # SMTP (REJECT to AVOID Tor DNSBL)
     292ExitPolicy accept *:636         # LDAP
     293ExitPolicy accept *:706         # SILC
     294ExitPolicy accept *:749         # kerberos
     295ExitPolicy accept *:873         # rsync
     296ExitPolicy accept *:902-904     # VMware
     297ExitPolicy accept *:981         # Remote HTTPS management for firewall
     298ExitPolicy accept *:989-990     # FTP over TLS/SSL
     299ExitPolicy accept *:991         # Netnews Administration System
     300ExitPolicy accept *:992         # Telnet protocol over TLS/SSL
     301ExitPolicy accept *:993         # IMAP over SSL (N.B. potential abuse - brute-force attacks - tornull.org)
     302#ExitPolicy accept *:994        # IRCS (REJECT to AVOID Tor DNSBL)
     303ExitPolicy accept *:995         # POP3 over SSL
     304ExitPolicy accept *:1043        # BOINC Client Control
     305ExitPolicy accept *:1103        # Adobe Server 2
     306ExitPolicy accept *:1113        # Licklider Transmission Protocol (IANA official) [RFC 5326]
     307ExitPolicy accept *:1194        # OpenVPN
     308ExitPolicy accept *:1220        # QT Server Admin
     309ExitPolicy accept *:1293        # PKT-KRB-IPSec
     310ExitPolicy accept *:1500        # VLSI License Manager
     311ExitPolicy accept *:1533        # Sametime
     312ExitPolicy accept *:1677        # GroupWise
     313ExitPolicy accept *:1723        # PPTP
     314ExitPolicy accept *:1755        # RTSP
     315ExitPolicy accept *:1863        # MSNP
     316ExitPolicy accept *:1883        # Message Queuing Telemetry (IANA official)
     317ExitPolicy accept *:2082        # Infowave Mobility Server and CPanel default
     318ExitPolicy accept *:2083        # Secure Radius Service (radsec) and CPanel default SSL
     319ExitPolicy accept *:2086-2087   # GNUnet, ELI
     320ExitPolicy accept *:2095-2096   # NBX
     321ExitPolicy accept *:2102-2104   # Zephyr
     322#ExitPolicy accept *:3128       # SQUID (potential ABUSE - common port scan attacks map.norsecorp.com)
     323#ExitPolicy accept *:3389       # MS WBT (potential ABUSE - common port scan attacks map.norsecorp.com)
     324ExitPolicy accept *:3690        # SVN
     325ExitPolicy accept *:4321        # RWHOIS
     326ExitPolicy accept *:4643        # Virtuozzo
     327ExitPolicy accept *:4070        # Trivial IP Encryption (TrIPE)
     328ExitPolicy accept *:5004        # RTP media data [RFC 3551, RFC 4571]
     329ExitPolicy accept *:5050        # MMCC
     330ExitPolicy accept *:5190        # ICQ and AOL Instant Messenger
     331ExitPolicy accept *:5222-5223   # XMPP, XMPP over SSL
     332ExitPolicy accept *:5228        # Android Market
     333ExitPolicy accept *:5287        # IP Camera viewer apps
     334ExitPolicy accept *:5675        # V5UA application port (IANA official) [RFC 3807]
     335#ExitPolicy accept *:5900       # VNC (potential ABUSE - common port scan attacks map.norsecorp.com)
     336#ExitPolicy accept *:6660-6669  # IRC (REJECT to AVOID Tor DNSBL)
     337#ExitPolicy accept *:6679       # IRC SSL (REJECT to AVOID Tor DNSBL)
     338#ExitPolicy accept *:6697       # IRC SSL (REJECT to AVOID Tor DNSBL)
     339ExitPolicy accept *:6880        # Dwyco Video Conferencing
     340#ExitPolicy accept *:8000       # iRDMI (REJECT to AVOID Tor DNSBL)
     341ExitPolicy accept *:8008        # HTTP alternate
     342ExitPolicy accept *:8074        # Gadu-Gadu
     343#ExitPolicy accept *:8080       # HTTP Proxies (potential ABUSE - common port scan attacks map.norsecorp.com)
     344ExitPolicy accept *:8082        # HTTPS Electrum Bitcoin port
     345ExitPolicy accept *:8087-8088   # Simplify Media SPP Protocol, Radan HTTP - Control Panel
     346ExitPolicy accept *:8232-8233   # Zcash
     347ExitPolicy accept *:8332-8333   # Bitcoin
     348ExitPolicy accept *:8443        # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
     349ExitPolicy accept *:8502        # FTN Message Transfer Protocol (IANA official)
     350ExitPolicy accept *:8601        # Wavestore CCTV protocol
     351ExitPolicy accept *:8602        # XBConnect, Wavestore Notification protocol
     352ExitPolicy accept *:8888        # HTTP Proxies, NewsEDGE, HUSH coin
     353ExitPolicy accept *:9418        # git - Git pack transfer service
     354#ExitPolicy accept *:9999       # distinct (REJECT to AVOID Tor DNSBL)
     355##ExitPolicy accept *:10000     # Network Data Management Protocol (N.B. potential abuse - RDP - tornull.org)
     356ExitPolicy accept *:11371       # OpenPGP hkp
     357ExitPolicy accept *:19294       # Google Voice
     358ExitPolicy accept *:19638       # Ensim control panel
     359ExitPolicy accept *:50002       # Electrum Bitcoin SSL
     360ExitPolicy accept *:64738       # Mumble - voice over IP
     361ExitPolicy reject *:*
     362}}}
     363
    242364----
    243365
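Review bot: the new "Alpha test" block (lines 242-262) gives no criteria for what was tested or why each IoT port was chosen, so a reader cannot tell how mature the recommendation is; a sentence stating that these ports were checked against the DNSBL list on line 110 would help (by inspection none of 81, 83, 85, 86, 90, 1043, 1103, 1113, 1883, 4070, 5004, 5287, 5675, 6880, 8502, 8601 and 8602 collide with it). Two comments in the example policy are inconsistent with the rest of the page: line 337 rejects 6679 "to AVOID Tor DNSBL" although the list on line 110 covers 6657, 6660-6670 and 6697, not 6679, and line 355 labels 10000 as "Network Data Management Protocol" while giving "RDP" as the abuse reason, even though RDP (MS WBT) is already handled at 3389 on line 323. Minor: lines 326-327 list 4643 before 4070, breaking the ascending order used everywhere else.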