At nos-oignons we're running a couple of high-speed tor exit nodes, and since it's 2020, most of them have IPv6 addresses. A particular node, elenagb, named after the Italian feminist writer and teacher Elena Gianini Belotti, hosted by Aquilenet, was doing something odd: the consensus thought that its exit policy was reject *:*, while we wanted it to be an exit node.
The only major difference from our other servers is that, because of some issues with IPv4 attribution, we had agreed with our hoster that only IPv6 traffic would exit from the tor network on this node. There was likely a configuration issue somehow, somewhere.
The torrc files looked like this, assuming that everything else (ORPort, address, …) was correct; can you spot the mistake?
# No exit in ipv4
ExitPolicy reject *:*
# Reduced exit policy in IPv6
ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
…
ExitPolicy accept6 *:64738 # Mumble
ExitPolicy reject6 *:*
The trick, as outlined in ticket 16069, is that reject *:* will reject both IPv6 and IPv4, for legacy reasons. On this topic, the torrc documentation states the following:
accept6 and reject6 only produce IPv6 exit policy entries. Using an IPv4 address with accept6 or reject6 is ignored and generates a warning. accept/reject allows either IPv4 or IPv6 addresses. Use *4 as an IPv4 wildcard address, and *6 as an IPv6 wildcard address. accept/reject * expands to matching IPv4 and IPv6 wildcard address rules.
So the correct configuration looks like this:
# No exit in ipv4
ExitPolicy reject *4:*
# Reduced exit policy in IPv6
ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
ExitPolicy accept6 *:43 # WHOIS
…
ExitPolicy accept6 *:64738 # Mumble
ExitPolicy reject6 *:*
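To see the two expansions side by side, here is an added Python model (written for this post, not code from nos-oignons or from tor itself) of how tor turns ExitPolicy lines into per-address-family rules and matches a destination against them, first match wins. It only handles the wildcard and plain address/port forms used above; netmasks, port lists and tor's default private-address rejections are left out.

```python
import ipaddress

# Wildcard networks standing in for "*4" and "*6" (and for a bare "*", which
# becomes BOTH of them under accept/reject).
ANY = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}

def parse_ports(ports):
    """'*' -> all ports, '20-23' -> (20, 23), '43' -> (43, 43)."""
    if ports == "*":
        return 1, 65535
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo)

def expand(torrc_lines):
    """Expand ExitPolicy lines, in order, into (network, action, lo, hi) rules."""
    rules = []
    for line in torrc_lines:
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        _, verb, spec = line.split(None, 2)           # ExitPolicy <verb> <addr:ports>
        addr, ports = spec.rsplit(":", 1)
        addr = addr.replace("[", "").replace("]", "")  # tor brackets IPv6 literals
        lo, hi = parse_ports(ports)
        action = verb.rstrip("6")                     # accept6 -> accept, reject6 -> reject
        if addr == "*":
            # The trap: a bare * under accept/reject expands to IPv4 AND IPv6 rules;
            # under accept6/reject6 it is IPv6 only.
            nets = [ANY[6]] if verb.endswith("6") else [ANY[4], ANY[6]]
        elif addr in ("*4", "*6"):
            nets = [ANY[int(addr[1])]]
        else:
            nets = [ipaddress.ip_network(addr, strict=False)]
        for net in nets:
            if verb.endswith("6") and net.version != 6:
                continue  # tor warns and ignores an IPv4 address on accept6/reject6
            rules.append((net, action, lo, hi))
    return rules

def allows(rules, dest, port):
    """First matching rule decides; no match is treated as reject (assumption)."""
    ip = ipaddress.ip_address(dest)
    for net, action, lo, hi in rules:
        if ip.version == net.version and ip in net and lo <= port <= hi:
            return action == "accept"
    return False

# Constructed, shortened versions of the two torrc fragments from the post.
BROKEN = ["ExitPolicy reject *:*", "ExitPolicy accept6 *:20-23", "ExitPolicy reject6 *:*"]
FIXED = ["ExitPolicy reject *4:*", "ExitPolicy accept6 *:20-23", "ExitPolicy reject6 *:*"]
```

With BROKEN, the very first line already yields an IPv6 reject-all rule, so the accept6 lines after it never match; with FIXED, IPv6 SSH is accepted and IPv4 stays rejected.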
An embarrassingly large portion of the evening was wasted, and of course, as soon as the mystery was solved, our beloved hoster told us that they had solved the attribution issue, and that we were free to use IPv4 as well for the exit traffic.