mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
Update private ExitPolicy in man page and torrcs for 10727, formatting
Update the definition of the private exit policy in the man page and torrcs. It didn't get merged correctly into the man page, and it was incomplete in the torrcs. (Unfortunately, we only reject the primary configured IPv4 and IPv6 addresses, not all configured IPv4 and IPv6 addresses.) Also fixup man page formatting errors from changes in tickets 16069 and 17027, mainly unescaped *s.
This commit is contained in:
parent
7268525142
commit
b584152874
@ -1542,15 +1542,15 @@ is non-zero):
|
|||||||
reject any IPv4 traffic destined for MIT except for web.mit.edu, and accept
|
reject any IPv4 traffic destined for MIT except for web.mit.edu, and accept
|
||||||
any other IPv4 or IPv6 traffic. +
|
any other IPv4 or IPv6 traffic. +
|
||||||
+
|
+
|
||||||
Tor also allows IPv6 exit policy entries. For instance, "reject6 [FC00::]/7:*"
|
Tor also allows IPv6 exit policy entries. For instance, "reject6 [FC00::]/7:\*"
|
||||||
rejects all destinations that share 7 most significant bit prefix with
|
rejects all destinations that share 7 most significant bit prefix with
|
||||||
address FC00::. Respectively, "accept6 [C000::]/3:*" accepts all destinations
|
address FC00::. Respectively, "accept6 [C000::]/3:\*" accepts all destinations
|
||||||
that share 3 most significant bit prefix with address C000::. +
|
that share 3 most significant bit prefix with address C000::. +
|
||||||
+
|
+
|
||||||
accept6 and reject6 only produce IPv6 exit policy entries. Using an IPv4
|
accept6 and reject6 only produce IPv6 exit policy entries. Using an IPv4
|
||||||
address with accept6 or reject6 is ignored and generates a warning.
|
address with accept6 or reject6 is ignored and generates a warning.
|
||||||
accept/reject allows either IPv4 or IPv6 addresses. Use *4 as an IPv4
|
accept/reject allows either IPv4 or IPv6 addresses. Use \*4 as an IPv4
|
||||||
wildcard address, and *6 as an IPv6 wildcard address. accept/reject *
|
wildcard address, and \*6 as an IPv6 wildcard address. accept/reject *
|
||||||
expands to matching IPv4 and IPv6 wildcard address rules. +
|
expands to matching IPv4 and IPv6 wildcard address rules. +
|
||||||
+
|
+
|
||||||
To specify all IPv4 and IPv6 internal and link-local networks (including
|
To specify all IPv4 and IPv6 internal and link-local networks (including
|
||||||
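Review bot: The escaping is incomplete on the line `wildcard address, and \*6 as an IPv6 wildcard address. accept/reject *`: the final `*` is still bare while `\*4` and `\*6` in the same sentence are now escaped. Escape it too (`accept/reject \*`), as is done for the same phrase later in the file, so the sentence does not depend on how the asciidoc renderer pairs a lone asterisk.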
@ -1558,9 +1558,12 @@ is non-zero):
|
|||||||
172.16.0.0/12, [::]/8, [FC00::]/7, [FE80::]/10, [FEC0::]/10, [FF00::]/8,
|
172.16.0.0/12, [::]/8, [FC00::]/7, [FE80::]/10, [FEC0::]/10, [FF00::]/8,
|
||||||
and [::]/127), you can use the "private" alias instead of an address.
|
and [::]/127), you can use the "private" alias instead of an address.
|
||||||
("private" always produces rules for IPv4 and IPv6 addresses, even when
|
("private" always produces rules for IPv4 and IPv6 addresses, even when
|
||||||
used with accept6/reject6.)
|
used with accept6/reject6.) +
|
||||||
These addresses are rejected by default (at the beginning of your exit
|
+
|
||||||
policy), along with your public IP address, unless you set the
|
Private addresses are rejected by default (at the beginning of your exit
|
||||||
|
policy), along with the configured primary public IPv4 and IPv6 addresses,
|
||||||
|
and any public IPv4 and IPv6 addresses on any interface on the relay.
|
||||||
|
These private addresses are rejected unless you set the
|
||||||
ExitPolicyRejectPrivate config option to 0. For example, once you've done
|
ExitPolicyRejectPrivate config option to 0. For example, once you've done
|
||||||
that, you could allow HTTP to 127.0.0.1 and block all other connections to
|
that, you could allow HTTP to 127.0.0.1 and block all other connections to
|
||||||
internal networks with "accept 127.0.0.1:80,reject private:\*", though that
|
internal networks with "accept 127.0.0.1:80,reject private:\*", though that
|
||||||
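Review bot: The new sentence `These private addresses are rejected unless you set the` ExitPolicyRejectPrivate option to 0 only covers the private ranges, while the sentence before it says the configured primary public addresses and the interface addresses are rejected along with them. State explicitly whether setting ExitPolicyRejectPrivate to 0 also stops rejecting those public addresses, since an operator who turns the option off needs to know whether the relay's own addresses become reachable through the exit. The commit message's caveat that only the primary configured addresses are rejected, not all configured ones, would also be worth a sentence here.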
@ -1573,9 +1576,9 @@ is non-zero):
|
|||||||
+
|
+
|
||||||
Policies are considered first to last, and the first match wins. If you
|
Policies are considered first to last, and the first match wins. If you
|
||||||
want to allow the same ports on IPv4 and IPv6, write your rules using
|
want to allow the same ports on IPv4 and IPv6, write your rules using
|
||||||
accept/reject *. If you want to allow different ports on IPv4 and IPv6,
|
accept/reject \*. If you want to allow different ports on IPv4 and IPv6,
|
||||||
write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules using
|
write your IPv6 rules using accept6/reject6 \*6, and your IPv4 rules using
|
||||||
accept/reject *4. If you want to \_replace_ the default exit policy, end
|
accept/reject \*4. If you want to \_replace_ the default exit policy, end
|
||||||
your exit policy with either a reject \*:* or an accept \*:*. Otherwise,
|
your exit policy with either a reject \*:* or an accept \*:*. Otherwise,
|
||||||
you're \_augmenting_ (prepending to) the default exit policy. The default
|
you're \_augmenting_ (prepending to) the default exit policy. The default
|
||||||
exit policy is: +
|
exit policy is: +
|
||||||
|
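Review bot: In the unchanged line `your exit policy with either a reject \*:* or an accept \*:*. Otherwise,` the port wildcard is left bare while this hunk escapes every other asterisk around it, and the earlier example in this file writes `private:\*`. Either escape the second asterisk as well or confirm in the rendered man page that `\*:*` comes out as intended, so the formatting fix is complete for this paragraph.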
@ -178,7 +178,7 @@
|
|||||||
## users will be told that those destinations are down.
|
## users will be told that those destinations are down.
|
||||||
##
|
##
|
||||||
## For security, by default Tor rejects connections to private (local)
|
## For security, by default Tor rejects connections to private (local)
|
||||||
## networks, including to the configured public IPv4 and IPv6 addresses,
|
## networks, including to the configured primary public IPv4 and IPv6 addresses,
|
||||||
## and any public IPv4 and IPv6 addresses on any interface on the relay.
|
## and any public IPv4 and IPv6 addresses on any interface on the relay.
|
||||||
## See the man page entry for ExitPolicyRejectPrivate if you want to allow
|
## See the man page entry for ExitPolicyRejectPrivate if you want to allow
|
||||||
## "exit enclaving".
|
## "exit enclaving".
|
||||||
|
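Review bot: Adding only the word "primary" in `configured primary public IPv4 and IPv6 addresses` understates the limitation the commit message describes, namely that other configured addresses are not rejected. Consider a short follow-on comment line telling operators with more than one configured address that only the primary one is covered by default.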
@ -178,7 +178,7 @@
|
|||||||
## users will be told that those destinations are down.
|
## users will be told that those destinations are down.
|
||||||
##
|
##
|
||||||
## For security, by default Tor rejects connections to private (local)
|
## For security, by default Tor rejects connections to private (local)
|
||||||
## networks, including to the configured public IPv4 and IPv6 addresses,
|
## networks, including to the configured primary public IPv4 and IPv6 addresses,
|
||||||
## and any public IPv4 and IPv6 addresses on any interface on the relay.
|
## and any public IPv4 and IPv6 addresses on any interface on the relay.
|
||||||
## See the man page entry for ExitPolicyRejectPrivate if you want to allow
|
## See the man page entry for ExitPolicyRejectPrivate if you want to allow
|
||||||
## "exit enclaving".
|
## "exit enclaving".
|
||||||
|
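Review bot: The comment line `## networks, including to the configured primary public IPv4 and IPv6 addresses,` classes the relay's public addresses as part of the private (local) networks. Reword to something like "as well as to the configured primary public IPv4 and IPv6 addresses" so it matches the man page text, which says these are rejected "along with" the private ranges. This hunk is identical to the previous torrc hunk, so both sample files should get the same wording.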