[Tor-BSD] The offer of diversity as it could really be delivered by all of us.

Vinícius Zavam egypcio at googlemail.com
Wed Nov 18 10:50:17 EST 2015


2015-11-18 12:20 GMT-03:00, Tim Wilson-Brown - teor <teor2345 at gmail.com>:
>
>> On 19 Nov 2015, at 01:58, George Rosamond <george at ceetonetechnology.com>
>> wrote:
>>
>> Vinícius Zavam:
>>> During this time getting closer and closer to the Tor and TDP
>>
>> FYI, TDP is a project separate from this list, although TDP is here :)
>>
>>> communities, I noticed that one tiny detail is being forgotten by many
>>> people involved in these projects/families:
>>>
>>> " Many Tor users are stuck behind firewalls that only let them browse
>>> the web, and this change will let them reach your Tor relay. If you
>>> are already using ports 80 and 443, other useful ports are 22, 110,
>>> and 143. "
>>>
>>> Source: https://www.torproject.org/docs/tor-relay-debian#after
>>>
>>> Let's keep up a better diversity of open/reachable ports!
>>> "/etc/services" is our friend; take time to see how you can help, by
>>> changing one or two ports in your relay(s) config ;3
>>
>> Right, and I never considered this before you raised this a few weeks
>> ago.  I've always kept standard on tcp/9001 and tcp/9030 for the
>> directory port.
>>
>> There must be lots of obvious cases in which only 80 and 443 are allowed
>> as egress traffic.
>>
>> Are there other considerations on this?
>
> Hosting providers often assume that "well-known" ports are used for certain
> kinds of traffic, and then block or modify that traffic.
>
> For example, the provider for one of the directory authorities installed a
> "transparent" caching proxy in front of its directory port 80.
> (It appears they were trying to help with the load.)
> But the caching proxy was adding extra HTTP headers, caching headers that
> should never be cached, and occasionally corrupting the headers. There was
> also some weird interaction between the proxy and the redirect from the
> authority's old IP address.
>
> While we're working on a fix to this issue with directory caching, I'm sure
> providers do other, less obvious things with traffic on well-known ports.
>
> Tim

We have more than 65530 ports. Just choose one or two.

Suggestions (only port numbers)?

21 (FTP), 43 & 63 (Whois), 110 (POP3), 123 (NTP), 143 (IMAP), 587
(Submission), 873 (RSync), 1194 (OpenVPN), 1723 (PPTP), 3690 (SVN),
5222 (XMPP), 5269 (XMPP), 9418 (Git), ... 995 (POP3+SSL), 993
(IMAP+SSL), ... 5060 / 5061 (SIP), ...

Even ports like 20 (FTP-data) could be used; there are lots of
misconfigured rules on "strict firewalls" allowing people to reach
that.


-- 
Vinícius Zavam
keybase.io/egypcio/key.asc
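As an added illustration (not part of this thread or of Tor's own tooling), the following script reads a torrc, works out which ORPort/DirPort values a relay actually advertises versus listens on (honouring Tor's real NoAdvertise/NoListen flags), and reports whether those ports fall within the "firewall-friendly" set quoted above or the numbers suggested in this post, flagging DirPort 80 because of the transparent-cache problem teor described. The sample torrc is constructed for the demonstration.

```python
from collections import namedtuple

# Ports the quoted tor-relay-debian docs name as likely to pass restrictive
# egress firewalls, plus the additional port numbers suggested in this post.
DOC_PORTS = {80, 443, 22, 110, 143}
POST_PORTS = {21, 43, 63, 110, 123, 143, 587, 873, 1194, 1723, 3690,
              5222, 5269, 9418, 995, 993, 5060, 5061, 20}

PortSpec = namedtuple("PortSpec", "kind port advertise listen")

# Constructed sample: listen on 9001 as an unprivileged user, advertise 443
# (reached via a local port redirect), and serve the directory on 80.
SAMPLE_TORRC = """\
ORPort 9001 NoAdvertise
ORPort 443 NoListen   # clients connect here
DirPort 80
ORPort auto           # skipped by the parser
"""


def parse_ports(torrc_text):
    """Return ORPort/DirPort lines as PortSpec tuples.

    Accepts "PORT", "ADDR:PORT" and "[IPv6]:PORT" forms; "auto" is skipped.
    """
    specs = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("ORPort", "DirPort"):
            continue
        port_str = parts[1].rsplit(":", 1)[-1]
        if not port_str.isdigit():          # "auto" or malformed
            continue
        flags = {f.lower() for f in parts[2:]}
        specs.append(PortSpec(parts[0], int(port_str),
                              "noadvertise" not in flags,
                              "nolisten" not in flags))
    return specs


def assess(torrc_text):
    """Summarise advertised/listening ports and note the thread's caveats."""
    specs = parse_ports(torrc_text)
    advertised = {(s.kind, s.port) for s in specs if s.advertise}
    listening = {(s.kind, s.port) for s in specs if s.listen}
    notes = []
    for kind, port in sorted(advertised):
        if port in DOC_PORTS or port in POST_PORTS:
            notes.append(f"{kind} {port}: on the firewall-friendly list")
        else:
            notes.append(f"{kind} {port}: not a well-known port; clients behind "
                         "strict egress filters may not reach it")
        if kind == "DirPort" and port == 80:
            notes.append("DirPort 80: a provider may put a transparent HTTP "
                         "cache in front of it, as reported in this thread")
    return {"advertised": advertised, "listening": listening, "notes": notes}
```

Run `assess(open("/etc/tor/torrc").read())` against a real relay config to see the same summary for your own advertised ports.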


