From fc6316f04f759dcd3bb45789ca1e2e31670126f4 Mon Sep 17 00:00:00 2001 From: SlackCoder Date: Sat, 22 Jan 2022 13:17:03 -0500 Subject: Add tor --- tor/README | 38 +++++++++ tor/README.SLACKWARE | 22 ++++++ tor/doinst.sh | 28 +++++++ tor/logrotate.tor | 15 ++++ tor/rc.tor | 125 +++++++++++++++++++++++++++++ tor/slack-desc | 19 +++++ tor/tor.SlackBuild | 152 ++++++++++++++++++++++++++++++++++++ tor/tor.info | 10 +++ tor/torrc | 217 +++++++++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 626 insertions(+) create mode 100644 tor/README create mode 100644 tor/README.SLACKWARE create mode 100644 tor/doinst.sh create mode 100644 tor/logrotate.tor create mode 100644 tor/rc.tor create mode 100644 tor/slack-desc create mode 100644 tor/tor.SlackBuild create mode 100644 tor/tor.info create mode 100644 tor/torrc diff --git a/tor/README b/tor/README new file mode 100644 index 0000000..69be208 --- /dev/null +++ b/tor/README @@ -0,0 +1,38 @@ +Tor is a toolset for a wide range of organizations and people that want +to improve their safety and security on the Internet. Using Tor can help +you anonymize web browsing and publishing, instant messaging, IRC, +SSH, and other applications that use the TCP protocol. Tor also +provides a platform on which software developers can build new +applications with built-in anonymity, safety, and privacy features. + +This script requires a 'tor' user/group to exist before running. +The recommended UID/GID is 220. You can create these like so: + groupadd -g 220 tor + useradd -u 220 -g 220 -c "The Onion Router" -d /dev/null \ + -s /bin/false tor + +You can pass another user/group to the script; this is however, less +safe: + TOR_USER=nobody TOR_GROUP=nogroup sh tor.SlackBuild + +The following can be used to start/stop tor automatically: +In file /etc/rc.d/rc.local, add following + if [ -x /etc/rc.d/rc.tor ]; then + /etc/rc.d/rc.tor start + fi + +In /etc/rc.d/rc.local_shutdown, add following + if [ -x /etc/rc.d/rc.tor ]; then + /etc/rc.d/rc.tor stop + fi + +torsocks is an optional dependency. See README.SLACKWARE for more +information. + +optional dependencies: +- nacl may provide faster performance on 32-bit systems. + +Take a look at README.SLACKWARE for important notes and read also very +carefully the essential hints that tor developers give you + +https://www.torproject.org/download/download-easy.html.en#warning diff --git a/tor/README.SLACKWARE b/tor/README.SLACKWARE new file mode 100644 index 0000000..70b0f82 --- /dev/null +++ b/tor/README.SLACKWARE @@ -0,0 +1,22 @@ +The tor-tsocks.conf is no longer distributed or installed. +The tor project recommends that tsocks users use torsocks instead. +As of tor-0.2.1.30-2 and later, rc.tor init script has been updated to get rid +of hardcoded values present inside torctl command script. To successfully use +the newer script be sure to check changes to both /etc/rc.d/rc.tor.new and +/etc/tor/torrc.new as some configurations values are now required and no +longer passed on the command line. The original TorProject.org torrc +configuration is always available as /etc/tor/torrc.sample. + +Since Tor 0.3.4.1-alpha the directory authority subsystem has been +modularized and can be disabled by passing --disable-module-dirauth to the +./configure script. This means that Tor compiled that way cannot run as a +directory authority or bridge authority. + +Starting from Tor 0.4.2.5 this is the default for the tor.SlackBuild. + +Also, since Tor 0.4.2.5 contrib/dist/torctl has been removed by upstream. +Have a look at https://bugs.torproject.org/30550 + +In case your relay does not start after the upgrade to Tor 0.4.5.6+ +make sure your system is IPv6 ready. Have a look at +https://lists.torproject.org/pipermail/tor-relays/2021-February/019299.html diff --git a/tor/doinst.sh b/tor/doinst.sh new file mode 100644 index 0000000..06cbc45 --- /dev/null +++ b/tor/doinst.sh @@ -0,0 +1,28 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then + # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +preserve_perms() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + if [ -e $OLD ]; then + cp -a $OLD ${NEW}.incoming + cat $NEW > ${NEW}.incoming + mv ${NEW}.incoming $NEW + fi + config $NEW +} + +preserve_perms etc/rc.d/rc.tor.new +config etc/tor/torrc.new +config etc/logrotate.d/tor.new + diff --git a/tor/logrotate.tor b/tor/logrotate.tor new file mode 100644 index 0000000..0b8f128 --- /dev/null +++ b/tor/logrotate.tor @@ -0,0 +1,15 @@ +/var/log/tor/*log { + su @USER@ @GROUP@ + daily + rotate 5 + compress + delaycompress + missingok + notifempty + create 0644 tor tor + sharedscripts + postrotate + /etc/rc.d/rc.tor reload > /dev/null + endscript +} + diff --git a/tor/rc.tor b/tor/rc.tor new file mode 100644 index 0000000..53ab0ed --- /dev/null +++ b/tor/rc.tor @@ -0,0 +1,125 @@ +#!/bin/sh +# +# tor - The Onion Router +# +# Startup/shutdown script for Tor. +# +# Written by Marco Bonetti , heavily based on +# contrib/tor.sh, contrib/torctl and Debian init script. + +# Check available file descriptors +if [ -r /proc/sys/fs/file-max ]; then + SYSTEM_MAX=`cat /proc/sys/fs/file-max` + if [ "$SYSTEM_MAX" -gt "80000" ]; then + MAX_FILEDESCRIPTORS=32768 + elif [ "$SYSTEM_MAX" -gt "40000" ]; then + MAX_FILEDESCRIPTORS=16384 + elif [ "$SYSTEM_MAX" -gt "10000" ]; then + MAX_FILEDESCRIPTORS=8192 + else + MAX_FILEDESCRIPTORS=1024 + cat << EOF + +Warning: Your system has very few filedescriptors available in total. + +Maybe you should try raising that by adding 'fs.file-max=100000' to your +/etc/sysctl.conf file. Feel free to pick any number that you deem appropriate. +Then run 'sysctl -p'. See /proc/sys/fs/file-max for the current value, and +file-nr in the same directory for how many of those are used at the moment. + +EOF + fi +else + MAX_FILEDESCRIPTORS=8192 +fi + +tor_start() { + mkdir -p /var/run/tor + chown tor.tor /var/run/tor + if [ -n "$MAX_FILEDESCRIPTORS" ]; then + echo -n "Raising maximum number of filedescriptors (ulimit -n) to $MAX_FILEDESCRIPTORS" + if ulimit -n "$MAX_FILEDESCRIPTORS" ; then + echo "..." + else + echo ": FAILED." + fi + fi + echo "Starting Tor..." + /usr/bin/tor +} + +tor_stop() { + echo -n "Stopping Tor..." + PID=`cat /var/run/tor/tor.pid 2>/dev/null` + if [ -z "$PID" ]; then + echo " not running." + exit 0 + fi + if kill -15 $PID; then + echo " stopped." + else + sleep 1 + if kill -9 $PID; then + echo " killed." + else + echo " error!" + exit 1 + fi + fi +} + +tor_reload() { + echo -n "Reloading Tor..." + PID=`cat /var/run/tor/tor.pid 2>/dev/null` + if [ -z "$PID" ]; then + echo " not running." + exit 0 + fi + if kill -1 $PID; then + echo " reloaded." + else + echo " error!" + exit 1 + fi +} + +tor_status() { + PID=`cat /var/run/tor/tor.pid 2>/dev/null` + if [ -z "$PID" ]; then + echo "Not running." + exit 1 + elif kill -0 $PID; then + echo "Running." + exit 0 + else + echo "PID file /var/run/tor/tor.pid present but PID $PID is not running." + exit 1 + fi +} + +case "$1" in + start) + tor_start + ;; + + stop) + tor_stop + ;; + + restart) + tor_stop + sleep 3 + tor_start + ;; + + reload) + tor_reload + ;; + + status) + tor_status + ;; + + *) + echo "Usage: $0 (start|stop|restart|reload|status)" +esac diff --git a/tor/slack-desc b/tor/slack-desc new file mode 100644 index 0000000..caffdc2 --- /dev/null +++ b/tor/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +tor: tor (The second-generation onion router) +tor: +tor: Tor is a toolset for a wide range of organizations and people that +tor: want to improve their safety and security on the Internet. Using Tor +tor: can help you anonymize web browsing and publishing, instant messaging, +tor: IRC, SSH, and other applications that use the TCP protocol. Tor also +tor: provides a platform on which software developers can build new +tor: applications with built-in anonymity, safety, and privacy features. +tor: +tor: https://www.torproject.org/ +tor: diff --git a/tor/tor.SlackBuild b/tor/tor.SlackBuild new file mode 100644 index 0000000..3a26324 --- /dev/null +++ b/tor/tor.SlackBuild @@ -0,0 +1,152 @@ +#!/bin/bash +# +# Slackware build script for tor +# +# Copyright 2011-2012 Marco Bonetti +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Updated by Donald Cooley dfc@warpmail.net +# Updated by Fernando Lopez Jr. fernando.lopezjr@gmail.com +# Updated by Markus Reichelt slackbuilds@mareichelt.de + +cd $(dirname $0) ; CWD=$(pwd) + +PRGNAM=tor +VERSION=${VERSION:-0.4.6.9} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} +PKGTYPE=${PKGTYPE:-tgz} + +# Select tor's default user/group +TOR_USER=${TOR_USER:-tor} +TOR_UID=${TOR_UID:-220} +TOR_GROUP=${TOR_GROUP:-tor} +TOR_GID=${TOR_GID:-220} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i586 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +# If the variable PRINT_PACKAGE_NAME is set, then this script will report what +# the name of the created package would be, and then exit. This information +# could be useful to other scripts. +if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then + echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE" + exit 0 +fi + +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +bailout() { + echo " You must have a $TOR_USER user and $TOR_GROUP group to run this script. " + echo " Something like this should suffice for most systems: " + echo " # groupadd -g $TOR_GID $TOR_GROUP " + echo " # useradd -u $TOR_UID -g $TOR_GID -c \"The Onion Router\" -d /dev/null -s /bin/false $TOR_USER " + exit 1 +} + +# Bail if user and/or group isn't valid on your system +# uid=220 is suggested to avoid conflicts with other SBo packages, +# but it's your call: http://slackbuilds.org/uid_gid.txt +if ! grep -q "^$TOR_USER:" /etc/passwd; then + bailout +elif ! grep -q "^$TOR_GROUP:" /etc/group; then + bailout +fi + +set -eu + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION +chown -R root:root . +find -L . \ + \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ + -o -perm 511 \) -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ + -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; + +CFLAGS="$SLKCFLAGS" \ +./configure \ + --disable-module-dirauth \ + --prefix=/usr \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --mandir=/usr/man \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --docdir=/usr/doc/$PRGNAM-$VERSION \ + --with-tor-user=$TOR_USER \ + --with-tor-group=$TOR_GROUP \ + --build=$ARCH-slackware-linux + +make +make install-strip DESTDIR=$PKG + +# Create/install stuff that makes tor work (better) +mkdir -p $PKG/var/{run,log,lib}/tor +chown $TOR_USER:$TOR_GROUP $PKG/var/{run,log,lib}/tor +chmod 0700 $PKG/var/lib/tor +install -D -m 0755 $CWD/rc.tor $PKG/etc/rc.d/rc.tor.new +# this has been removed in tor-0.4.2.5, uncomment if you need this +# in earlier Tor versions +#install -D -m 0755 contrib/dist/torctl $PKG/usr/bin/torctl +install -D -m 0644 $CWD/torrc $PKG/etc/tor/torrc.new +mkdir -p $PKG/etc/logrotate.d +sed -e "s,@USER@,$TOR_USER," -e "s,@GROUP@,$TOR_GROUP," $CWD/logrotate.tor \ + > $PKG/etc/logrotate.d/tor.new + +find $PKG/usr/man -type f -exec gzip -9 {} \; +for i in $(find $PKG/usr/man -type l) ; do ln -s $(readlink $i).gz $i.gz ; rm $i ; done + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/spec +cp -a ChangeLog INSTALL LICENSE README ReleaseNotes \ + $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild +cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +cat $CWD/doinst.sh > $PKG/install/doinst.sh + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE diff --git a/tor/tor.info b/tor/tor.info new file mode 100644 index 0000000..bda5285 --- /dev/null +++ b/tor/tor.info @@ -0,0 +1,10 @@ +PRGNAM="tor" +VERSION="0.4.6.9" +HOMEPAGE="https://www.torproject.org/" +DOWNLOAD="https://dist.torproject.org/tor-0.4.6.9.tar.gz" +MD5SUM="6a8bb8f6c6f7c6d80a50de8f9f8be8c4" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="" +MAINTAINER="Markus Reichelt" +EMAIL="slackbuilds@mareichelt.de" diff --git a/tor/torrc b/tor/torrc new file mode 100644 index 0000000..d1ada46 --- /dev/null +++ b/tor/torrc @@ -0,0 +1,217 @@ +## Configuration file for a typical Tor user +## Last updated 22 September 2015 for Tor 0.2.7.3-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc +## +## This is a custom Slackware torrc. The original Tor Project torrc file is +## still available as /etc/tor/torrc.sample + +## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't +## configure one below. Set "SOCKSPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections. +SOCKSPort 127.0.0.1:9050 # what port to open for local application connections +#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SOCKSPolicy is set, we accept +## all (and only) requests that reach a SOCKSPort. Untrusted users who +## can access your SOCKSPort may be able to learn about the connections +## you make. +#SOCKSPolicy accept 192.168.0.0/16 +#SOCKSPolicy accept6 FC00::/7 +#SOCKSPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/tor.log +Log notice file /var/log/tor/tor.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## On startup, setuid to this user and setgid to their primary group. +User tor + +## On startup, write our PID to /var/run/tor/tor.pid. +## On clean shutdown, remove /var/run/tor/tor.pid. +PidFile /var/run/tor/tor.pid + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +## Nicknames must be between 1 and 19 characters inclusive, and must +## contain only the characters [a-zA-Z0-9]. +#Nickname ididnteditheconfig + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 75 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "40 GB" may allow up to 80 GB total before +## hibernating. +## +## Set a maximum of 40 gigabytes each way per period. +#AccountingMax 40 GBytes +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. +## +## If you want to allow the same ports on IPv4 and IPv6, write your rules +## using accept/reject *. If you want to allow different ports on IPv4 and +## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules +## using accept/reject *4. +## +## If you want to _replace_ the default exit policy, end this with either a +## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to) +## the default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to the configured primary public IPv4 and IPv6 addresses, +## and any public IPv4 and IPv6 addresses on any interface on the relay. +## See the man page entry for ExitPolicyRejectPrivate if you want to allow +## "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more +#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy +#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy +#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy +#ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 + -- cgit v1.2.3