[tor-dev] Blacklist all domains, whitelist .onion,.exit


I am trying to make a tor only allow traffic through onion services and exit nodes.

I would like to blacklist all domains first, as that is simple and does not need to be updated,
then whitelist all onions and exits.

Reason: I am hosting an onion service, but I don’t want any client traffic coming from that

I’ve played with MapAddress, VirtualAddrNetworkIPV4, AutomapHostsOnResolve,
AutomapHostsSuffixes, but nothing seems to work as intended above.

MapAddress = does not report invalid conf, but the controller reports it is using
invalid syntax because "
" be source or target.
I tricked the controller with MapAddress .=, as every domain has a dot, the controller
didn’t report syntax error and this option is actually ignored.

If the above worked, then the next option would be the whitelisting:
MapAddress *.onion VIRTUAL_IP

Or possibly the AutomapHostsOnResolve 1 and AutomapHostsSuffixes .exit,.onion would
handle that part hopefully.

I did it the lazy way, the antivirus way: I downloaded the IANA TLD domain list and used basic
string manipulation to make: MapAddress *.${domain}
And yes, as you may think, the list is huge and has to be in its own included conf file, and it is also
prone to becoming outdated every time a new TLD is created. But it works; in a dumb and
mistake-prone way, it works. Can this be done better? Not the antivirus way, where all is permitted and some known
items are blocked. I would prefer all to be blocked and some items permitted.

The real objective was to block all non-.onion and non-.exit targets coming from a client, which the
controller reports with SOURCE_ADDR, but I didn’t find an option to MapAddress per client
or anything similar to manipulate addresses per client source, so that is why I started doing this for all tor traffic, which is not what I really want; what I want is controlling targets per client.