[tor-relays] Reduced exit and not IPv4 exit traffic at all

Hello all,
how can I use a reduced exit policy and not allow any IPv4 exit traffic?

The following line in the top of all the ExitPolicy lines in torrc seems not to work.
ExitPolicy reject 0.0.0.0:*

What is the order I need here, first "reject" and then accept, or the other way around?

Reduced Exit policy like here:

Webtropia was a bit unhappy lately when UCEprotect listed the whole /24 for some reason I still don't understand.

But then I thought, why not disable IPv4 exit traffic, there are so many IPv6 resources that an IPv6-only exit should still be fine.

Thanks
yl

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

how can I use a reduced exit policy and not allow any IPv4 exit traffic?

I don't think IPv6-only works. AFAIK, exits must have at least ports 80, 443 and
53 open on IPv4.

The following line in the top of all the ExitPolicy lines in torrc seems
not to work.
ExitPolicy reject 0.0.0.0:*

What are you putting them for? All private addresses are rejected by default.

What is the order I need here, first "reject" and then accept, or the
other way around?

No, as always, first come first served.

Reduced Exit policy like here:
ReducedExitPolicy · Wiki · Legacy / Trac · GitLab

You can also take it like this. I would also delete port 22, then there would
be fewer abuse mails.

Before changing exit policies, read 'man torrc' carefully. SERVER OPTIONS
ExitPolicy* and IPv6Exit.

But then I thought, why not disable IPv4 exit traffic, there are so many
IPv6 resources that an IPv6-only exit should still be fine.

Unfortunately, the IPv6 traffic on my relays is often close to 0 for months.

On Wednesday, February 16, 2022 1:45:51 PM CET yl wrote:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Hi,

I would try the following:

ExitPolicy accept [::]:20-21 # FTP, SSH, telnet
ExitPolicy accept [::]:23 # FTP, SSH, telnet
ExitPolicy accept [::]:43 # WHOIS
[..]
ExitPolicy reject *:*

I would recommend that you block outgoing email ports instead of trying to block out all IPv4 traffic. I've never had any problems with ISPs and I ban outgoing email and SSH.
I'm not happy with it, but it's better than being discredited by ISPs.

Afaik this is not possible. To get the exit flag you need both IPv4 and IPv6 or only IPv4, but IPv6 only relays are not possible.

Greetings

Hello,

On 2/18/22 13:40, newsletter@unicorncloud.org wrote:

Afaik this is not possible. To get the exit flag you need both IPv4 and IPv6 or only IPv4, but IPv6 only relays are not possible.

I believe this changed with the last version, but I am not sure.

I want to use IPv4 and IPv6, I just don't want to allow (reject) all exit to IPv4 and guess that must be possible somehow?

Regards
yl

how can I use a reduced exit policy and not allow any IPv4 exit traffic?

tor's man page has the information on how to specify any IPv4:

*4 to denote all IPv4 addresses, and *6 to denote all IPv6 addresses.

I don't think IPv6-only works. AFAIK, exits must have at least ports 80, 443 and
53 open on IPv4.

You can run a relay that does allow exiting to IPv6 and not IPv4 but it will
not get the exit flag.

kind regards,
nusenu

On Wednesday, February 16, 2022 1:45:51 PM CET yl wrote:

--
https://nusenu.github.io
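
An added example, not part of the message above or of tor's own code: a simplified Python model of first-match ExitPolicy evaluation, following the torrc man page rule that an address without /MASK applies to that host only. The function names, the two sample policies and the documentation-range destination addresses are constructed for illustration.

```python
import ipaddress

def parse_rule(line):
    """Parse 'ExitPolicy accept|reject ADDR[/MASK]:PORT' (port part required in this sketch)."""
    words = line.split("#", 1)[0].split()          # drop a trailing comment
    action, pattern = words[-2], words[-1]
    addr, _, port = pattern.rpartition(":")
    lo, _, hi = port.partition("-")
    ports = (1, 65535) if port == "*" else (int(lo), int(hi or lo))
    if addr in ("*", "*4", "*6"):                  # any family / all IPv4 / all IPv6
        version, net = {"*": None, "*4": 4, "*6": 6}[addr], None
    else:
        # No /MASK given: the pattern covers that single host (/32 or /128).
        literal = addr.replace("[", "").replace("]", "")
        net = ipaddress.ip_network(literal, strict=False)
        version = net.version
    return action == "accept", version, net, ports

def exits_to(policy, dest, port):
    """Return True if the first rule matching dest:port is an accept rule."""
    ip = ipaddress.ip_address(dest)
    for accept, version, net, (lo, hi) in map(parse_rule, policy):
        if version in (None, ip.version) and (net is None or ip in net) and lo <= port <= hi:
            return accept                          # first match wins, later rules are ignored
    return False  # assumption of this sketch: policies end in an explicit catch-all

# Constructed policy using the line from the question: matches only the host 0.0.0.0.
ATTEMPT = ["ExitPolicy reject 0.0.0.0:*",
           "ExitPolicy accept *:80",
           "ExitPolicy accept *:443",
           "ExitPolicy reject *:*"]

# Constructed policy using the *4 wildcard quoted from the man page.
FIXED = ["ExitPolicy reject *4:*",
         "ExitPolicy accept *:80",
         "ExitPolicy accept *:443",
         "ExitPolicy reject *:*"]

if __name__ == "__main__":
    for name, policy in (("ATTEMPT", ATTEMPT), ("FIXED", FIXED)):
        for dest in ("192.0.2.10", "2001:db8::1"):   # documentation-range addresses
            print(name, dest, 443, "accept" if exits_to(policy, dest, 443) else "reject")
```

Under the same rule, a mask-less `[::]` pattern covers only the address `::`; `*6` is the pattern for all IPv6 destinations.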

Hello

ExitPolicy accept [::]:20-21 # FTP, SSH, telnet
ExitPolicy accept [::]:23 # FTP, SSH, telnet
ExitPolicy accept [::]:43 # WHOIS
[..]
ExitPolicy reject *:*

Oh yes, I will try that. Now that you write it here I could also keep some other IPv4 ports open that way. I need to check this out. Also need to test it by choosing "my" exit I guess.

I would recommend that you block outgoing email ports instead of trying to block out all IPv4 traffic. I've never had any problems with ISPs and I ban outgoing email and SSH.
I'm not happy with it, but it's better than being discredited by ISPs.

E-Mail is banned, I think the reason for my problems was forum spam, so some spam done via 80/443.

yl

On 2/17/22 21:20, Martin Gebhardt wrote:

Ah, there it is buried. I didn't know that there is man torrc, I always looked that up online in the 2019 documentation, or before that in the standard doc. online.

I will try what happens if I apply a config with IPv6 exit only, I guess it could work now.
At least I need to close 80/443, as that seems to be the source for spam, I assume it is some webform or forum spam that got the server listed in the spam block list.

yl

On 2/18/22 16:13, lists@for-privacy.net wrote:

Before changing exit policies, read 'man torrc' carefully. SERVER OPTIONS
ExitPolicy* and IPv6Exit.

Which means what? Will it be used for exit at all?

Would be sad to lose this 300MBit/s fully used Exit.

yl

On 2/19/22 00:06, nusenu wrote:

You can run a relay that does allow exiting to IPv6 and not IPv4 but it will
not get the exit flag.
