Commit 42b8fb5a authored by Roger Dingledine

Exit policies now reject connections that are addressed to a

relay's public (external) IP address too, unless
ExitPolicyRejectPrivate is turned off. We do this because too
many relays are running nearby to services that trust them based
on network address.


svn:r12459
parent 462643c7
Changes in version 0.2.0.11-alpha - 2007-11-??
o Security fixes:
- Exit policies now reject connections that are addressed to a
relay's public (external) IP address too, unless
ExitPolicyRejectPrivate is turned off. We do this because too
many relays are running nearby to services that trust them based
on network address.
Changes in version 0.2.0.10-alpha - 2007-11-10
......
......@@ -739,11 +739,13 @@ To specify all internal and link-local networks (including 0.0.0.0/8,
169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and
172.16.0.0/12), you can use the "private" alias instead of an address.
These addresses are rejected by default (at the beginning of your
exit policy) unless you set the ExitPolicyRejectPrivate config option
exit policy), along with your public IP address, unless you set the
ExitPolicyRejectPrivate config option
to 0. For example, once you've done that, you could allow HTTP to
127.0.0.1 and block all other connections to internal networks with
"accept
127.0.0.1:80,reject private:*". See RFC 1918 and RFC 3330 for more
"accept 127.0.0.1:80,reject private:*", though that may also allow
connections to your own computer that are addressed to its public
(external) IP address. See RFC 1918 and RFC 3330 for more
details about internal and reserved IP address space.
This directive can be specified multiple times so you don't have to put
......@@ -773,7 +775,8 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_
.LP
.TP
\fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP
Reject all private (local) networks at the beginning of your exit
Reject all private (local) networks, along with your own public IP
address, at the beginning of your exit
policy. See above entry on ExitPolicy. (Default: 1)
.LP
.TP
......
......@@ -3356,9 +3356,8 @@ void policies_parse_from_options(or_options_t *options);
int cmp_addr_policies(addr_policy_t *a, addr_policy_t *b);
addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr,
uint16_t port, addr_policy_t *policy);
int policies_parse_exit_policy(config_line_t *cfg,
addr_policy_t **dest,
int rejectprivate);
int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
int rejectprivate, const char *local_address);
int exit_policy_is_general_exit(addr_policy_t *policy);
int policy_is_reject_star(addr_policy_t *policy);
int getinfo_helper_policies(control_connection_t *conn,
......
......@@ -228,7 +228,7 @@ validate_addr_policies(or_options_t *options, char **msg)
*msg = NULL;
if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
options->ExitPolicyRejectPrivate))
options->ExitPolicyRejectPrivate, NULL))
REJECT("Error in ExitPolicy entry.");
/* The rest of these calls *append* to addr_policy. So don't actually
......@@ -556,10 +556,16 @@ exit_policy_remove_redundancies(addr_policy_t **dest)
*/
int
policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
int rejectprivate)
int rejectprivate, const char *local_address)
{
if (rejectprivate)
if (rejectprivate) {
append_exit_policy_string(dest, "reject private:*");
if (local_address) {
char buf[POLICY_BUF_LEN];
tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address);
append_exit_policy_string(dest, buf);
}
}
if (parse_addr_policy(cfg, dest, -1))
return -1;
append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
......
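Review bot: The result of `tor_snprintf` in the new `if (local_address)` branch of policies_parse_exit_policy is not checked, so a `local_address` that does not fit in `buf` would be passed on to `append_exit_policy_string` in truncated form. Since this reject entry is the security fix itself, the function should fail closed rather than continue without it: `if (tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address) < 0) return -1;`. It also looks as if `append_exit_policy_string` reports nothing back to this caller, so a string that does not parse as an address would presumably be dropped silently; a log warning on that path would let an operator notice that the self-address reject is missing. The doc comment that closes just above the signature lies outside the hunk; if it does not yet describe `local_address`, it should state that NULL means no extra entry is added.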
......@@ -1215,7 +1215,8 @@ router_rebuild_descriptor(int force)
ri->bandwidthcapacity = hibernating ? 0 : rep_hist_bandwidth_assess();
policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
options->ExitPolicyRejectPrivate);
options->ExitPolicyRejectPrivate,
ri->address);
if (desc_routerinfo) { /* inherit values */
ri->is_valid = desc_routerinfo->is_valid;
......
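Review bot: Passing `ri->address` here means only the single address placed in the descriptor is added to the reject list; any other public address the host answers on would still be reachable through the exit unless the operator lists it in ExitPolicy. A comment at the call would make that limit visible, for example `/* Rejects only our advertised address; other public addresses of this host must be rejected in the operator's ExitPolicy. */`. The return value of `policies_parse_exit_policy` is also discarded at this call, so a failure while building the policy would go unnoticed and the descriptor would be assembled from whatever had already been appended to `ri->exit_policy`; checking the result and logging a warning would be safer. router_rebuild_descriptor starts and ends outside the hunk.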
......@@ -2935,7 +2935,7 @@ test_policies(void)
compare_addr_to_addr_policy(0xc0a80102, 2, policy));
policy2 = NULL;
test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1));
test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, NULL));
test_assert(policy2);
test_assert(!exit_policy_is_general_exit(policy));
......@@ -2955,7 +2955,7 @@ test_policies(void)
line.key = (char*)"foo";
line.value = (char*)"accept *:80,reject private:*,reject *:*";
line.next = NULL;
test_assert(0 == policies_parse_exit_policy(&line, &policy, 0));
test_assert(0 == policies_parse_exit_policy(&line, &policy, 0, NULL));
test_assert(policy);
test_streq(policy->string, "accept *:80");
test_streq(policy->next->string, "reject *:*");
......
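Review bot: Both updated calls in test_policies pass NULL for `local_address`, so the tests never exercise the new reject entry for the relay's own address. A case on a fresh, NULL-initialised policy pointer that passes a non-NULL address (for instance the constructed value `"192.0.2.1"`) with `rejectprivate` set to 1, followed by a `compare_addr_to_addr_policy` check that this address is rejected, would cover the fix. The converse is worth pinning as well: with `rejectprivate` set to 0 and an address supplied, no such entry should appear in the resulting policy. test_policies starts and ends outside these hunks.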