The Reduced Exit Policy is an alternative to the default exit policy. It allows as many Internet services as possible while still blocking the majority of TCP ports. Currently, the policy allows approximately 65 ports. This reduces the odds that a BitTorrent user will select your node.

Since BitTorrent clients can be run on any port, and most of them pick random ports, every port you add to your exit policy increases the probability of a BitTorrent client using your exit node to connect to a monitored peer that is listening on that port. This means that enabling ranges of ports is especially bad, unfortunately. Each new port adds 1/65535 (or even more if, e.g., the port numbers listed below are preferred for torrent traffic because they are now well known) to your risk of getting DMCA takedowns. The privileged ports (1-1024) have a smaller risk of getting DMCA takedowns.

This policy has been produced by scanning /etc/services and checking various port lists around the net. This list has been carefully checked to ensure that none of these ports overlap with popular default ports for BitTorrent clients. If you add to this list, please check this carefully too.

Also, it would be great if someone could comment each line to list the services that it allows.

Here are two comprehensive port lists to check new additions against P2P, to label unknown ports below, and to search for new ports to add:

* https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
* http://www.speedguide.net/ports.php

You may also want to block services that you need to access from the node and that block exit nodes:

* https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor

Here is the policy: (If you're running an IPv6 exit, this policy applies to both IPv4 and IPv6.)

{{{
ExitPolicy accept *:20-21 # FTP
ExitPolicy accept *:22 # SSH
ExitPolicy accept *:23 # Telnet
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79 # finger
ExitPolicy accept *:80-81 # HTTP
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:465 # URD for SSM (more often: an alternative SUBMISSION port, see 587)
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:587 # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here)
ExitPolicy accept *:636 # LDAP over SSL
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:853 # DNS over TLS
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over SSL
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # TELNETS
ExitPolicy accept *:993 # IMAP over SSL
ExitPolicy accept *:994 # IRCS
ExitPolicy accept *:995 # POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082 # Infowave Mobility Server
ExitPolicy accept *:2083 # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:3389 # MS WBT
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Android Market
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:6697 # IRC SSL
ExitPolicy accept *:8000 # iRDMI
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418 # git
ExitPolicy accept *:9999 # distinct
ExitPolicy accept *:10000 # Network Data Management Protocol
ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294 # Google Voice TCP
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble
ExitPolicy reject *:*
}}}

Herewith, an alternative Reduced-Reduced ExitPolicy to avoid Tor DNSBL and prevent some common outgoing port scanning / 'attack' ABUSE issues.

Reject Ports (Optional Advisory): 22, 23, 194, 465, 563, 587, 994, 3128, 3389, 6660-6669, 6679, 6697, 8000, 8080 and 9999

It should be noted that to avoid Tor DNSBL, an exit node's ORPort and/or DirPort must not use the 'default' ports 9001 or 9030. ''If your computer isn't running a webserver, and you haven't set AccountingMax, please consider changing your ORPort to 443 and/or your DirPort to 80.''

Tor DNSBL = ''Every IP which is known to run a tor server and allow their clients to connect to one of the following ports get listed: 25, 194, 465, 587, 994, 6657, 6660-6670, 6697, 7000-7005, 7070, 8000-8004, 9000, 9001, 9998, 9999'' (source: mxtoolbox.com/problem/blacklist/sectoor)

{{{
ExitPolicy accept *:20-21 # FTP - File Transfer Protocol (data / control)
#ExitPolicy accept *:22 # SSH - Secure Shell, secure logins, file transfer (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:23 # Telnet - protocol-unencrypted text communications (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:43 # WHOIS - who is query and response protocol
ExitPolicy accept *:53 # DNS - Domain Name System
ExitPolicy accept *:79 # finger - Name/Finger user information protocol
ExitPolicy accept *:80-81 # HTTP - Hypertext Transfer Protocol / web browsing
ExitPolicy accept *:88 # kerberos - computer network authentication protocol
ExitPolicy accept *:110 # POP3 - Post Office Protocol v3 (receive email only)
ExitPolicy accept *:143 # IMAP - Internet Message Access Protocol, management of email messages (receive email only)
#ExitPolicy accept *:194 # IRC - Internet Relay Chat (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:220 # IMAP3 - Internet Message Access Protocol v3 (receive email only)
ExitPolicy accept *:389 # LDAP - Lightweight Directory Access Protocol
ExitPolicy accept *:443 # HTTPS - Hypertext Transfer Protocol over TLS/SSL / secure web browsing
ExitPolicy accept *:464 # kpasswd - Kerberos Change/Set password
#ExitPolicy accept *:465 # URD for SSM / email SUBMISSION (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:531 # IRC/AIM - AOL Instant Messenger
ExitPolicy accept *:543-544 # Kerberos - klogin, Kerberos login / kshell, Kerberos Remote shell
ExitPolicy accept *:554 # RTSP - Real Time Streaming Protocol
#ExitPolicy accept *:563 # NNTP over SSL - Network News Transfer Protocol - (https://www.torproject.org/docs/faq#DefaultExitPorts)
#ExitPolicy accept *:587 # SMTP - email SUBMISSION (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:636 # LDAP - Lightweight Directory Access Protocol over TLS/SSL
ExitPolicy accept *:706 # SILC - Secure Internet Live Conferencing
ExitPolicy accept *:749 # kerberos - protocol administration
ExitPolicy accept *:873 # rsync - file synchronization protocol
ExitPolicy accept *:902-904 # VMware - Virtual Infrastructure Client / Console / Server
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over TLS/SSL - File Transfer Protocol (data / control)
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # Telnet protocol over TLS/SSL
ExitPolicy accept *:993 # IMAP over SSL - Internet Message Access Protocol over TLS/SSL (receive email only)
#ExitPolicy accept *:994 # IRCS - Internet Relay Chat SSL (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:995 # POP3 over SSL - Post Office Protocol v3 (receive email only)
ExitPolicy accept *:1194 # OpenVPN - Virtual Private Network
ExitPolicy accept *:1220 # QT Server Admin - QuickTime Streaming Server administration
ExitPolicy accept *:1293 # PKT-KRB-IPSec - Internet Protocol Security
ExitPolicy accept *:1500 # VLSI License Manager - Firewall (NT4-based) Remote Management / Server
ExitPolicy accept *:1533 # Sametime - IM—Virtual Places Chat MS SQL Server
ExitPolicy accept *:1677 # GroupWise - clients in client/server access mode
ExitPolicy accept *:1723 # PPTP - Point-to-Point Tunneling Protocol
ExitPolicy accept *:1755 # RTSP - Media Services (MMS, ms-streaming)
ExitPolicy accept *:1863 # MSNP - MS Notification Protocol, MS Messenger service / Instant Messaging clients
ExitPolicy accept *:2082 # Infowave Mobility Server and CPanel default
ExitPolicy accept *:2083 # Secure Radius Service (radsec) and CPanel default SSL
ExitPolicy accept *:2086-2087 # GNUnet, ELI - Web Host Manager default and Web Host Manager default SSL
ExitPolicy accept *:2095-2096 # NBX - CPanel default web mail and CPanel default SSL web mail
ExitPolicy accept *:2102-2104 # Zephyr - Project Athena Notification Service server / connection / host manager
#ExitPolicy accept *:3128 # SQUID - Web caches / client connection software - (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:3389 # MS WBT - Microsoft Terminal Server (RDP) - (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:3690 # SVN - Subversion version control system
ExitPolicy accept *:4321 # RWHOIS - Referral Who is Protocol
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # MMCC - Yahoo! Messenger
ExitPolicy accept *:5190 # ICQ and AOL Instant Messenger
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL - Extensible Messaging and Presence Protocol client connection
ExitPolicy accept *:5228 # Android Market - Google Play, Android Cloud, Google Cloud Messaging / HP Virtual Room Service
#ExitPolicy accept *:5900 # VNC - Virtual Network Computing (RDP) - (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:6660-6669 # IRC - Internet Relay Chat - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
#ExitPolicy accept *:6679 # IRC SSL - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
#ExitPolicy accept *:6697 # IRC SSL - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
#ExitPolicy accept *:8000 # iRDMI - often used instead of port 8080 - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:8008 # HTTP alternate / Server administration default
ExitPolicy accept *:8074 # Gadu-Gadu - instant messaging client
#ExitPolicy accept *:8080 # HTTP Proxies - Web proxy and caching server - (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP - Control Panel
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE - HyperVM, Freenet, MAMP Server
ExitPolicy accept *:9418 # git - Git pack transfer service
#ExitPolicy accept *:9999 # distinct - Telnet control - (REJECT to AVOID Tor DNSBL - www.sectoor.de/tor.php#en-listpolicy)
ExitPolicy accept *:10000 # Network Data Management Protocol - Webmin, Web-based Unix/Linux system administration tool
ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294 # Google Voice TCP - Voice and Video connections
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble - voice over IP
ExitPolicy reject *:*
}}}

In a test of the above Reduced-Reduced ExitPolicy, a new Tor Exit node running with the main (original) ReducedExitPolicy was listed in a Tor DNSBL within 24 hours of achieving an Exit Relay flag status.

However, a similar Tor Exit node running with the above Reduced-Reduced ExitPolicy seemingly remains unlisted from the same Tor DNSBL.
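
The following is an added example, not part of the original page or of Tor's own tooling: a small torrc audit that applies the DNSBL listing criterion quoted above and the ORPort/DirPort advice to a policy before you deploy it. It assumes one `ExitPolicy accept|reject *:PORT[-PORT]` rule per line, as used on this page; the sample torrc is constructed from a few of the page's policy lines plus made-up ORPort/DirPort lines.

```python
import re

# Listing criterion quoted on this page (sectoor, via mxtoolbox).
DNSBL_SPEC = ("25,194,465,587,994,6657,6660-6670,6697,7000-7005,"
              "7070,8000-8004,9000,9001,9998,9999")
# Default listener ports the page says an exit must not use.
DEFAULT_LISTENERS = {"ORPort": 9001, "DirPort": 9030}

RULE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+\*:(\*|\d+(?:-\d+)?)$")
LISTENER = re.compile(r"^(ORPort|DirPort)\s+(?:\S+:)?(\d+)\b")

# Constructed sample: policy lines taken from this page, listener lines invented.
SAMPLE_TORRC = """\
ORPort 9001
DirPort 80
ExitPolicy accept *:20-21 # FTP
#ExitPolicy accept *:22 # SSH
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:587 # SUBMISSION
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:8000 # iRDMI
ExitPolicy reject *:*
"""


def expand(spec):
    """Expand a '194,6660-6670' style port spec into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def active_lines(torrc):
    """Yield config lines with comments and commented-out rules removed."""
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def audit(torrc):
    """Report open port count, DNSBL-triggering rules and default listeners."""
    dnsbl = expand(DNSBL_SPEC)
    accepted, decided, flagged, defaults = set(), set(), [], []
    last_rule = None
    for line in active_lines(torrc):
        listener = LISTENER.match(line)
        if listener and DEFAULT_LISTENERS[listener.group(1)] == int(listener.group(2)):
            defaults.append(listener.group(1))
        rule = RULE.match(line)
        if not rule:
            continue
        action, spec = rule.groups()
        ports = set(range(1, 65536)) if spec == "*" else expand(spec)
        effective = ports - decided      # first matching rule wins
        if action == "accept":
            accepted |= effective
            if effective & dnsbl:
                flagged.append(spec)
        decided |= ports
        last_rule = (action, spec)
    return {
        "open_ports": len(accepted),
        "dnsbl_rules": flagged,
        "default_listeners": defaults,
        # Without a final catch-all rule Tor appends its default exit policy,
        # so open_ports is then only a lower bound.
        "replaces_default_policy": last_rule is not None and last_rule[1] == "*",
    }


if __name__ == "__main__":
    print(audit(SAMPLE_TORRC))
```

Port 6679 is not flagged because the quoted criterion covers 6660-6670 and 6697 only; the Reduced-Reduced policy above comments it out anyway.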

----

A lightweight Exit policy EXAMPLE with a focus towards officially registered ports from: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Avoids common 'abuse' ports and limits port numbers above 1024.

Enables useful ports for the majority of Tor users without Exit traffic related to: Remote Administration, Streaming services (high-bandwidth) and/or 'commercial' applications.

{{{
ExitPolicy accept *:20-21 # FTP
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:80 # HTTP
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:989-990 # FTPS
ExitPolicy accept *:991 # NAS Usenet
ExitPolicy accept *:992 # TELNETS
ExitPolicy accept *:993 # IMAPS
ExitPolicy accept *:995 # POP3S
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1293 # IPSec
ExitPolicy accept *:3690 # SVN Subversion
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:5222-5223 # XMPP, XMPP SSL
ExitPolicy accept *:5228 # Android Market
ExitPolicy accept *:9418 # git
ExitPolicy accept *:11371 # OpenPGP hkp
ExitPolicy accept *:64738 # Mumble
ExitPolicy reject *:*
}}}

A basic Exit policy Example for Web Browsing (''only'') - help Tor Browser Bundle users!

{{{
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:80 # HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy reject *:*
}}}

''Alpha'' test - IoT (Internet of Things) Port Recommendations / Additions

{{{
ExitPolicy accept *:81 # HTTP Alt
ExitPolicy accept *:83 # MIT ML Device
ExitPolicy accept *:85 # MIT ML Device
ExitPolicy accept *:86 # BroadCam Video Streaming Server
ExitPolicy accept *:90 # dnsix Security Attribute Token Map / Pointcast
ExitPolicy accept *:1043 # BOINC Client Control
ExitPolicy accept *:1103 # Adobe Server 2
ExitPolicy accept *:1113 # Licklider Transmission Protocol (IANA official) [RFC 5326]
ExitPolicy accept *:1883 # Message Queuing Telemetry (IANA official)
ExitPolicy accept *:4070 # Trivial IP Encryption (TrIPE)
ExitPolicy accept *:5004 # RTP media data [RFC 3551, RFC 4571]
ExitPolicy accept *:5287 # IP Camera viewer apps
ExitPolicy accept *:5675 # V5UA application port (IANA official) [RFC 3807]
ExitPolicy accept *:6880 # Dwyco Video Conferencing
ExitPolicy accept *:8502 # FTN Message Transfer Protocol (IANA official)
ExitPolicy accept *:8601 # Wavestore CCTV protocol
ExitPolicy accept *:8602 # XBConnect, Wavestore Notification protocol
}}}

An EXAMPLE IoT Reduced-Exit Policy - Note: High-Bandwidth use with heavy-streaming / big-data services.

{{{
ExitPolicy accept *:20-21 # FTP
#ExitPolicy accept *:22 # SSH (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:23 # Telnet (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79 # finger
ExitPolicy accept *:80-81 # HTTP, HTTP alt.
ExitPolicy accept *:83 # MIT ML Device
ExitPolicy accept *:85 # MIT ML Device
ExitPolicy accept *:86 # BroadCam Video Streaming Server
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:90 # dnsix Security Attribute Token Map / Pointcast
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
#ExitPolicy accept *:194 # IRC (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
#ExitPolicy accept *:465 # URD for SSM (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
#ExitPolicy accept *:563 # NNTP over SSL (AVOID - https://www.torproject.org/docs/faq#DefaultExitPorts)
#ExitPolicy accept *:587 # SMTP (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:636 # LDAP
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over TLS/SSL
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # Telnet protocol over TLS/SSL
ExitPolicy accept *:993 # IMAP over SSL (N.B. potential abuse - brute-force attacks - tornull.org)
#ExitPolicy accept *:994 # IRCS (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:995 # POP3 over SSL
ExitPolicy accept *:1043 # BOINC Client Control
ExitPolicy accept *:1103 # Adobe Server 2
ExitPolicy accept *:1113 # Licklider Transmission Protocol (IANA official) [RFC 5326]
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:1883 # Message Queuing Telemetry (IANA official)
ExitPolicy accept *:2082 # Infowave Mobility Server and CPanel default
ExitPolicy accept *:2083 # Secure Radius Service (radsec) and CPanel default SSL
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
#ExitPolicy accept *:3128 # SQUID (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:3389 # MS WBT (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:4070 # Trivial IP Encryption (TrIPE)
ExitPolicy accept *:5004 # RTP media data [RFC 3551, RFC 4571]
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ and AOL Instant Messenger
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Android Market
ExitPolicy accept *:5287 # IP Camera viewer apps
ExitPolicy accept *:5675 # V5UA application port (IANA official) [RFC 3807]
#ExitPolicy accept *:5900 # VNC (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:6660-6669 # IRC (REJECT to AVOID Tor DNSBL)
#ExitPolicy accept *:6679 # IRC SSL (REJECT to AVOID Tor DNSBL)
#ExitPolicy accept *:6697 # IRC SSL (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:6880 # Dwyco Video Conferencing
#ExitPolicy accept *:8000 # iRDMI (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
#ExitPolicy accept *:8080 # HTTP Proxies (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP - Control Panel
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
ExitPolicy accept *:8502 # FTN Message Transfer Protocol (IANA official)
ExitPolicy accept *:8601 # Wavestore CCTV protocol
ExitPolicy accept *:8602 # XBConnect, Wavestore Notification protocol
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE, HUSH coin
ExitPolicy accept *:9418 # git - Git pack transfer service
#ExitPolicy accept *:9999 # distinct (REJECT to AVOID Tor DNSBL)
##ExitPolicy accept *:10000 # Network Data Management Protocol (N.B. potential abuse - RDP - tornull.org)
ExitPolicy accept *:11371 # OpenPGP hkp
ExitPolicy accept *:19294 # Google Voice
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble - voice over IP
ExitPolicy reject *:*
}}}

----

Malicious botnet (ransomware, crimeware and malware) traffic over Tor is unfortunately becoming more common, particularly on ports 80 and 443.

Some random person on the Internet made an ExitPolicy he thinks is good and updates it at https://tornull.org.
This person is not affiliated with the Tor Project. While his suggested ExitPolicy lines may be helpful and not harmful,
his suggested client (not exit relay) torrc edits are most likely actively harmful to user anonymity and should not be used.

Also see: Tor Abuse Templates - https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates