A particular node, named after the Italian feminist writer and teacher Elena Gianini Belotti and hosted by Aquilenet, was doing something odd: the consensus thought that its exit policy was reject *:*, while we wanted it to be an exit node.
The only major difference with our other servers is that we have some issues with IPv4 attribution, so we agreed with our hoster to only have IPv6 traffic exiting from the Tor network. There was likely a configuration issue somehow, somewhere.
The torrc files looked like this. Assuming that everything else (address, …) was correct, can you spot the mistake?

    # No exit in ipv4
    ExitPolicy reject *:*
    # Reduced exit policy in IPv6
    ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
    …
    ExitPolicy accept6 *:64738 # Mumble
    ExitPolicy reject6 *:*

The trick, as outlined in ticket 16069, is that reject *:* will reject both IPv6 and IPv4, for legacy reasons.
On this topic, the torrc's documentation states the following:

"reject6 only produce IPv6 exit policy entries. Using an IPv4 address with reject6 is ignored and generates a warning. reject allows either IPv4 or IPv6 addresses. Use *4 as an IPv4 wildcard address, and *6 as an IPv6 wildcard address. reject * expands to matching IPv4 and IPv6 wildcard address rules."

So the correct configuration looks like this:

    # No exit in ipv4
    ExitPolicy reject *4:*
    # Reduced exit policy in IPv6
    ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
    ExitPolicy accept6 *:43 # WHOIS
    …
    ExitPolicy accept6 *:64738 # Mumble
    ExitPolicy reject6 *:*

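A way to catch this before the consensus does, as an added example (not code from the original post or from Tor): a small Python function that applies first-match-wins ordering to ExitPolicy rules and reports which ports each address family ends up accepting. It assumes only wildcard addresses (*, *4, *6) and ignores any default policy Tor appends; accepted_ports, BROKEN and FIXED are names made up for this sketch, and the sample configs are built from the ones above with the elided lines left out.

```python
import re

# Address families covered by each wildcard, per the torrc documentation.
WILDCARDS = {"*": {"ipv4", "ipv6"}, "*4": {"ipv4"}, "*6": {"ipv6"}}
RULE = re.compile(r"^(accept6?|reject6?)\s+(\*[46]?):(\*|\d+(?:-\d+)?)$")

def accepted_ports(torrc_text):
    """Return {"ipv4": set, "ipv6": set} of exit ports accepted by the
    wildcard ExitPolicy rules, evaluated first-match-wins."""
    accepted = {"ipv4": set(), "ipv6": set()}
    decided = {"ipv4": set(), "ipv6": set()}   # ports already matched by a rule
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments
        if len(parts) != 2 or parts[0].lower() != "exitpolicy":
            continue
        for rule in parts[1].split(","):
            m = RULE.match(rule.strip())
            if not m:
                raise ValueError(f"unsupported rule: {rule.strip()!r}")
            action, addr, port = m.groups()
            families = set(WILDCARDS[addr])
            if action.endswith("6"):
                families &= {"ipv6"}   # accept6/reject6 only produce IPv6 entries
            lo, _, hi = ("1-65535" if port == "*" else port).partition("-")
            ports = set(range(int(lo), int(hi or lo) + 1))
            for fam in families:
                if action.startswith("accept"):
                    accepted[fam] |= ports - decided[fam]
                decided[fam] |= ports
    return accepted

# Constructed sample: the misconfigured policy from this post.
BROKEN = """\
# No exit in ipv4
ExitPolicy reject *:*
# Reduced exit policy in IPv6
ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
ExitPolicy accept6 *:64738 # Mumble
ExitPolicy reject6 *:*
"""
# Same policy with the IPv4-only wildcard.
FIXED = BROKEN.replace("reject *:*", "reject *4:*")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        result = accepted_ports(cfg)
        print(name, {fam: sorted(p) for fam, p in result.items()})
```

With the broken policy both families come back empty, because the leading reject *:* has already matched every IPv6 port before any accept6 line is reached.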
An embarrassingly large portion of the evening was wasted, and of course, as soon as the mystery was solved, our beloved hoster told us that they solved the attribution issue, and that we're free to use IPv4 as well for the exit traffic.