At nos-oignons we're running a couple of high-speed tor exit nodes, and since it's 2020, most of them have IPv6 addresses.
A particular node, `elenagb`, named after the Italian feminist writer and teacher Elena Gianini Belotti and hosted by Aquilenet, was doing something odd: the consensus thought that its exit policy was `reject *:*`, while we wanted it to be an exit node.
The only major difference from our other servers is that, because of some issues with IPv4 attribution, we agreed with our hoster to only have IPv6 traffic exiting from the tor network. There was likely a configuration issue somehow, somewhere.
The `torrc` files looked like this, assuming that everything else (`ORPort`, `address`, …) was correct. Can you spot the mistake?

```
# No exit in ipv4
ExitPolicy reject *:*
# Reduced exit policy in IPv6
ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
…
ExitPolicy accept6 *:64738 # Mumble
ExitPolicy reject6 *:*
```
The trick, as outlined in ticket 16069, is that `reject *:*` will reject both IPv6 and IPv4, for legacy reasons.
On this topic, the `torrc` documentation states the following:

"`accept6` and `reject6` only produce IPv6 exit policy entries. Using an IPv4 address with `accept6` or `reject6` is ignored and generates a warning. `accept`/`reject` allows either IPv4 or IPv6 addresses. Use `*4` as an IPv4 wildcard address, and `*6` as an IPv6 wildcard address. `accept`/`reject *` expands to matching IPv4 and IPv6 wildcard address rules."
So the correct configuration looks like this:

```
# No exit in ipv4
ExitPolicy reject *4:*
# Reduced exit policy in IPv6
ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
ExitPolicy accept6 *:43 # WHOIS
…
ExitPolicy accept6 *:64738 # Mumble
ExitPolicy reject6 *:*
```
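To make the family semantics concrete, here is a small added evaluator (example code written for this post, not part of tor or of our configuration) that applies the wildcard rules quoted above, first match wins, to the two `torrc` fragments with the elided lines left out; the sample addresses are constructed documentation ranges.

```python
import ipaddress
import warnings

def parse_policy(text):
    """Turn torrc ExitPolicy lines into ordered (family, action, lo, hi) rules.
    family is 4, 6 or None (both). Only wildcard addresses (*, *4, *6) are
    handled, which is all the torrc on this page uses."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line.startswith("ExitPolicy "):
            continue                               # blank lines and '…'
        _, verb, pattern = line.split(None, 2)
        addr, ports = pattern.rsplit(":", 1)
        action = verb.rstrip("6")
        if addr == "*":
            # bare '*' under accept/reject matches both families (the bug on
            # this page); under accept6/reject6 it is IPv6 only
            family = 6 if verb.endswith("6") else None
        elif addr in ("*4", "*6"):
            family = int(addr[1])
            if verb.endswith("6") and family == 4:
                warnings.warn(f"IPv4 address with {verb} is ignored: {line}")
                continue
        else:
            raise ValueError(f"only wildcard addresses are supported: {addr!r}")
        lo, _, hi = ports.partition("-")
        lo, hi = (1, 65535) if lo == "*" else (int(lo), int(hi or lo))
        rules.append((family, action, lo, hi))
    return rules

def exit_allowed(rules, address, port):
    """First matching rule wins. Returns None if no listed rule matches; both
    configs on this page end every family with an explicit reject, so that
    only happens for policies other than these."""
    version = ipaddress.ip_address(address).version
    for family, action, lo, hi in rules:
        if family in (None, version) and lo <= port <= hi:
            return action == "accept"
    return None

# The two torrc fragments from this page, elided '…' lines omitted.
BROKEN = """
# No exit in ipv4
ExitPolicy reject *:*
# Reduced exit policy in IPv6
ExitPolicy accept6 *:20-23 # FTP, SSH, telnet
ExitPolicy accept6 *:64738 # Mumble
ExitPolicy reject6 *:*
"""
FIXED = BROKEN.replace("reject *:*", "reject *4:*")   # the one-character fix
```

Running `exit_allowed(parse_policy(BROKEN), "2001:db8::1", 22)` yields `False` because the bare `reject *:*` swallows IPv6 too, while the same call on `FIXED` yields `True` and IPv4 stays rejected.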
An embarrassingly large portion of the evening was wasted, and of course, as soon as the mystery was solved, our beloved hoster told us that they solved the attribution issue, and that we're free to use IPv4 as well for the exit traffic.
This blogpost was also published on Nos oignons' website, both in English and in French.