On Sun, 16 Sep 2007 17:18:49 -0400 misc <[EMAIL PROTECTED]> wrote:

>On Sun, 16 Sep 2007 01:25:51 -0500 (CDT), Scott Bennett wrote:
>
>> I'd strongly recommend that you start with the tor overview
>> document at
>>
>> https://tor.eff.org/overview
>>
>> paying special attention to the cartoon describing how circuits are built,
>> which should begin to straighten you out on some of the other misconceptions
>> you've indicated regarding tor. To learn about the process in greater detail,
>> continue reading at
>>
>> http://tor.eff.org/svn/trunk/doc/spec/path-spec.txt
>>
>> To understand how tor clients (and servers) know what choices of servers
>> are available, you need to read the directory protocol document(s) appropriate
>> to the version of tor you run. For 0.1.2.1[67], read
>>
>> http://tor.eff.org/svn/trunk/doc/spec/dir-spec-v2.txt
>>
>> For 0.2.0.6-alpha, read the above and
>>
>> http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt
>
>Thanks Scott,
>
>I understand now that Tor client downloads network-status documents with
>descriptors of available onion routers and then chooses the routers for
>building circuits from that list. I understand that tor client connects
>directly only to entry nodes, and never makes a direct connection with
>middle or exit nodes (unless they're later used as entry nodes for
>different circuits).
     Well, almost. There is a subtlety there in that "entry node" is not
exactly synonymous with "entry guard". An entry node is simply the first node
of a circuit and can be any tor server currently accepting connections on its
ORPort. If one's torrc contains "UseEntryGuards 1" or that value is allowed to
default to 1, then the tor client will limit the choices for the entry node for
a new circuit to tor servers marked "Guard" in a status document. But it sounds
like you have the idea now.

>
>I understand that I can use a firewall to control the entry nodes used (the
>firewall would prevent connecting to bad IPs, certain countries, etc). But

     Yes, that would work, but might be a real pain to live with because of
all the delays you could encounter when tor tries to contact a server blocked
by your firewall and has to wait for the timeout before trying to reach a
different one. "ExcludeNodes" would be much faster because tor would know in
advance not to bother connecting to those servers. The problem then becomes
one of maintaining the list of excluded nodes.
     There is another option, though. You can specify a list of "EntryNodes"
to use, as well as a list of "ExitNodes" in your torrc. These lists would be
the pools from which servers would be chosen first for those circuit positions.
If you set "StrictEntryNodes 1" and "StrictExitNodes 1", then those will be the
only ones that can be chosen. You could choose a reasonably sized list of
servers that meet your criteria for entry or exit nodes, and then just live
with those, rather than trying to maintain a huge and dynamic list of nodes to
exclude.

>I still do NOT see how Tor connections to entry nodes can be controlled
>with Squid.

     Can't help you there. I know nothing about squid.

>
>It would make sense to use Protowall (with a blocklist from bluetack.co.uk)
>to prevent connections to bad IP ranges. That way entry nodes run by
>various "bad" organizations will not be used.

     I don't know Protowall either.
>
>But I'm still left with a problem of how to avoid nodes from certain
>countries. What especially bothers me is when ALL THREE NODES are chosen
>from the same bad country. I would really like to avoid that.

     You don't really have to worry about the middle nodes.

>
>I hope a solution for Windows will come soon.

     Give the "EntryNodes"/"StrictEntryNodes" and "ExitNodes"/"StrictExitNodes"
methods a try. If you pick, say, 25 - 50 nodes with long uptimes, you should
be okay.

                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
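As an added example, not part of this mail or of tor itself: a small Python script that does by hand what the "EntryNodes"/"StrictEntryNodes" and "ExitNodes"/"StrictExitNodes" advice above implies, picking Running servers flagged "Guard" (for entries) or "Exit" (for exits) out of a network-status document in the dir-spec "r"/"s" line format, dropping those in countries you want to avoid, and printing the torrc lines. The status entries, the prefix-to-country map that stands in for a GeoIP lookup, and the country codes are all constructed.

```python
import ipaddress

# Constructed sample in the dir-spec "r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>" / "s <flags>" form.
SAMPLE_STATUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBB 2007-09-16 01:00:00 10.1.0.5 9001 9030
s Fast Guard Running Stable Valid
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDD 2007-09-16 01:00:00 10.2.0.7 443 0
s Exit Fast Guard Running Stable Valid
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFF 2007-09-16 01:00:00 10.3.0.9 9001 0
s Exit Fast Running Valid
r delta GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHH 2007-09-16 01:00:00 10.1.0.22 9001 9030
s Exit Fast Stable Valid
"""

# Constructed stand-in for a GeoIP database: address prefix -> hypothetical country code.
GEO = {"10.1.0.0/16": "AA", "10.2.0.0/16": "BB", "10.3.0.0/16": "CC"}

def country_of(ip):
    """Return the constructed country code for ip, or '??' when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"

def parse_status(text):
    """Return {nick, ip, flags} dicts; each 's' line attaches to the preceding 'r' line."""
    routers, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0] == "r":
            current = {"nick": parts[1], "ip": parts[6], "flags": set()}
            routers.append(current)
        elif parts and parts[0] == "s" and current is not None:
            current["flags"] = set(parts[1:])
    return routers

def select_nodes(text, avoid_countries, want_flag):
    """Nicknames carrying want_flag ('Guard' or 'Exit') and 'Running', outside avoided countries."""
    return [r["nick"] for r in parse_status(text)
            if {want_flag, "Running"} <= r["flags"]
            and country_of(r["ip"]) not in avoid_countries]

def torrc_lines(text, avoid_countries):
    """Build the strict entry/exit pool options described in the mail."""
    return ["EntryNodes " + ",".join(select_nodes(text, avoid_countries, "Guard")),
            "StrictEntryNodes 1",
            "ExitNodes " + ",".join(select_nodes(text, avoid_countries, "Exit")),
            "StrictExitNodes 1"]
```

Run `print("\n".join(torrc_lines(SAMPLE_STATUS, {"CC"})))` to see the four torrc lines; "delta" is skipped because it lacks the Running flag, "charlie" because it sits in the avoided country.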