Yes, I agree 100% with Danny's summary here, so I have to concede, I did not 
find enough evidence that Comcast blocks connections *to* tor relays. I 
apologize. Specifically, I did some tests with ronqtorrelays at risley.net, 
who is a Comcast Business customer, and he had no problem initiating a TCP 
connection to my relay, even to a tor-unrelated port.

About the other direction - from tor relays or exits to Comcast:

> https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security 
> mentions "Blocks remote access to smart devices from known dangerous 
> sources.". What do you mean by dangerous sources, and does it include tor 
> relays or exits?
>
> It may be down to the fact that “unknown” users connect to the relay/exit and 
> that the average consumer user of the Advanced Security service does not want 
> that. I suspect if someone wants this, it’s best to toggle Advanced Security 
> off.

It seems you do not understand the difference between an exit relay and a non-exit 
relay. (Nor do the persons who implemented this blocking of traffic from tor 
relays - this would explain a lot.)

I would first reformulate: unknown and anonymous users may route their traffic 
through tor, including some attacks (DDoS or worse), and this traffic will look 
like it originates from a tor *exit* relay. But this is only true about *exit* 
relays (and then only about some ports, but let's keep it simple). Non-exit 
relays only send tor-related traffic to other tor relays, never to other 
destinations. So when a non-exit relay R connects to a computer X, which does 
not run anything tor-related, you can be sure this connection is not 
tor-related and is really initiated by R. If we had a tor exit relay E, then 
the connection E->X could be initiated by E or by a bad guy B who is abusing tor's 
anonymity. And X cannot tell the difference, so it is reasonable to assume the 
worst and block this. The traffic from B would really follow the path 
B->R1->R2->E->X, where R1 and R2 are non-exit relays. You may argue that this bad 
traffic goes through R1 and R2, but so what? Blocking E->X is sufficient, but 
you are also blocking R1->X and R2->X.

Here is a basic explanation of relay types by the Tor project itself: 
https://community.torproject.org/relay/types-of-relays/ .

Q to community: Is there some better official document explaining the difference 
between an exit and a non-exit relay? It could be more trustworthy than my 
explanation (and better written). Most of what I found is about tor exits, like 
https://community.torproject.org/relay/community-resources/tor-abuse-templates/ .

I can see how a random website does not bother to understand this - see reports 
in this thread about a bank blocking tor relays. But an ISP's core competency 
should be networks, so I would expect an ISP to understand the real dangers and 
apply more nuance than "let's block everything tor-related".
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
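
The exit-versus-non-exit distinction from the post above, as an added example that is not part of the original message or of any Tor project code. It models the "block everything tor-related" policy next to a nuanced one that only treats a connection as possibly anonymized when the source is a relay whose exit policy actually permits the destination port. The relay records and inbound connections are constructed (TEST-NET addresses, not real relays), and the exit policies are reduced to the port-only "accept/reject port-list" summary form; real policies also carry address ranges, which this example deliberately ignores.

```python
"""Decide, per inbound connection to host X, whether its tor-relay source could
have carried anonymized tor traffic (only an exit whose policy allows the
destination port) or was necessarily initiated by the relay host itself.

Relay data and connections below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    nickname: str
    address: str
    # Port-only exit policy summary, e.g. ("accept", "80,443") for an exit that
    # only exits to web ports, or ("reject", "1-65535") for a non-exit relay.
    policy_kind: str
    policy_ports: str


def parse_port_spec(spec: str):
    """'80,443,1024-65535' -> [(80, 80), (443, 443), (1024, 65535)]"""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in parse_port_spec(spec))


def can_exit_to(relay: Relay, port: int) -> bool:
    """True when the relay's exit policy lets traffic leave tor towards `port`."""
    listed = port_matches(relay.policy_ports, port)
    return listed if relay.policy_kind == "accept" else not listed


# Constructed sample relays: R1 and R2 are non-exit, E and E2 are exits.
RELAYS = [
    Relay("R1", "192.0.2.10", "reject", "1-65535"),     # non-exit
    Relay("R2", "192.0.2.20", "reject", "1-65535"),     # non-exit
    Relay("E", "192.0.2.30", "accept", "80,443"),       # exits to web ports only
    Relay("E2", "192.0.2.40", "reject", "25,465,587"),  # exits everywhere but SMTP
]


def relay_by_address(relays, address: str):
    return next((r for r in relays if r.address == address), None)


def classify_source(relays, src_ip: str, dst_port: int) -> str:
    """'not-a-relay', 'relay-no-exit' (initiated by the relay host itself, the
    R->X case) or 'possible-exit-traffic' (the B->R1->R2->E->X case)."""
    relay = relay_by_address(relays, src_ip)
    if relay is None:
        return "not-a-relay"
    if can_exit_to(relay, dst_port):
        return "possible-exit-traffic"
    return "relay-no-exit"


def naive_block(relays, src_ip: str, dst_port: int) -> bool:
    """'Block everything tor-related': any listed relay address is blocked."""
    return relay_by_address(relays, src_ip) is not None


def nuanced_block(relays, src_ip: str, dst_port: int) -> bool:
    """Block only where the packet could really have left tor at this port."""
    return classify_source(relays, src_ip, dst_port) == "possible-exit-traffic"


def compare_policies(relays, connections):
    """Return the (src, port) pairs each policy would block, sorted."""
    naive = sorted(c for c in connections if naive_block(relays, *c))
    nuanced = sorted(c for c in connections if nuanced_block(relays, *c))
    return naive, nuanced


# Constructed inbound connections to host X as (src_ip, dst_port).
CONNECTIONS = [
    ("192.0.2.10", 22),    # R1 -> X: non-exit, R1's own host is connecting
    ("192.0.2.20", 443),   # R2 -> X: non-exit
    ("192.0.2.30", 443),   # E -> X:443, policy allows 443: may be anonymized
    ("192.0.2.30", 22),    # E -> X:22, policy rejects 22: E's own host
    ("192.0.2.40", 25),    # E2 -> X:25, rejects SMTP: E2's own host
    ("192.0.2.40", 22),    # E2 -> X:22, allowed: may be anonymized
    ("203.0.113.5", 443),  # not a relay at all
]

if __name__ == "__main__":
    naive, nuanced = compare_policies(RELAYS, CONNECTIONS)
    print("naive policy blocks:  ", naive)
    print("nuanced policy blocks:", nuanced)
```

Running it shows the naive policy blocking six of the seven sample connections, including the four that by construction cannot carry any tor user's traffic, while the nuanced policy blocks only the two where an exit policy actually permits the destination port.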