tornull.org - A Safer Tor Reduced Exit Policy
tornulst2rbxvbpd.onion - This website is NOT affiliated with The Tor Project, Inc.
Tor Reduced-Reduced Exit Policy
Herewith, an example of our Tor exit nodes' reduced exit policy. The exit policy has been amended following our own research and experience of responding to 'abuse' complaints. The premise is simple: for the majority of Tor users, the usefulness of any allowed port should outweigh its potential for misuse.
If a single port is unavailable for a requested service, Tor users (or the Tor software itself) can freely select a new exit node that allows the requested port or service. It is good for users' privacy and anonymity for the Tor network to have a wide and diverse selection of available exit nodes.
References (clearnet links!) :
- https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
- https://blog.torproject.org/running-exit-node
- http://map.norsecorp.com (source referenced)
- https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers (source referenced)
---- Example Reduced-Reduced Exit Policy - LIST START ----
ExitRelay 1
## Insert the TorNull Advisory BL here (optional) and check for updates at least once per month.
ExitPolicy accept *:20-21 # FTP
#ExitPolicy accept *:22 # SSH (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:23 # Telnet (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79 # finger
ExitPolicy accept *:80-81 # HTTP, HTTP alt.
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
#ExitPolicy accept *:194 # IRC (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
#ExitPolicy accept *:465 # URD for SSM (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
#ExitPolicy accept *:563 # NNTP over SSL (AVOID - https://www.torproject.org/docs/faq#DefaultExitPorts)
#ExitPolicy accept *:587 # SMTP (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:636 # LDAP
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over TLS/SSL
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # Telnet protocol over TLS/SSL
ExitPolicy accept *:993 # IMAP over SSL (N.B. potential abuse - mail-server / brute-force attacks - tornull.org)
#ExitPolicy accept *:994 # IRCS (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:995 # POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082 # Infowave Mobility Server and CPanel default
ExitPolicy accept *:2083 # Secure Radius Service (radsec) and CPanel default SSL
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
#ExitPolicy accept *:3128 # SQUID (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:3389 # MS WBT (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ and AOL Instant Messenger
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Android Market
#ExitPolicy accept *:5900 # VNC (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:6660-6669 # IRC (REJECT to AVOID Tor DNSBL)
#ExitPolicy accept *:6679 # IRC SSL (REJECT to AVOID Tor DNSBL)
#ExitPolicy accept *:6697 # IRC SSL (REJECT to AVOID Tor DNSBL)
#ExitPolicy accept *:8000 # iRDMI (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
#ExitPolicy accept *:8080 # HTTP Proxies (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP - Control Panel
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE, HUSH coin
ExitPolicy accept *:9418 # git - Git pack transfer service
#ExitPolicy accept *:9999 # distinct (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:10000 # Network Data Management Protocol (N.B. potential abuse - RDP - tornull.org)
ExitPolicy accept *:11371 # OpenPGP hkp
ExitPolicy accept *:19294 # Google Voice
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble - voice over IP
ExitPolicy reject *:*
---- Example Reduced-Reduced Exit Policy - LIST END ----
Note that, to avoid the Tor DNSBL, an exit node's ORPort and/or DirPort must not use the 'default' ports 9001 or 9030. If your computer isn't running a web server, and you haven't set AccountingMax, please consider changing your ORPort to 443 and/or your DirPort to 80.
- "Every IP which is known to run a tor server and allow their clients to connect to one of the following ports get listed: 25, 194, 465, 587, 994, 6657, 6660-6670, 6697, 7000-7005, 7070, 8000-8004, 9000, 9001, 9998, 9999" -
http://mxtoolbox.com/problem/blacklist/sectoor (source referenced)
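An added example (not from tornull.org or The Tor Project): a Python check that reads torrc text and reports which of the DNSBL-listed ports quoted above the ExitPolicy still accepts, and whether ORPort or DirPort uses 9001 or 9030. The function names and the sample torrc are constructed for illustration, and it assumes only wildcard-address (`*:port`) rules, as used in the lists on this page.

```python
import re

# Port list quoted on this page from the Tor DNSBL listing criteria.
DNSBL_SPEC = ("25, 194, 465, 587, 994, 6657, 6660-6670, 6697, 7000-7005, "
              "7070, 8000-8004, 9000, 9001, 9998, 9999")

def expand(spec):
    """Expand '25, 6660-6670' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rules(torrc):
    """Return ordered (action, lo, hi) tuples for wildcard-address ExitPolicy rules."""
    rules = []
    for line in torrc.splitlines():
        # Drop comments first, so '#ExitPolicy ...' lines never become rules.
        m = re.match(r"exitpolicy\s+(.+)", line.split("#", 1)[0].strip(), re.I)
        for item in (m.group(1).split(",") if m else []):
            r = re.fullmatch(r"(accept|reject)\s+\*:(\*|\d+)(?:-(\d+))?", item.strip(), re.I)
            if r:  # assumption: address-specific rules are ignored
                lo = 1 if r.group(2) == "*" else int(r.group(2))
                hi = 65535 if r.group(2) == "*" else int(r.group(3) or lo)
                rules.append((r.group(1).lower(), lo, hi))
    return rules

def verdict(rules, port):
    # First matching rule wins; None means no listed rule matched the port.
    return next((a for a, lo, hi in rules if lo <= port <= hi), None)

def audit(torrc):
    rules = parse_rules(torrc)
    seen = {p: verdict(rules, p) for p in sorted(expand(DNSBL_SPEC))}
    result = {"accepted": [p for p, v in seen.items() if v == "accept"],
              "unmatched": [p for p, v in seen.items() if v is None],
              "default_ports": []}
    for name, arg in re.findall(r"(?mi)^\s*(ORPort|DirPort)\s+(\S+)", torrc):
        if arg.rsplit(":", 1)[-1] in {"9001", "9030"}:  # defaults named on this page
            result["default_ports"].append(f"{name} {arg}")
    return result

# Constructed sample, not a real relay configuration.
SAMPLE = """ORPort 9001
ExitPolicy accept *:443 # HTTPS
#ExitPolicy accept *:6697 # commented out, so not a rule
ExitPolicy accept *:6660-6669, accept *:8000
ExitPolicy reject *:*
"""
```

Both lists on this page end in `ExitPolicy reject *:*`, so they should produce no `unmatched` entries; a port reported there is decided by whatever policy Tor applies after the listed rules.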
An IoT (Internet of Things) Tor Exit Policy ...
tornull.org has conducted independent research into actively used Tor ports and services in the 1-10000 port range. Whilst it appears true that the majority of ports in this range will see varying levels of P2P traffic (not all bad!) beyond the port's official or assigned use case, the following ports have been added to our own Tor exit nodes:
ExitPolicy accept *:81 # HTTP Alt
ExitPolicy accept *:83 # MIT ML Device
ExitPolicy accept *:85 # MIT ML Device
ExitPolicy accept *:86 # BroadCam Video Streaming Server
ExitPolicy accept *:90 # dnsix Security Attribute Token Map / Pointcast
ExitPolicy accept *:1043 # BOINC Client Control
ExitPolicy accept *:1103 # Adobe Server 2
ExitPolicy accept *:1113 # Licklider Transmission Protocol (IANA official) [RFC 5326]
ExitPolicy accept *:1883 # Message Queuing Telemetry (IANA official)
ExitPolicy accept *:4070 # Trivial IP Encryption (TrIPE)
ExitPolicy accept *:5004 # RTP media data [RFC 3551, RFC 4571]
ExitPolicy accept *:5287 # IP Camera viewer apps
ExitPolicy accept *:5675 # V5UA application port (IANA official) [RFC 3807]
ExitPolicy accept *:6880 # Dwyco Video Conferencing
ExitPolicy accept *:8502 # FTN Message Transfer Protocol (IANA official)
ExitPolicy accept *:8601 # Wavestore CCTV protocol
ExitPolicy accept *:8602 # XBConnect, Wavestore Notification protocol
ExitPolicy accept *:8883 # Secure MQTT (MQTT over TLS)
We are confident that the majority of these port additions should see legitimate Tor use over simply generating additional abuse issues and/or complaints.
---- Our Example IoT Exit Policy - LIST START ----
ExitRelay 1
## Insert the TorNull Advisory BL here (optional) and check for updates at least once per month.
ExitPolicy accept *:20-21 # FTP
#ExitPolicy accept *:22 # SSH (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:23 # Telnet (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79 # finger
ExitPolicy accept *:80-81 # HTTP, HTTP alt.
ExitPolicy accept *:83 # MIT ML Device
ExitPolicy accept *:85 # MIT ML Device
ExitPolicy accept *:86 # BroadCam Video Streaming Server
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:90 # dnsix Security Attribute Token Map / Pointcast
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
#ExitPolicy accept *:194 # IRC (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
#ExitPolicy accept *:465 # URD for SSM (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
#ExitPolicy accept *:563 # NNTP over SSL (AVOID - https://www.torproject.org/docs/faq#DefaultExitPorts)
#ExitPolicy accept *:587 # SMTP (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:636 # LDAP
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over TLS/SSL
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # Telnet protocol over TLS/SSL
ExitPolicy accept *:993 # IMAP over SSL (N.B. potential abuse - mail-server / brute-force attacks - tornull.org)
#ExitPolicy accept *:994 # IRCS (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:995 # POP3 over SSL
ExitPolicy accept *:1043 # BOINC Client Control
ExitPolicy accept *:1103 # Adobe Server 2
ExitPolicy accept *:1113 # Licklider Transmission Protocol (IANA official) [RFC 5326]
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:1883 # Message Queuing Telemetry (IANA official)
ExitPolicy accept *:2082 # Infowave Mobility Server and CPanel default
ExitPolicy accept *:2083 # Secure Radius Service (radsec) and CPanel default SSL
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
#ExitPolicy accept *:3128 # SQUID (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:3389 # MS WBT (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:4070 # Trivial IP Encryption (TrIPE)
ExitPolicy accept *:5004 # RTP media data [RFC 3551, RFC 4571]
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ and AOL Instant Messenger
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Android Market
ExitPolicy accept *:5287 # IP Camera viewer apps
ExitPolicy accept *:5675 # V5UA application port (IANA official) [RFC 3807]
#ExitPolicy accept *:5900 # VNC (potential ABUSE - common port scan attacks map.norsecorp.com)
#ExitPolicy accept *:6660-6669 # IRC (REJECT to AVOID Tor DNSBL)
#ExitPolicy accept *:6679 # IRC SSL (REJECT to AVOID Tor DNSBL)
#ExitPolicy accept *:6697 # IRC SSL (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:6880 # Dwyco Video Conferencing
#ExitPolicy accept *:8000 # iRDMI (REJECT to AVOID Tor DNSBL)
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
#ExitPolicy accept *:8080 # HTTP Proxies (potential ABUSE - common port scan attacks map.norsecorp.com)
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP - Control Panel
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
ExitPolicy accept *:8502 # FTN Message Transfer Protocol (IANA official)
ExitPolicy accept *:8601 # Wavestore CCTV protocol
ExitPolicy accept *:8602 # XBConnect, Wavestore Notification protocol
ExitPolicy accept *:8883 # Secure MQTT (MQTT over TLS)
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE, HUSH coin
ExitPolicy accept *:9418 # git - Git pack transfer service
#ExitPolicy accept *:9999 # distinct (REJECT to AVOID Tor DNSBL)
##ExitPolicy accept *:10000 # Network Data Management Protocol (N.B. potential abuse - RDP - tornull.org)
ExitPolicy accept *:11371 # OpenPGP hkp
ExitPolicy accept *:19294 # Google Voice
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble - voice over IP
ExitPolicy reject *:*
---- Our Example IoT Exit Policy - LIST END ----
tornull.org - Example Reduced-Reduced Exit Policy is provided 'as-is'
Some rights reserved - We disclaim all copyright interest
tornull.org - is an Independent Research Project.
We are NOT affiliated with The Tor Project, Inc.
Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License.
"Tor" and the "Onion Logo" are registered trademarks of The Tor Project, Inc.