From fdb58381afa317ab9639dffa59f4155395b68718 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 14 Sep 2017 10:33:41 -0400 Subject: Bug: Ensure tor exit is disabled properly Simply disabling exit policies is not enough to disable an exit node, it also needs to be explicitly disabled. This may change in future versions of tor, but for now, explicitly adding 'ExitRelay 0' to the configuration is needed. This fixes #8863. --- puppet/modules/site_tor/manifests/disable_exit.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp index 078f80ae..85c24bfc 100644 --- a/puppet/modules/site_tor/manifests/disable_exit.pp +++ b/puppet/modules/site_tor/manifests/disable_exit.pp @@ -1,7 +1,13 @@ +# ensure that the tor relay is not configured as an exit node class site_tor::disable_exit { tor::daemon::exit_policy { 'no_exit_at_all': reject => [ '*:*' ]; } +# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given. + tor::daemon::snippet { + 'disable_exit': + content => 'ExitRelay 0'; + } } -- cgit v1.2.3
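Review bot: The comment above the new `tor::daemon::snippet` resource only mentions a possible future Tor default and does not say why `ExitRelay 0` is needed today, which is what a later maintainer must know before treating either resource as redundant. The commit message already gives that reasoning, so I would carry it into the manifest, e.g. `# A reject-all exit policy alone is not enough to disable exiting; ExitRelay 0 must be set explicitly. Keep both resources.` How `tor::daemon::snippet` renders its content and whether it triggers a daemon reload is not visible in this hunk, so it is worth confirming on a test node that the generated torrc contains `ExitRelay 0` after the Puppet run. The hunk is whitespace-collapsed on this page, so the indentation of the added comment line cannot be judged from here.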