Hello,

On Wednesday, 07.01.2009, 02:35 -0600, Scott Bennett wrote:
> On Tue, 06 Jan 2009 17:30:57 +0100 Dominik Sandjaja <[email protected]>
> wrote:
> >It seems as if UseEntryGuards=0 overwrites StrictEntryNodes and
> >EntryNodes.
> >
> >Is this behavior intentional? As I understood it, UseEntryGuards should
> >have lower priority than EntryNodes + StrictEntryNodes. If all is
> >configured, the guards should be picked from the EntryNodes. Especially,
> >as commodore64 even appears in the cached-descriptors file.
> >
> Huh. Interesting. Your interpretation is completely different from
> mine, so I just reread the tor man page, and I now see that it is indeed
> unclear. My interpretation was that UseEntryGuards would simply enable
> or disable the feature of using entry guards at all. Also, I understood
> that EntryNodes and StrictEntryNodes would only have any effect if the
> entry guards feature were enabled. EntryNodes serves as a recommended
> list of nodes to use as first hop relays, but the man page is unclear as
> to whether EntryNodes has any effect at all when UseEntryGuards is disabled.

that is exactly the problem. As you see, it leaves too much room for
interpretation :-)

> EntryNodes serves as the exclusive list of nodes to use for first hops
> when StrictEntryNodes is enabled, but it's not clear what is supposed to
> happen when it is enabled but no EntryNodes list is provided. Also, the
> man page fails to note whether those relays listed in EntryNodes will only
> be used if the directory authorities list them with the Guard flag or,
> alternatively, EntryNodes provides a list to be used without any connection
> to the Guard flag from the authorities.
> So try turning UseEntryGuards back on while leaving the other two
> statements untouched. My guess is that that should do what you want.

I did this:

> >If UseEntryGuards = 1 (default), I don't get a connection (commodore64
> >is no guard yet):
> >Jan 06 17:26:23.816 [warn] Failed to find node for hop 0 of our path.
> >Discarding this circuit.
> >Jan 06 17:26:23.816 [info] onion_populate_cpath(): Generating cpath hop
> >failed.

Then, the UseEntryGuards is obeyed, as well as the StrictEntryNodes, but
no connection can be made because none of the nodes in EntryNodes is
flagged as guard (yet).

I will try to turn off the guard-check in the tor source and use that
modified version, but nevertheless, the issue on how the options are
handled should be clarified.

> But this brings up another issue. I recently noticed a recurring
> problem of broken connections part of the way through retrieval of image
> files from one web site. The breakages only seemed to occur when a certain
> high data rate relay was in the route selected by tor, so I added that
> relay's name to ExcludeNodes. Unfortunately, that relay was already listed
> as an entry guard in tor's state file, and tor appears not to take action
> on the newly "excluded" node in response to a SIGHUP after the change was
> made to torrc. I am temporarily blocking with outbound packets to the
> apparently offending relay by means of pf, but that's a very ugly kluge I'd
> rather not have to use. But I'm wondering whether removing those lines
> from the state file just before the next time I start tor will allow tor
> to exclude that node from future routes. My relay has been up without
> other obvious troubles for nearly a month, and its version is recent enough
> that I'm not inclined to restart it anytime soon unless some outside force
> intervenes (e.g., failure of network connection, extended power outage, etc.),
> but I really would like to know how to get tor to obey what I tell it in
> ExcludeNodes.

As above, this seems to be an issue with how the options are
treated/interpreted. Again, clarification would be nice.

Thanks for the answer!

Greetings,
Dominik

