
Advanced Tor Exit Relay Exit Policy Configuration

Tor exit relay policies determine which destinations your relay will connect to on behalf of Tor users. The default policies (reduced exit or open exit) are starting points, but operators often need more granular control: allowing specific ports for common use cases while preventing known-abusive destinations, blocking specific IP ranges (cloud providers that generate expensive abuse reports), or restricting to specific protocols relevant to your hosting context. This guide covers advanced exit policy configuration beyond the defaults, with examples that balance useful contribution to the Tor network with practical abuse management.


Exit Policy Syntax Reference

Exit policies in torrc use accept/reject rules with IP:port patterns: ExitPolicy accept *:80 (allow HTTP to any destination), ExitPolicy reject 192.168.0.0/16:* (block all ports to RFC1918 addresses), ExitPolicy reject *:25 (block SMTP port 25, which prevents spam). Rules are evaluated in order and the first match wins. End with ExitPolicy reject *:* to block anything not explicitly allowed, or with ExitPolicy accept *:* for the default open exit. Key syntax: * matches any IP or any port, IP/prefix notation for ranges, comma-separated port ranges: accept *:80,443,8080. If a relay has no ExitPolicy lines at all, Tor falls back to its default exit policy.

Recommended Starting Exit Policy

A responsible starting exit policy for operators who want to run an exit relay but manage abuse risk: block ports with highest abuse risk (SMTP/25 for spam, port 6667 for IRC if your ISP is sensitive to IRC-based abuse), block RFC1918 and CGNAT addresses (prevents internal network access if your VPS has internal network routes): reject 10.0.0.0/8:*, reject 172.16.0.0/12:*, reject 192.168.0.0/16:*, reject 100.64.0.0/10:*. Allow common web ports: accept *:80,443. Allow common application ports: accept *:8080,8443,8888. Allow DNS: accept *:53. This creates a 'web-focused exit' that supports normal internet browsing without the highest-risk protocols. More restrictive than default open exit but more useful than a middle relay.

Per-Provider IP Range Blocking

Cloud providers and hosting companies generate expensive abuse reports when Tor exit relays are used to attack their infrastructure (scanning, brute force, credential stuffing). Pre-emptively blocking the IP ranges of specific cloud providers reduces this abuse. AWS IP ranges: download ip-ranges.amazonaws.com/ip-ranges.json and extract the IPv4 ranges; automate this with a script that generates a reject statement for each range. Similar lists exist for Google Cloud, Azure, Cloudflare, DigitalOcean, and Linode/Akamai. The EFF's Tor exit guidelines suggest blocking the ranges of major cloud providers that are common attack targets. Be conservative: only block ranges where you have received abuse reports or where you are reasonably certain the traffic is attacker-generated, not legitimate user traffic. Blocking too broadly reduces the exit relay's utility.
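An added example of the reject-line generator described above (not the article's own script, and not an AWS tool): it reads the ip-ranges.json format, keeps only the chosen services and regions so the block list stays narrow, merges overlapping prefixes, and renders torrc reject lines. The service and region filters are assumptions, and the input is a constructed sample rather than the live download.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (the real file has
# thousands of entries); only the keys this script reads are included.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/24", "region": "ap-northeast-2", "service": "EC2"},
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "52.95.111.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

def select_prefixes(ip_ranges_json, services=("EC2",), regions=None):
    """Pick IPv4 prefixes for the given services (and regions, if set).
    Filtering keeps the block list narrow, as the article advises."""
    data = json.loads(ip_ranges_json)
    nets = []
    for entry in data["prefixes"]:
        if entry["service"] not in services:
            continue
        if regions is not None and entry["region"] not in regions:
            continue
        nets.append(ipaddress.ip_network(entry["ip_prefix"]))
    # Merge overlapping and adjacent prefixes so the torrc stays short.
    return list(ipaddress.collapse_addresses(nets))

def reject_lines(ip_ranges_json, services=("EC2",), regions=None):
    """Render 'ExitPolicy reject PREFIX:*' lines. Put them before any
    accept rules in torrc, because the first matching rule wins."""
    return [f"ExitPolicy reject {net}:*"
            for net in select_prefixes(ip_ranges_json, services, regions)]

if __name__ == "__main__":
    print("\n".join(reject_lines(SAMPLE_IP_RANGES)))
```

Re-run the script whenever the provider publishes a new file; the generated lines replace the previous block, they are not appended to it.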

Port-Based Exit Policy Strategies

Different exit policy strategies serve different operator goals: (1) minimal exit (just ports 80, 443): simplest, least abuse, allows only web browsing. Useful for operators who want to contribute but have strict abuse handling requirements. (2) web+ exit (80, 443, 8080, 53, common app ports): allows typical internet browsing plus common application ports. Covers most legitimate user traffic. (3) common ports exit (most ports above 1024, block 25/465/587 SMTP): allows most application traffic while specifically blocking email relay abuse. (4) open exit (allow all): maximum utility, maximum abuse exposure. Only appropriate for operators with experience handling abuse reports and hosting providers experienced with exit relay abuse. The Tor Project recommends the reduced exit policy (built-in) as a starting point: reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, reject *:6881-6999, accept *:*.
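An added example, not code from the article or from the Tor Project, serving the syntax reference, the recommended starting policy, and the strategies above: a first-match-wins evaluator for ExitPolicy rules that lets an operator check a policy against sample destinations before deploying it. It embeds the web-focused starting policy and the reduced exit policy, written with one accept/reject item per port because Tor's torrc parser uses commas to separate whole policy items.

```python
import ipaddress

# Policies quoted from the article. Tor separates policy items with commas,
# so each port is its own accept/reject item rather than a port list.
WEB_FOCUSED = """
ExitPolicy reject 10.0.0.0/8:*, reject 172.16.0.0/12:*
ExitPolicy reject 192.168.0.0/16:*, reject 100.64.0.0/10:*
ExitPolicy reject *:25, reject *:6667
ExitPolicy accept *:80, accept *:443, accept *:53
ExitPolicy accept *:8080, accept *:8443, accept *:8888
ExitPolicy reject *:*
"""
REDUCED_EXIT = """
ExitPolicy reject *:25, reject *:119, reject *:135-139, reject *:445
ExitPolicy reject *:563, reject *:1214, reject *:4661-4666
ExitPolicy reject *:6346-6429, reject *:6699, reject *:6881-6999
ExitPolicy accept *:*
"""

def parse_policy(text):
    """Parse ExitPolicy lines into (accept?, network or None, (lo, hi)) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow torrc-style comments
        if line.startswith("ExitPolicy"):
            line = line[len("ExitPolicy"):]
        for item in filter(str.strip, line.split(",")):
            action, pattern = item.split()
            host, port = pattern.rsplit(":", 1)
            net = None if host == "*" else ipaddress.ip_network(host, strict=False)
            if port == "*":
                lo, hi = 1, 65535
            elif "-" in port:
                lo, hi = (int(p) for p in port.split("-"))
            else:
                lo = hi = int(port)
            rules.append((action == "accept", net, (lo, hi)))
    return rules

def exit_allowed(policy_text, ip, port):
    """First matching rule wins. None means no rule matched; the policies
    above end with a catch-all, so that cannot happen for them."""
    addr = ipaddress.ip_address(ip)
    for accept, net, (lo, hi) in parse_policy(policy_text):
        if (net is None or addr in net) and lo <= port <= hi:
            return accept
    return None
```

Running a handful of destinations through both policies makes the trade-off concrete: SSH to a public host is refused by the web-focused policy but permitted by the reduced exit policy, while NetBIOS and BitTorrent ports are refused by both.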

Monitoring Abuse Reports and Adjusting Policy

Exit relay operators receive abuse reports forwarded by hosting providers. An organized response process: (1) when receiving an abuse report about a specific port or service (SSH brute force on port 22, SMTP relay abuse on port 25), add that port to your reject policy if not already blocked, (2) maintain a log of received abuse reports and corresponding policy changes, (3) if a specific IP range generates repeated abuse reports, add that range to your reject list, (4) maintain the ARIN/RIPE/APNIC abuse contact on your ContactInfo so reporters contact the Tor abuse network rather than your ISP, (5) respond to ISP abuse reports with a standard Tor exit relay response template explaining what a Tor exit relay is. The EFF provides a standard Tor exit relay abuse response template at eff.org/torchallenge. Using this template reduces ISP escalation significantly.
