Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Manpage updates for proposal 171 (isolated streams)

Nick Mathewson 14 years ago
parent
172f8acbe7
commit
891ccd3cd0
1 changed files with 80 additions and 25 deletions
Split View Show Diff Stats
  1. 80 25
      doc/tor.1.txt

+ 80 - 25
doc/tor.1.txt
View File 

@@ -464,7 +464,7 @@ CLIENT OPTIONS
 
 --------------
 
 
 The following options are useful only for clients (that is, if
 
-**SocksPort** is non-zero):
 
+**SocksPort**, **TransPort**, **DNSPort**, or **NATDPort** is non-zero):
 
 
 **AllowInvalidNodes** **entry**|**exit**|**middle**|**introduction**|**rendezvous**|**...**::
 
     If some Tor servers are obviously not working right, the directory
 
@@ -682,17 +682,50 @@ The following options are useful only for clients (that is, if
 
     the same circuit. Currently, two addresses are "too close" if they lie in
 
     the same /16 range. (Default: 1)
 
 
-**SocksPort** __PORT__|**auto**::
 
-    Advertise this port to listen for connections from Socks-speaking
 
+**SOCKSPort** \['address':]__port__|**auto** [_isolation flags_]::
 
+    Open this port to listen for connections from SOCKS-speaking
 
     applications. Set this to 0 if you don't want to allow application
 
     connections via SOCKS. Set it to "auto" to have Tor pick a port for
 
-    you. (Default: 9050)
 
-
 
-**SocksListenAddress** __IP__[:__PORT__]::
 
+    you. This directive can be specified multiple times to bind
 
+    to multiple addresses/ports. (Default: 9050) +
 
+ +
 
+    The _isolation flags_ arguments give Tor rules for which streams
 
+    received on this SOCKSPort are allowed to share circuits with one
 
+    another.  Recognized isolation flags are:
 
+    **IsolateClientAddr**;;
 
+        Don't share a circuits with streams from a different
 
+        client address.  (On by default and strongly recommended;
 
+        you can disable it with **NoIsolateClientAddr**.)
 
+    **IsolateSOCKSAuth**;;
 
+        Don't share a circuits with streams for which different
 
+        SOCKS authentication was provided. (On by default;
 
+        you can disable it with **NoIsolateSOCKSAuth**.)
 
+        [NOT YET IMPLEMENTED.]
 
+    **IsolateClientProtocol**;;
 
+        Don't share circuits with streams using a different protocol.
 
+        (SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections,
 
+        and DNSPort requests are all considered to be different protocols.)
 
+    **IsolateDestPort**;;
 
+        Don't share a circuits with streams targetting a different
 
+        destination port.
 
+    **IsolateDestAddr**;;
 
+        Don't share a circuits with streams targetting a different
 
+        destination address.
 
+    **SessionGroup=**__INT__;;
 
+        If no other isolation rules would prevent it, allow streams
 
+        on this port to share circuits with streams from every other
 
+        port with the same session group.  (By default, streams received
 
+        on different ports are always isolated from one another.)
 
+
 
+**SOCKSListenAddress** __IP__[:__PORT__]::
 
     Bind to this address to listen for connections from Socks-speaking
 
     applications. (Default: 127.0.0.1) You can also specify a port (e.g.
 
     192.168.0.1:9100). This directive can be specified multiple times to bind
 
-    to multiple addresses/ports.
 
+    to multiple addresses/ports.  (DEPRECATED: As of 0.2.3.x-alpha, you can
 
+    now use multiple SOCKSPort entries, and provide addresses for SOCKSPort
 
+    entries, so SOCKSListenAddress no longer has a purpose.  For backward
 
+    compatibility, SOCKSListenAddress is only allowed when SOCKSPort is just
 
+    a port number.)
 
 
 **SocksPolicy** __policy__,__policy__,__...__::
 
     Set an entrance policy for this server, to limit who can connect to the
 
@@ -795,28 +828,44 @@ The following options are useful only for clients (that is, if
 
     operating as a relay, and it will never use the public key step if it
 
     doesn't yet know the onion key of the first hop. (Default: 1)
 
 
-**TransPort** __PORT__|**auto**::
 
-    If non-zero, enables transparent proxy support on __PORT__ (by convention,
 
-    9040). Requires OS support for transparent proxies, such as BSDs' pf or
 
+**TransPort**  \['address':]__port__|**auto** [_isolation flags_]::
 
+    Open this port to listen for transparent proxy connections.  Set this to
 
+    0 if you don't want to allow transparent proxy connections.  Set the port
 
+    to "auto" to have Tor pick a port for you. This directive can be
 
+    specified multiple times to bind to multiple addresses/ports.  See 
+    SOCKSPort for an explanation of isolation flags. +
 
+ +
 
+    TransPort requires OS support for transparent proxies, such as BSDs' pf or
 
     Linux's IPTables. If you're planning to use Tor as a transparent proxy for
 
     a network, you'll want to examine and change VirtualAddrNetwork from the
 
     default setting. You'll also want to set the TransListenAddress option for
 
-    the network you'd like to proxy.  Set it to "auto" to have Tor pick a
 
-    port for you.  (Default: 0).
 
+    the network you'd like to proxy. (Default: 0).
 
 
 **TransListenAddress** __IP__[:__PORT__]::
 
     Bind to this address to listen for transparent proxy connections. (Default:
 
     127.0.0.1). This is useful for exporting a transparent proxy server to an
 
-    entire network.
 
-
 
-**NATDPort** __PORT__|**auto**::
 
-    Allow old versions of ipfw (as included in old versions of FreeBSD, etc.)
 
-    to send connections through Tor using the NATD protocol. This option is
 
-    only for people who cannot use TransPort.  Set it to "auto" to have Tor
 
-    pick a port for you. (Default: 0)
 
+    entire network. (DEPRECATED: As of 0.2.3.x-alpha, you can
 
+    now use multiple TransPort entries, and provide addresses for TransPort
 
+    entries, so TransListenAddress no longer has a purpose.  For backward
 
+    compatibility, TransListenAddress is only allowed when TransPort is just
 
+    a port number.)
 
+
 
+**NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
 
+    Open this port to listen for connections from old versions of ipfw (as
 
+    included in old versions of FreeBSD, etc) using the NATD protocol.
 
+    Use 0 if you don't want to allow NATD connections.  Set the port
 
+    to "auto" to have Tor pick a port for you. This directive can be
 
+    specified multiple times to bind to multiple addresses/ports.  See
 
+    SOCKSPort for an explanation of isolation flags. +
 
+ +
 
+    This option is only for people who cannot use TransPort. (Default: 0)
 
 
 **NATDListenAddress** __IP__[:__PORT__]::
 
-    Bind to this address to listen for NATD connections. (Default: 127.0.0.1).
 
+    Bind to this address to listen for NATD connections. (DEPRECATED: As of
 
+    0.2.3.x-alpha, you can now use multiple NATDPort entries, and provide
 
+    addresses for NATDPort entries, so NATDListenAddress no longer has a
 
+    purpose.  For backward compatibility, NATDListenAddress is only allowed
 
+    when NATDPort is just a port number.)
 
 
 **AutomapHostsOnResolve** **0**|**1**::
 
     When this option is enabled, and we get a request to resolve an address
 
@@ -829,13 +878,19 @@ The following options are useful only for clients (that is, if
 
     A comma-separated list of suffixes to use with **AutomapHostsOnResolve**.
 
     The "." suffix is equivalent to "all addresses." (Default: .exit,.onion).
 
 
-**DNSPort** __PORT__|**auto**::
 
-    If non-zero, Tor listens for UDP DNS requests on this port and resolves
 
-    them anonymously.  Set it to "auto" to have Tor pick a port for
 
-    you. (Default: 0).
 
+**DNSPort** \['address':]__port__|**auto** [_isolation flags_]::
 
+    If non-zero, open this port to listen for UDP DNS requests, and resolve
 
+    them anonymously.  Set the port to "auto" to have Tor pick a port for
 
+    you. This directive can be specified multiple times to bind to multiple
 
+    addresses/ports. See SOCKSPort for an explanation of isolation
 
+    flags. (Default: 0).
 
 
 **DNSListenAddress** __IP__[:__PORT__]::
 
-    Bind to this address to listen for DNS connections. (Default: 127.0.0.1).
 
+    Bind to this address to listen for DNS connections. (DEPRECATED: As of
 
+    0.2.3.x-alpha, you can now use multiple DNSPort entries, and provide
 
+    addresses for DNSPort entries, so DNSListenAddress no longer has a
 
+    purpose.  For backward compatibility, DNSListenAddress is only allowed
 
+    when DNSPort is just a port number.)
 
 
 **ClientDNSRejectInternalAddresses** **0**|**1**::
 
     If true, Tor does not believe any anonymously retrieved DNS answer that