Should `onlynet=onion` allow incoming non-tor connections? #13436
kallewoof opened this issue on June 11, 2018
kallewoof commented at 9:58 AM on June 11, 2018: member
It is noted in #13378 (comment) that `onlynet` only affects outgoing connections. I take this to mean a user running `onlynet=onion` will happily accept incoming, non-tor connections on their node. It feels like a user running with the `onlynet=onion` option would not want their node to accept incoming non-tor connections.
- fanquake added the label P2P on Jun 11, 2018
sipa commented at 1:59 PM on June 11, 2018: member
`doc/tor.md` explains this and suggests using `-bind=127.0.0.1` to mitigate this.
In general, it is not possible to control what networks incoming connections are from, because they're not observable. Some best guesses could be implemented, but I fear that adding this into `-onlynet` may also lead to less predictable behaviour.
When you have a manually run Tor instance, configured with a Bitcoin hidden service, you generally run it on localhost. Bitcoin Core can be configured to only accept incoming connections from localhost, but that's independent from the Tor configuration - it does not actually at any point in time know that these connections are Tor ones. In theory, someone can also run their Tor instance elsewhere (on a local network, for example).
kallewoof commented at 7:24 AM on June 12, 2018: member
I didn't realize it wasn't possible to determine what incoming connections are coming from. I thought connections always had a source, and I assumed it was different for Tor connections... The only thing that could be leaked by this is if someone is careless to not do `-bind`, and someone else tries to see if they are running bitcoin. Could be bad for e.g. an exchange node with a fat wallet but they'd presumably be careful.
sipa commented at 7:41 AM on June 12, 2018: member
Right, you can see the source of an incoming connection, but that source may be a proxy. Tor connections always come through tor which acts as proxy, so bitcoind just sees the IP address of the proxy. There may be other reasons why connections seem to come from a known or unknown proxy.
kallewoof commented at 7:45 AM on June 12, 2018: member
Got it. Perhaps it would be useful with a warning when seeing `-onlynet=onion` if it is not also seeing `-bind=localhost`.
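The warning suggested in the comment above can be approximated outside the node by checking the configuration file. The following is an added example, not code from this thread or from Bitcoin Core; the function names and sample configurations are constructed, and it assumes the node listens unless `listen=0` is present, without modelling Bitcoin Core's own defaults or parameter interactions.

```python
import ipaddress

# Constructed sample configurations (not taken from the thread).
EXPOSED = "onlynet=onion\nlisten=1\n"
HARDENED = "onlynet=onion\nlisten=1\nbind=127.0.0.1\n"
MIXED = HARDENED + "bind=192.168.1.10:8333  # LAN listener\n"

def parse_conf(text):
    """Collect repeated key=value settings from bitcoin.conf-style text."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or bare flag
        key, value = line.split("=", 1)
        opts.setdefault(key.strip().lstrip("-"), []).append(value.strip())
    return opts

def is_loopback(bind_value):
    """True if a bind value (port optional) names a loopback address."""
    host = bind_value.split("=", 1)[0].strip()  # drop any '=flag' suffix
    if host.startswith("["):                    # [::1]:8333
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:                  # 127.0.0.1:8333
        host = host.rsplit(":", 1)[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable host: report it rather than trust it

def onlynet_onion_warnings(text):
    """Warn when onlynet=onion is set but the listener is not loopback-only."""
    opts = parse_conf(text)
    if "onion" not in opts.get("onlynet", []):
        return []
    # Assumption: the node listens unless the file says listen=0.
    if opts.get("listen", ["1"])[-1] == "0":
        return []
    binds = opts.get("bind", [])
    if not binds:
        return ["onlynet=onion is set without bind; inbound connections "
                "are not limited to a local Tor proxy"]
    return [f"bind={b} is not a loopback address"
            for b in binds if not is_loopback(b)]

if __name__ == "__main__":
    for name, conf in [("EXPOSED", EXPOSED), ("HARDENED", HARDENED), ("MIXED", MIXED)]:
        print(name, onlynet_onion_warnings(conf))
```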
laanwj commented at 1:39 PM on June 12, 2018: member
I don't think `onlynet` affects binding at all, that's separate.
Maybe it should, but it'd be a change from current behavior.
ghost commented at 6:10 AM on June 14, 2018: none
Nit: I guess you mean `onlynet=onion`
- kallewoof renamed this:
Should `onlynet=tor` allow incoming non-tor connections?
Should `onlynet=onion` allow incoming non-tor connections?
on Jun 15, 2018
kallewoof commented at 2:52 AM on June 15, 2018: member
I don't think this issue will find a resolution here, so I'm closing.
- kallewoof closed this on Jun 15, 2018
- DrahtBot locked this on Sep 8, 2021