Already posted here, but there was some development. And "tech" is a more suitable sub.
So, they probably block ALL traffic to at least some public Tor relays, even Tor-unrelated traffic and even to non-exit relays. This is a feature of the firewall in the router/AP they supply; they call it "Advanced security". It is on by default, but can be turned off. And "There are definitely popups all over the place telling me to turn it on," says a 2nd Comcast customer (CCB) who contacted me. What does blocking Tor relays have to do with security? I would understand blocking Tor exit nodes, but relays? They effectively say that Tor relays are a security threat.
How I tested: I have a lightning channel with a Comcast customer (will call him CCA), my lightning node is connected to his, my Tor relay not running. I start the Tor relay, and can still connect during the following 9 hours. But then, all my connection attempts fail with a timeout. I checked using my mobile connection (so from another IP, not blacklisted because of this scary Tor), and I can connect, so CCA is online. All tests were done by socat -dd - TCP4:<node_ip_addr>:<node_port>. I did this test at least twice (the first time by error :), I forgot to include BridgeRelay 1 in torrc after getting a new external IP addr, so I was still running a public relay) with a similar result: CCA disconnected after a few hours.
I also wrote more on the tor-relays mailing list; this is my initial post. It seems the EFF is getting involved, but the EFF's post is still awaiting moderation, I think. People expressed some doubts, especially this one, who says he runs relays on the Comcast network. Maybe Comcast only blocks non-Comcast relays?
So by running a Tor relay, you risk being "punished" by Comcast. Forget Bitcoin and Lightning: a self-hosted website or any other server, if it runs a Tor relay on the same IPv4, risks being cut off from most Comcast customers. I guess the majority will not opt out of the mentioned protection.
Any Comcast users who would run further tests? Probably better if you don't have a lightning node or another high-uptime use case: I would like to test with this "Advanced security" turned on and off, and it may disrupt your connections.
Tor through VPN, how would they know?
Not sure if you understood. If you mean that Comcast customers should use Tor through a VPN, then yes, it would help them.
But my problem is that I am not a Comcast customer, I want to help Tor by running a relay, and Comcast considers me a threat because of that and blocks my connection with Comcast customers. Comcast discourages or punishes Tor relays, even (or only?) those running on other ISPs.
Turns out that Comcast probably just does not understand Tor, specifically the difference between exit and non-exit relays. See https://lists.torproject.org/pipermail/tor-relays/2023-June/021208.html . And there is not enough evidence that Comcast really blocks connections to Tor relays, just ALL connections from Tor relays.
So raising awareness about that difference could be a way to go. Perhaps we should bug the EFF to do or join such an awareness campaign? Repost / retweet. And help me with a short-enough slogan or hashtag, because #TorNonExitRelayIsNotAThreat seems too long to me. But "relay" can refer to an exit relay, and those could be a threat, so mentioning "non-exit" seems inevitable.
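The exit/non-exit distinction discussed in this thread, as an added example that is not part of any post here: a sketch of how a filter could tell the two kinds of relay apart from a Tor consensus document instead of treating every relay address alike. The sample consensus is constructed and the function names are hypothetical; the field layout assumed is the r/s/p lines of Tor's directory specification.

```python
import ipaddress

# Constructed sample in the layout of a Tor network-status consensus:
#   r <nick> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
#   s <flags...>
#   p <accept|reject> <port list>     (exit policy summary)
# Addresses are from the documentation ranges, identities are dummies.
SAMPLE_CONSENSUS = """\
r relayA AAAA BBBB 2023-06-01 12:00:00 192.0.2.10 9001 0
s Fast Running Stable Valid
p reject 1-65535
r exitB CCCC DDDD 2023-06-01 12:00:00 198.51.100.20 443 80
s Exit Fast Running Valid
p accept 80,443
r guardC EEEE FFFF 2023-06-01 12:00:00 203.0.113.30 9001 0
s Fast Guard Running Stable Valid
p reject 1-65535
r smallD GGGG HHHH 2023-06-01 12:00:00 203.0.113.31 9001 0
s Fast Running Valid
p accept 443
"""

def classify_relays(consensus_text):
    """Return (exit_ips, non_exit_ips) as sets of address strings."""
    relays = []  # one [ip, is_exit] pair per "r" entry
    for line in consensus_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "r":
            try:
                ip = str(ipaddress.ip_address(parts[6]))
            except (IndexError, ValueError):
                ip = None  # malformed entry: keep the slot, drop it later
            relays.append([ip, False])
        elif relays and len(parts) >= 3 and parts[0] == "p":
            # Keyed on the policy summary, not the Exit flag: a relay with
            # a narrow exit policy (smallD) can exit without having the flag.
            relays[-1][1] = parts[1:3] != ["reject", "1-65535"]
    exits = {ip for ip, is_exit in relays if ip and is_exit}
    # An address that hosts both kinds of relay is treated as an exit.
    non_exits = {ip for ip, is_exit in relays if ip and not is_exit} - exits
    return exits, non_exits

def source_verdict(src_ip, exits, non_exits):
    """Label an inbound source address for a filtering or logging decision."""
    ip = str(ipaddress.ip_address(src_ip))
    if ip in exits:
        return "tor-exit"       # may carry Tor users' traffic to you
    if ip in non_exits:
        return "tor-non-exit"   # only relays inside Tor; other traffic from
                                # this host is not Tor users' traffic
    return "not-a-relay"
```

Bridges, such as a relay configured with BridgeRelay 1, are not listed in the public consensus, so they fall under "not-a-relay" here.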