Outbound block policy

[thepyper]

Hi!

Looking in the code (https://github.com/shadowsocks/shadowsocks-rust/blob/master/crates/shadowsocks-service/src/server/tcprelay.rs line 157) it looks that the way to limit tunnel connections forward address is compiling the [outbound_block_list] section in an ACL.

In my setup, I would like to do the opposite, like a [outbound_allow_list] to only allow few things to be forwarded.
Also, I would like to add port specification to the list.

In the end, in my setup I would only like to allow forwarding to "localhost" on a limited range of ports.

Is there any way to achieve that other than changing the code?

(Otherwise I'm thinking of changing / integrating the logic in https://github.com/shadowsocks/shadowsocks-rust/blob/master/crates/shadowsocks-service/src/acl/mod.rs)

Thanks!!

[zonyitoo]

[outbound_allow_list]: I don't think this is useful for most of the users. For personal usage, the server should always establish the tunnel except some target addresses, for example, 127.0.0.1. It may be harmful for the server itself because it may leak its local services to public.

In the end, in my setup I would only like to allow forwarding to "localhost" on a limited range of ports.

You could achieve that easily with iptables.

[naquad]

A case: shadowsocks is used to expose a service with authentication, shadowsocks is running w/o password but must allow only a single target address. In comparison with a single line in ACL, setting up iptables + traffic tagging / separate interface is not easy, especially when your IPTables rules are ~2k lines.

For now, I've hardcoded the value I need in the code, but that doesn't seem to be an okay solution.

Given that during the previous two years blocking is on the rise, I think such a set up will become more popular, so maybe adding a whitelist to the ACL is worth doing?