[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Oubound Ports



Hi Greg,

Thanks for running a relay! You do not need to firewall outbound traffic.

On 07/11/2014 05:30 AM, Roman Mamedov wrote:
> You do need to have all ports open outbound.
> The reason is, your relay needs to be able to connect to all other relays, and
> people run their relays on all sorts of weird ports.

Correct. Your relay in any case needs to be able to connect to all
relays. You could extract the list of IP:Port pairs from your running
Tor relay and then update your local firewall accordingly, but I would
just allow Tor to connect to all outbound addresses.

In the case of an exit relay, it obviously needs to be able to reach
everything out there, on any TCP port.

> However one thing to consider would be to restrict outbound port 22 and port 53
> outbound to not get into trouble with your provider due to suspicions of SSH
> bruteforcing / DNS reflection attacks. This will break a very small portion of
> circuits built via your relay, but hopefully solve more potential problems
> than this would cause.

No! Tor is not able to detect this case, which will make client
connection silently fail, and make the user experience a sad experience.

You can restrict any other traffic leaving your machine, but the Tor
process needs to be able to fully mesh with all other relays, and, in
the case of exits, be able to reach all the rest of the internet.

-- 
Moritz Bartl
https://www.torservers.net/
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays