RE: Firewall?



 

Well, right now I'm operating in paranoia mode: one of the servers I maintain
was hacked, and the crew that set up shop included a whole batch of bots. Just
trying to hinder them, if it ever happens again.

-----Original Message-----
From: owner-or-talk@xxxxxxxxxxxxx [mailto:owner-or-talk@xxxxxxxxxxxxx] On
Behalf Of Roger Dingledine
Sent: December 11, 2004 11:27
To: or-talk@xxxxxxxxxxxxx
Subject: Re: Firewall?

On Fri, Dec 10, 2004 at 10:09:50PM -0500, Michael Laccetti wrote:
> Recently had to install a firewall on the server.  Was wondering what 
> ports I should open incoming/outgoing?  I'm looking at the directory 
> of servers, and see that my server has 3 ports listed beside it (9001, 
> 9050, 9030), and a bit below has a bunch of accept/reject statements.  
> Are the first 3 incoming, and

Yes.

> the rest outgoing?

Yes.

Also, you should permit outgoing to 80, 443, and 9001-9033, even if you set
your exit policy to reject them, since your server will want to use those to
connect to directory servers and other ORs.

>  If so, can I modify the outgoing?  I can open a variety of ports, but 
> I don't want to open too many.

You can modify it -- check out the 'ExitPolicy' section of
"src/config/torrc.sample.in".

But I should ask: why do you not want to open "too many"? I can understand
blocking incoming connections, if you have users who don't understand security
and keep running programs in vulnerable configurations. But what are you
protecting against by blocking outgoing connections?

--Roger



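The port lists from this thread, written out as a default-deny ruleset (an added example, not posted by either participant). The script only prints iptables-restore input and does not change the live firewall; the SSH port, the DNS rules and the rate-limited log of refused outbound traffic are assumptions added for illustration.

```shell
#!/bin/sh
# Added example: emits a ruleset for review; nothing is applied to the running firewall.
IN_PORTS="9001 9030 9050"        # the three ports listed beside the server (from the thread)
OUT_PORTS="80,443,9001:9033"     # directory servers and other ORs (from the thread)
SSH_PORT=22                      # assumption: admin access, not mentioned in the thread

tor_fw_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    # Loopback, plus replies on connections that were already permitted.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Incoming: admin SSH (assumption) and the ports named in the thread.
    echo "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    for p in $IN_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outgoing: needed even when the exit policy rejects these ports.
    echo "-A OUTPUT -p tcp -m multiport --dports $OUT_PORTS -m conntrack --ctstate NEW -j ACCEPT"
    # Assumption: the host resolves names through an external DNS server.
    echo "-A OUTPUT -p udp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    # Log refused outbound traffic before the DROP policy applies, so an
    # unexpected process trying to connect out shows up in the kernel log.
    echo '-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "egress-denied: "'
    echo "COMMIT"
}

tor_fw_rules
```

Any port the ExitPolicy accepts must also be added to OUT_PORTS, otherwise exit connections the server has advertised will fail at the firewall.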