
Re: [tor-relays] [SOLVED] published descriptor missing from consensus



On Thu, 08 Jun 2017 09:43:00 -0500
Scott Bennett <bennett@xxxxxxx> wrote:

>      As noted more than once previously, the pf rules *pass* all traffic
> from relay addresses *first*, so that traffic has already gone on to tor
> before the block list is applied.

There are most likely some relays which use a different IP for outgoing
connections than what is listed in the consensus, due to multiple IPs or
provider multihoming. Your scheme does not seem to account for that, so those
connections may fail. In effect you will be leaving the Tor network
permanently semi-broken by running a relay while employing such filtering.

In any case I don't think there is any reasonable threat scenario against which
you must protect by not just allowing all connections from anywhere to
ORPort/DirPort of a Tor relay.

-- 
With respect,
Roman
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays