On Tuesday, 18 June 2024 18:53:07 CEST admin--- via tor-relays wrote:

I have never used a frontend for IP/nftables. I have no idea what the scripts produce and whether they are correct. The beauty of UNIX/Linux is the human-readable config text files that you can comment on as you wish.

> Here are my tor-related UFW rules;
>
> To                         Action      From
> --                         ------      ----
> [ 3] 9001                  ALLOW IN    Anywhere
> [11] 9001 (v6)             ALLOW IN    Anywhere (v6)
>
> I'm really confused how UFW firewalled most, but not all, of my relays'
> traffic. What UFW rules do other relay operators enact?

Maybe you could post your entire FW ruleset. (Use pastebin)

First, no output filters:
:OUTPUT ACCEPT

Here are default IP/nftables rules for Tor relays:
https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables
https://github.com/boldsuck/tor-relay-bootstrap/blob/master/etc/nftables.conf

Here are my current nftables on my Frantech Exits:
https://paste.systemli.org/?052a70208b22aebe#4b8qoJU9MrPgopfhm9HPxARTwXmWVkwBP5XrVFMKqfgD

You don't need to set up dynamic DDoS policies there. Francisco already does that on his Junipers.

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux
It's free software and it gives you freedom!
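As an added example (not Marco's ruleset and not the files in the linked tor-relay-bootstrap repository), a minimal /etc/nftables.conf for a relay that follows the advice above: inbound filtering with the ORPort opened once for both IPv4 and IPv6 via the inet family, and an unfiltered output chain. It assumes ORPort 9001 and SSH on port 22.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for a Tor relay; not the ruleset from the thread or
# from the linked repository. Assumes ORPort 9001 and SSH on 22.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to the relay's own outbound connections must keep flowing;
        # without this rule, every circuit the relay initiates is cut off
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Management access; restrict to the admin address range in practice
        tcp dport 22 ct state new accept

        # Tor ORPort; one rule in the inet family covers IPv4 and IPv6,
        # so no separate "(v6)" entry is needed as with UFW
        tcp dport 9001 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # No output filtering: a relay must reach every other relay's ORPort,
        # and an exit must reach arbitrary destinations
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file with `nft -c -f /etc/nftables.conf` before loading it, so a syntax error does not leave the relay with the previous ruleset flushed.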