[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] hardening a tor relay

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] hardening a tor relay
From: Noilson Caio <caiogore@xxxxxxxxx>
Date: Sat, 24 May 2014 09:21:06 -0300
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 24 May 2014 08:17:44 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=GE1lzLvLZLdnpO0+8soWfLfjOlRWtHJqWmV9dOCHubQ=; b=IcApLrWGKctx5M2RL3Aq2HWXK5dH305KZiX2kmnf3Cuy0bs+lJpDjXS36cWMJdHBhm JJacEIZLwUT6t0XDnDd173438QUIK/rQtyBoX96SM98MCu1/Xw+PgCDL95SMJrOYaGt2 OvVBeD45r//zyWiH51d8Lzlb6LOEQP4MRWV5/rr/YOfKDe63rCZ78ehY3IeN1+06jlMe dMnPDzeHxdAuXL7itHJRhTwMe70uOfhf7foq2PCjQmYH6sn6Eh6Sgrr2qsTXf8Q8IwzB eatpvAvSOsJfqa9lpBbZW8dwRI2DWshjXDq2L51tF4XK5jHwab4/tMxprkDORkylmsUk 5Fdg==
In-reply-to: <20140523223007.GA27732@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <1400718225.40138.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <537E3469.7020100@xxxxxxxxxx> <CACk28AVjj=YFJ-2LoaY13N5YVSjNx9ygsrPRvw_7vLrXfNiJuA@xxxxxxxxxxxxxx> <20140523223007.GA27732@xxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

>If you do lines like the above, your Tor relay will be unable to reach
>other Tor relays that chose port 80 or port 110 for their ORPort or
>their DirPort. (People choose those ports because some users are behind
>firewalls that only allow connections to those ports.)

indeed. By personal choice, I have found it more convenient to exclude this traffic leaving my relay.
I'll make scrips that create rules with these output ports only for Tor relays.

Thanks a lot mr. Roger.

On Fri, May 23, 2014 at 7:30 PM, Roger Dingledine <arma@xxxxxxx> wrote:

On Fri, May 23, 2014 at 06:16:56PM -0300, Noilson Caio wrote:
> Block all output like http and smtp in my netfilter (Gnu Linux);
>
> -A OUTPUT -p tcp -m tcp --dport 80 -j DROP
> -A OUTPUT -p tcp -m tcp --dport 110 -j DROP
> etc ..

Relays need to allow connections to all outgoing ports.

If you do lines like the above, your Tor relay will be unable to reach
other Tor relays that chose port 80 or port 110 for their ORPort or
their DirPort. (People choose those ports because some users are behind
firewalls that only allow connections to those ports.)

https://www.torproject.org/docs/faq#OutboundPorts

--Roger

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Noilson Caio Teixeira de AraÃjo
https://ncaio.wordpress .com
https://br.linkedin.com/in/ncaio

https://twitter.com/noilsoncaio

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] hardening a tor relay
  - From: Contra Band
- Re: [tor-relays] hardening a tor relay
  - From: Paul Staroch
- Re: [tor-relays] hardening a tor relay
  - From: Noilson Caio
- Re: [tor-relays] hardening a tor relay
  - From: Roger Dingledine

Prev by Author: Re: [tor-relays] hardening a tor relay
Next by Author: Re: [tor-relays] hardening a tor relay
Previous by thread: Re: [tor-relays] hardening a tor relay
Next by thread: [tor-relays] Confirm IPv6 Setup as Exit Node
Index(es):
- Author
- Thread