On Sat, Dec 3, 2016 at 10:14 AM, pa011 pa011@web.de wrote:
[WARN] Your server (x.x.x.x.:4443) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable.
https://www.freebsd.org/releases/11.0R/announce.html does not ship with any packet filter enabled. So the above message is unrelated.
What do I have to do - how to best set up a decent, strong firewall on a FreeBSD Exit?
FreeBSD above doesn't ship with a bunch of junk enabled and attached to the net like most Linux distros do. And relays minimally only have a caching resolver client (exits only, non-listening), an sshd server, and tor running. Packet filters are not necessary there. The only reason to run a filter there is if you believe one of those services, or the kernel network stack itself, will be cracked somehow, resulting in apps that do not already have uid zero access being run and bound to the net, and you want to impede that for a while until uid zero is gained. That's usually rather pointless, so just run an [auditable] disposable unfiltered system and protect your management core. Though one might be useful in logging mode to collect different network utilization stats than netstat -ss or netflow can do.
If the stupid sshd messages bother you, filter them and/or change the port [a reasonable practice anyways].
You need to understand what a firewall is/not and can/not do before just dropping some random one in place. That takes time, lots of time, and unfortunately isn't a function of this mailing list.
Is there any further helpful documentation around apart from the FreeBSD handbook to get my learning curve up more quickly?
First, read the man pages ipfw(4), pf(4), and all 'see alsos' therein. Then search: freebsd ipfw / pf, 'understanding firewalls', etc.
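As an added example for readers who do want the "filter the sshd noise" option from the reply above, here is a minimal pf ruleset for a FreeBSD Tor exit. It is not part of this thread and not the responder's recommendation. Assumptions that are not from the original post: the external interface is vtnet0, torrc uses ORPort 4443 and DirPort 9030, and sshd has been moved to port 2222.

```pf
# Added example, not from the thread: minimal /etc/pf.conf for a FreeBSD Tor exit.
# Assumed (not from the original post): external interface vtnet0,
# ORPort 4443, DirPort 9030, sshd on 2222.
ext_if   = "vtnet0"
orport   = "4443"
dirport  = "9030"
ssh_port = "2222"

# Sources that hammer sshd land here and stay blocked until expired.
table <sshbrute> persist

set skip on lo0
set block-policy drop

# Drop packets with spoofed sources arriving on the external interface.
antispoof quick for $ext_if

# Default deny inbound (logged); everything outbound is allowed, because an
# exit (and its caching resolver) must reach arbitrary ports on the Internet.
block in log on $ext_if
pass out quick on $ext_if keep state

# Anything already in the brute-force table is dropped first.
block in quick on $ext_if from <sshbrute>

# sshd: more than 5 new connections in 30 seconds from one source adds it to
# <sshbrute> and kills that source's existing states.
pass in on $ext_if proto tcp to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <sshbrute> flush global)

# ORPort and DirPort must be reachable from anywhere, or the relay never
# publishes its descriptor.
pass in on $ext_if proto tcp to ($ext_if) port { $orport, $dirport } \
    flags S/SA keep state

# Keep ICMP echo working so basic reachability tests still succeed.
pass in on $ext_if inet proto icmp icmp-type echoreq
```

Enable it with pf_enable="YES" and pf_rules="/etc/pf.conf" in /etc/rc.conf, and run pfctl -nf /etc/pf.conf to syntax-check before loading so a typo does not lock you out over ssh. Entries in the table accumulate unless expired, e.g. pfctl -t sshbrute -T expire 86400 from cron; pfctl -t sshbrute -T show lists them. For the logging-only use the reply mentions, change the block rules to pass and add log to each pass rule, then read the traffic with tcpdump -n -e -ttt -i pflog0.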