On Thu, 08 Jun 2017 09:43:00 -0500 Scott Bennett <bennett@sdf.org> wrote:
As noted more than once previously, the pf rules *pass* all traffic from relay addresses *first*, so that traffic has already gone on to tor before the block list is applied.
There are most likely some relays which use a different IP for outgoing connections than what is listed in the consensus, due to multiple IPs or provider multihoming. Your scheme does not seem to account for that, so those connections may fail. In effect, you will be leaving the Tor network permanently semi-broken by running a relay while employing such filtering.
In any case, I don't think there is any reasonable threat scenario against which you must protect by not just allowing all connections from anywhere to the ORPort/DirPort of a Tor relay.
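The rule ordering being discussed above, written out as a pf ruleset. This is an added example, not a configuration posted by anyone in the thread; the interface name (em0), the ORPort/DirPort numbers (9001/9030), the table names and the table file paths are assumptions chosen for illustration.

```pf
# Added example: pf rules that pass relay addresses first and only then
# apply a block list. Assumed: ORPort 9001 and DirPort 9030 on em0,
# <tor_relays> loaded from a file of relay addresses taken from the
# consensus, <blocklist> loaded from the operator's own block list.
ext_if   = "em0"
or_ports = "{ 9001, 9030 }"

table <tor_relays> persist file "/etc/pf/tor_relays.txt"
table <blocklist>  persist file "/etc/pf/blocklist.txt"

# 1. Traffic from addresses in the consensus table is passed first.
#    "quick" is what makes "first" meaningful: pf otherwise applies the
#    LAST matching rule, so without it the block rule below would still
#    win for a relay address that also appears in <blocklist>.
pass in quick on $ext_if proto tcp from <tor_relays> to ($ext_if) port $or_ports

# 2. The block list is consulted only for traffic not passed above.
block in quick on $ext_if from <blocklist>

# 3. Anything else reaching the ORPort/DirPort is allowed.
pass in on $ext_if proto tcp to ($ext_if) port $or_ports
```

Note what the table actually contains: only the addresses the consensus advertises. A connection whose source address is not in <tor_relays>, whatever host it really comes from, skips rule 1 and is evaluated against <blocklist> like any other client. Reload the tables with `pfctl -t tor_relays -T replace -f /etc/pf/tor_relays.txt` after regenerating the file, and check the effective ordering with `pfctl -sr`.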