On Fri, 11 Jul 2014 11:02:00 +0200 Moritz Bartl moritz@torservers.net wrote:
However, one thing to consider would be to restrict outbound port 22 and port 53 to not get into trouble with your provider due to suspicions of SSH bruteforcing / DNS reflection attacks. This will break a very small portion of circuits built via your relay, but hopefully solve more potential problems than this would cause.
No! Tor is not able to detect this case, which will make client connections silently fail, and make the user experience a sad experience.
Agreed, but my point was that only a small minority of relays use port 22 (checked, 27 of them - more than I expected) or port 53 (just three relays), so it may be a sacrifice that's worth making, in order to avoid losing the ability to run Tor altogether due to being kicked out by your ISP.
Some time ago I proposed that Tor flags some ports as being unacceptable as ORPort[1], but this did not gather much momentum. Meanwhile, especially port 53 relays continue causing real problems[2] with ISPs.
Running a relay on ports like 22 and 53 should be considered downright rude to your fellow relay operators.
[1] https://lists.torproject.org/pipermail/tor-talk/2014-June/033173.html
[2] https://lists.torproject.org/pipermail/tor-relays/2014-May/004562.html
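The "checked, 27 of them" count above comes from looking at which relays advertise an ORPort on 22 or 53. As an added example (not code from the thread or from the Tor project), this script runs that check over network-status `r` lines and also flags DirPorts on those ports; the consensus lines below are constructed, not real relay data.

```python
"""Flag Tor relays advertising ORPort/DirPort on ports that tend to trip ISP abuse
heuristics (22 and 53, as discussed in the thread). Parses consensus-style
'r' lines; the sample below is constructed, not real consensus data."""
from collections import Counter

# Ports the thread argues are problematic for an ORPort
PROBLEM_PORTS = {22: "ssh", 53: "dns"}

# Constructed sample 'r' lines in network-status (ns) consensus format:
# r <nick> <identity-b64> <digest-b64> <date> <time> <ip> <orport> <dirport>
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-07-11 08:00:00 192.0.2.10 9001 9030
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-07-11 08:00:00 192.0.2.11 22 0
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-07-11 08:00:00 192.0.2.12 53 80
r delta GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2014-07-11 08:00:00 192.0.2.13 443 53
s Fast Running Valid
"""

def parse_r_lines(text):
    """Yield (nickname, ip, orport, dirport) for each 'r' line; skip other/malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] != "r":
            continue
        try:
            yield parts[1], parts[6], int(parts[7]), int(parts[8])
        except ValueError:
            continue

def flag_problem_ports(text, problem_ports=PROBLEM_PORTS):
    """Return (flagged, counts): relays using a problem port, and per-port ORPort totals."""
    flagged = []
    counts = Counter()
    for nick, ip, orport, dirport in parse_r_lines(text):
        if orport in problem_ports:
            counts[orport] += 1
            flagged.append((nick, ip, "ORPort", orport, problem_ports[orport]))
        if dirport in problem_ports:
            flagged.append((nick, ip, "DirPort", dirport, problem_ports[dirport]))
    return flagged, counts

if __name__ == "__main__":
    flagged, counts = flag_problem_ports(SAMPLE_CONSENSUS)
    for nick, ip, kind, port, svc in flagged:
        print(f"{nick:8} {ip:15} {kind} {port} looks like {svc} to an ISP")
    print("ORPort totals on problem ports:", dict(counts))
```

Point it at a real cached-consensus file from a relay's data directory to reproduce the count for the current network.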