Hi everybody
Does a particular Tor server/client open more than one connection at a time to the DirPort?
If you're worried about denial of service issues on the DirPort, maybe the simple answer is to turn off the DirPort? I think the only real impact might have something to do with whether old clients believe that you're a usable guard.
understood - removed those iptables rules
Good discussion. My experience is that protecting the DirPort makes sense to avoid DDoS attempts.
During my Debian times this rule worked fine for me:
/sbin/iptables -A INPUT -p tcp -d $IPEXT --dport 80 -j ACCEPT -m limit --limit 5/s --limit-burst 50
On FreeBSD I go with something like:
table <blockDIR> persist
pass in on $IFEXT inet proto tcp from !<blockDIR> to $IPEXT port 80 flags S/SA keep state (max 150, max-src-states 50, max-src-conn 50, max-src-conn-rate 20/10, overload <blockDIR>)
# release blockDIR entries older than two hours (hourly cron job)
pfctl -t blockDIR -T expire 7200
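The following is an added example and not part of the thread or of pf itself: a small Python model of what the pf rule above does per source address (max-src-conn-rate 20/10 pushes an offender into the overload table, `from !<blockDIR>` then rejects it, and the hourly `pfctl -t blockDIR -T expire 7200` releases entries older than 7200 s). It runs the logic over constructed traffic (one ordinary client making three directory fetches, one source sending 30 SYNs in three seconds) so you can see which side of the limit each lands on. The sliding-window rate calculation, the threshold values and the sample addresses are assumptions; pf itself uses a moving-average approximation.

```python
"""Model of pf's max-src-conn-rate / overload / expire behaviour (added example,
not pf code). Thresholds mirror the rule quoted in the thread; the window logic
is a sliding-window assumption, pf approximates the rate with a moving average."""
from collections import Counter, defaultdict, deque

FLOOD = "198.51.100.7"   # constructed abusive source (TEST-NET-2)
CLIENT = "203.0.113.5"   # constructed ordinary Tor client (TEST-NET-3)


class DirPortLimiter:
    def __init__(self, max_conn=20, window=10.0, expire=7200.0):
        self.max_conn = max_conn          # max-src-conn-rate 20/10 -> 20 SYNs ...
        self.window = window              # ... per 10 seconds
        self.expire = expire              # pfctl -t blockDIR -T expire 7200
        self.recent = defaultdict(deque)  # src -> timestamps of recent SYNs
        self.blocked = {}                 # overload table: src -> time added

    def expire_table(self, now):
        """Cron step: drop table entries older than `expire` seconds."""
        for src, added in list(self.blocked.items()):
            if now - added >= self.expire:
                del self.blocked[src]

    def syn(self, src, now):
        """Return True if a new TCP connection from src at time `now` passes."""
        if src in self.blocked:           # 'from !<blockDIR>' no longer matches
            return False
        q = self.recent[src]
        while q and now - q[0] > self.window:
            q.popleft()                   # forget SYNs outside the window
        q.append(now)
        if len(q) > self.max_conn:
            # overload <blockDIR>: the source enters the table and the
            # triggering connection is dropped. Without 'flush' its existing
            # states survive, as in the quoted rule.
            self.blocked[src] = now
            return False
        return True


def sample_events():
    """Constructed traffic: 30 SYNs from FLOOD at 100 ms spacing, 3 from CLIENT."""
    events = [(round(i * 0.1, 1), FLOOD) for i in range(30)]
    events += [(0.55, CLIENT), (0.95, CLIENT), (1.35, CLIENT)]
    return sorted(events)


def run(events, limiter=None):
    """Feed (time, src) events through the limiter; return passed counts per src."""
    limiter = limiter or DirPortLimiter()
    passed = Counter()
    for t, src in events:
        if limiter.syn(src, t):
            passed[src] += 1
    return passed, limiter


if __name__ == "__main__":
    passed, lim = run(sample_events())
    print("passed:", dict(passed))
    print("blocked table:", lim.blocked)
    lim.expire_table(2.0 + 7200)
    print("after hourly expire run two hours later:", lim.blocked)
```

A client that fetches descriptors a few times in quick succession stays well under 20 connections per 10 seconds, whereas the flooding source gets its first 20 SYNs through and is then held in the table until the cron expiry releases it.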