On 12/05/16 02:40, grarpamp wrote:
On Sat, Dec 3, 2016 at 10:14 AM, pa011 pa011@web.de wrote:
[WARN] Your server (x.x.x.x:4443) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable.
https://www.freebsd.org/releases/11.0R/announce.html does not ship with any packet filter enabled. So above message is unrelated.
Yes, and as I mentioned before, if you're trying to troubleshoot, start with the minimal torrc configuration as it will be easier to isolate the issue.
You might also want to try setting the "Address" knob.
What do I have to do - how to best set up a decent strong firewall on a FreeBSD exit?
FreeBSD above doesn't ship with a bunch of junk enabled and attached to the net like most Linux distros do. And relays minimally only have a caching resolver client (exits only, non-listening), sshd server, and tor running. Packet filters are not necessary there. The only reason to run a filter there is if you believe one of those services, or the kernel network stack itself, will be cracked somehow resulting in apps that do not already have uid zero access being run and bound to the net, and you want to impede that a while until uid zero is gained. That's usually rather pointless, so just run an [auditable] disposable unfiltered system and protect your management core. Though one might be useful in logging mode to collect different network utilization stats than netstat -ss or netflow can do.
Yes. And look at the sshd(8) configuration. Blacklistd(8) is now in the FreeBSD 11.x branch, and a great mitigation tool for noisy sshd zombie attacks. The normal sshd setup is also recommended, such as using public/private key pairs that are password-protected.
Like all Tor relays, don't treat it as a multi-purpose system. There's no need for more than security/tor (or security/tor-devel) which has the dependency devel/libevent2.
If the stupid sshd messages bother you, filter them and/or change the port [a reasonable practice anyway].
Yes. Noisy logs tend to mean dailies/weeklies/monthlies go unread. Do make sure you configure a recipient for those.
You need to understand what a firewall is/not and can/not do before just dropping some random one in place. That takes time, lots of time, and unfortunately isn't a function of this mailing list.
True, and that's another reason why blacklistd(8) is also worth taking time to review.
Is there any further helpful documentation around, apart from the FreeBSD Handbook, to get my learning curve up more quickly?
First, read the man pages ipfw(4), pf(4), and all 'see alsos' therein. Then search: freebsd ipfw / pf, 'understanding firewalls', etc.
Ditto, but it seems getting the ORPort to reply is a higher priority and futzing around with host-based firewalling will only clutter that goal.
g
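The thread's advice pulled together in one dry-runnable script: a minimal torrc with the "Address" knob set, a check of tor's notices log for the ORPort self-test outcome, and the blacklistd(8)/pf wiring for sshd. This is an added example, not code posted by anyone in the thread and not shipped by the Tor or FreeBSD projects. Assumed, not stated by the posters: tor installed from security/tor (torrc under /usr/local/etc/tor, DataDirectory /var/db/tor, user _tor, notices log under /var/log/tor), ORPort 4443 as in the quoted WARN, em0 as the external interface, and pf as the filter that blacklistd-helper drives. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example for the thread above; not code from any poster, Tor or FreeBSD.
# Assumptions: security/tor port layout (/usr/local/etc/tor/torrc, /var/db/tor,
# user _tor, /var/log/tor/notices.log), ORPort 4443, ext interface em0, pf.

# 1. Minimal torrc for a FreeBSD exit. "Address" is set explicitly so tor does
#    not have to guess the public IP; start from this when chasing the
#    "has not managed to confirm that its ORPort is reachable" warning and add
#    other options back one at a time.
write_min_torrc() {
    out="$1" addr="$2" port="$3"
    cat > "$out" <<EOF
Nickname MyFreeBSDExit
Address $addr
ORPort $port
ExitRelay 1
ExitPolicy reject *:25
ExitPolicy accept *:*
SocksPort 0
DataDirectory /var/db/tor
User _tor
Log notice file /var/log/tor/notices.log
EOF
}

# 2. Read tor's notices log on stdin and report the latest ORPort self-test
#    outcome: "reachable", "unreachable" or "unknown". Later lines win, so a
#    relay that fixed its config after an earlier WARN reports "reachable".
orport_status() {
    awk '
        /Self-testing indicates your ORPort is reachable from the outside/ { s = "reachable" }
        /has not managed to confirm that its ORPort is reachable/          { s = "unreachable" }
        END { if (s == "") s = "unknown"; print s }
    '
}

# 3. blacklistd(8) for sshd: rc.conf, sshd_config and blacklistd.conf lines,
#    plus the pf anchor that blacklistd-helper fills with block rules.
#    Everything is written under "$root" so it can be dry-run in a scratch dir
#    (use root=/ on the real host, then "service pf start; service blacklistd start").
write_blacklistd_bits() {
    root="$1"
    mkdir -p "$root/etc/ssh"
    printf '%s\n' 'pf_enable="YES"' 'blacklistd_enable="YES"' >> "$root/etc/rc.conf"
    printf '%s\n' 'UseBlacklist yes' >> "$root/etc/ssh/sshd_config"
    # three failed logins from one address block it on the ssh port for 24h
    cat > "$root/etc/blacklistd.conf" <<'EOF'
[local]
# adr/mask:port  type    proto  owner  name  nfail  disable
ssh              stream  *      *      *     3      24h
EOF
    printf '%s\n' 'ext_if = "em0"' 'anchor "blacklistd/*" in on $ext_if' >> "$root/etc/pf.conf"
}

# Constructed sample log (not a real relay's output): an early WARN followed
# by a successful self-test after the config was fixed.
SAMPLE_LOG='Dec 05 02:40:00.000 [notice] Opening log file.
Dec 05 02:41:00.000 [warn] Your server (203.0.113.5:4443) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Dec 05 03:01:00.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.'

# Dry run into a scratch directory so nothing on the host is touched.
scratch=$(mktemp -d)
write_min_torrc "$scratch/torrc" 203.0.113.5 4443
write_blacklistd_bits "$scratch"
echo "wrote $scratch/torrc and $scratch/etc/{rc.conf,pf.conf,blacklistd.conf,ssh/sshd_config}"
printf '%s\n' "$SAMPLE_LOG" | orport_status    # prints: reachable
```

On a live relay, `tail -f /var/log/tor/notices.log | orport_status` is not useful (awk only prints at EOF); run it on the file after tor has been up for about twenty minutes, which is how long the self-test can take. Once blacklistd is active, `pfctl -a blacklistd/22 -t port22 -T show` lists the addresses it has blocked.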