Hi Greg,
Thanks for running a relay! You do not need to firewall outbound traffic.
On 07/11/2014 05:30 AM, Roman Mamedov wrote:
> You do need to have all ports open outbound. The reason is, your relay needs to be able to connect to all other relays, and people run their relays on all sorts of weird ports.

Correct. Your relay in any case needs to be able to connect to all relays. You could extract the list of IP:Port pairs from your running Tor relay and then update your local firewall accordingly, but I would just allow Tor to connect to all outbound addresses.

> In the case of an exit relay, it obviously needs to be able to reach everything out there, on any TCP port.
>
> However, one thing to consider would be to restrict outbound port 22 and port 53 to not get into trouble with your provider due to suspicions of SSH bruteforcing / DNS reflection attacks. This will break a very small portion of circuits built via your relay, but hopefully solve more potential problems than this would cause.

No! Tor is not able to detect this case, which will make client connections silently fail, and make the user experience a sad experience.

You can restrict any other traffic leaving your machine, but the Tor process needs to be able to fully mesh with all other relays, and, in the case of exits, be able to reach all the rest of the internet.
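As an added illustration of the two points above (not part of this thread or of Tor's own code), here is a small Python script that reads the `r` lines of a Tor consensus document, such as the cached-consensus file in a relay's DataDirectory, and reports how many distinct outbound IP:port pairs a per-relay firewall would have to track, plus which relays become unreachable if outbound 22 and 53 are blocked. The consensus text below is constructed sample data with placeholder identity and digest fields; only the `r` line layout is the real format.

```python
"""Measure what a per-relay outbound firewall would have to track, and what
blocking outbound ports 22/53 would cut off, from a Tor consensus document.

Consensus 'r' line layouts (fields separated by spaces):
  full consensus:      r nick identity digest date time IP ORPort DirPort
  microdesc consensus: r nick identity        date time IP ORPort DirPort
In both, the last three fields are IP, ORPort, DirPort, so we index from the end.
"""
from collections import Counter

# Constructed sample; IDENT/DIGEST are placeholders, addresses are RFC 5737 ranges.
SAMPLE_CONSENSUS = """\
r relayA IDENT_A DIGEST_A 2014-07-11 04:00:00 192.0.2.10 9001 9030
s Fast Running Stable Valid
r relayB IDENT_B DIGEST_B 2014-07-11 04:10:00 198.51.100.7 443 80
r relayC IDENT_C DIGEST_C 2014-07-11 04:12:00 203.0.113.5 22 0
r relayD IDENT_D 2014-07-11 04:15:00 203.0.113.9 53 9030
r relayE IDENT_E DIGEST_E 2014-07-11 04:20:00 192.0.2.77 8443 0
r relayF IDENT_F DIGEST_F 2014-07-11 04:25:00 198.51.100.7 9001 0
"""


def parse_relays(consensus_text):
    """Return a list of (nickname, ip, orport) for every 'r' line."""
    relays = []
    for line in consensus_text.splitlines():
        if not line.startswith("r "):
            continue
        fields = line.split()
        ip, orport = fields[-3], int(fields[-2])
        relays.append((fields[1], ip, orport))
    return relays


def outbound_pairs(relays):
    """Distinct IP:ORPort pairs a relay must reach; this is what a
    per-relay firewall would have to whitelist and keep in sync."""
    return {(ip, port) for _, ip, port in relays}


def orport_counts(relays):
    """How many relays listen on each ORPort (shows the spread of ports)."""
    return Counter(port for _, _, port in relays)


def relays_cut_off(relays, blocked_ports):
    """Relays this host could no longer reach if the given outbound
    ports were blocked; circuits through them would fail silently."""
    return [nick for nick, _, port in relays if port in blocked_ports]


if __name__ == "__main__":
    rs = parse_relays(SAMPLE_CONSENSUS)
    print(len(outbound_pairs(rs)), "IP:port pairs;", dict(orport_counts(rs)))
    print("unreachable with 22/53 blocked:", relays_cut_off(rs, {22, 53}))
```

Point it at a real cached-consensus file to see the actual spread of ORPorts; the set changes with every consensus, which is why the thread recommends allowing the Tor process all outbound access rather than maintaining such a list.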