On Tuesday, 18 June 2024 18:53:07 CEST admin--- via tor-relays wrote:
I have never used a frontend for IP/nftables. I have no idea what the scripts produce and whether they are correct. The beauty of UNIX/Linux is the human-readable config text files that you can comment as you wish.
Here are my tor-related UFW rules:

     To                         Action      From
     --                         ------      ----
[ 3] 9001                       ALLOW IN    Anywhere
[11] 9001 (v6)                  ALLOW IN    Anywhere (v6)
I'm really confused how UFW firewalled most, but not all, of my relay's traffic. What UFW rules do other relay operators enact?
Maybe you could post your entire FW ruleset. (Use pastebin)
First, no output filters:

:OUTPUT ACCEPT
Here are default IP/nftables rules for Tor relays: https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables https://github.com/boldsuck/tor-relay-bootstrap/blob/master/etc/nftables.con...
Here are my current nftables on my Frantech Exits: https://paste.systemli.org/?052a70208b22aebe#4b8qoJU9MrPgopfhm9HPxARTwXmWVkw...
You don't need to set up dynamic DDoS policies there. Francisco already does that on his Junipers.
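For readers who want a concrete starting point, here is a minimal nftables ruleset for a relay that follows the two points made in this thread: only the ORPort (9001 in the UFW rules above, for both v4 and v6) is opened inbound, and the output chain does no filtering at all. This is an added example written for this page; it is not the ruleset from the tor-relay-bootstrap repository or the Frantech paste linked above. It assumes SSH on port 22 and no DirPort; adjust those for your relay.

```nftables
#!/usr/sbin/nft -f
# Added example for a Tor relay host. Assumptions: ORPort 9001 (from the
# UFW rules in the thread), SSH on 22, no DirPort. Not the linked ruleset.
flush ruleset

table inet filter {
    # "inet" covers IPv4 and IPv6 in one table, so the 9001 rule below
    # replaces both the v4 and the (v6) UFW entries.
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep packets belonging to flows we already accepted; drop junk.
        ct state established,related accept
        ct state invalid drop

        # Loopback is always fine.
        iifname "lo" accept

        # ICMP for v4, ICMPv6 for v6 (ND/RA need it or v6 stops working).
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Management access (assumption: SSH on 22).
        tcp dport 22 accept

        # The one port a relay must expose: the ORPort, v4 and v6.
        tcp dport 9001 accept
    }

    chain forward {
        # A relay is not a router; nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # No output filters, matching ":OUTPUT ACCEPT" above. A relay
        # opens connections to arbitrary ORPorts on other relays (and an
        # exit to arbitrary destinations), so outbound filtering only
        # breaks circuits.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm the result with `nft list ruleset`; if the relay is reachable on 9001 afterwards and `nft list ruleset` shows `policy accept` on the output chain, there is nothing left in the firewall that can drop only part of the relay's traffic.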