On Tuesday, 27 August 2024 00:44:02 CEST Roger Dingledine wrote:
BridgeRelay 1
ORPort <port>
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:<port>
ExtORPort auto
ExitPolicy reject *:*
Looks good. You don't need the ExitPolicy line (you're just setting it to the default), but it doesn't hurt to have it there.
Yes, ExitPolicy reject *:* is default on non-exit relays, but Socks port 9050 is open by default; I close it when not needed.
SocksPort 0
SocksPolicy reject *
The same applies to ControlPort:
ControlPort 0
Once your bridge has been running stably for a few weeks, an advanced but experimental feature is to hide the ORPort.
ORPort 127.0.0.1:<port>
ORPort [::1]:<port>
AssumeReachable 1
I have set two limits on the connections:
BandwidthRate 300 MBytes # I want to determine how much bandwidth I can allocate without impacting my network usage.
IPv4Only
That's a huge BandwidthRate, so I expect your bridge will never get anywhere close to reaching it. This is fine too. Also be sure to learn about 'BandwidthBurst' in case its behavior is surprising to you.
If a bridge reaches 20-30 MBytes, that's already a lot. There are only very few (guard|exit) relays on Tor-Metrics that reach 100 MBytes.
Should an anti-DDoS system be configured?
You don't need that with a bridge, nor sysctl foo with a 1G NIC and 1 - 2 relays. Apart from disabling IPv6 autoconf & DAD, I leave the Debian defaults.
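
Added illustration, not part of the original message or of the Tor project's code: a small Python check of a bridge torrc against the points discussed above (SocksPort and ControlPort closed, a loopback-only ORPort paired with AssumeReachable 1 and an obfs4 listener). The sample config, its port numbers, and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample built from the directives in this message; ports are placeholders.
HARDENED = """BridgeRelay 1
ORPort 127.0.0.1:9001
ORPort [::1]:9001
AssumeReachable 1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8443
ExtORPort auto
SocksPort 0
ControlPort 0
"""

def parse_torrc(text):
    """Map lowercased option name -> list of argument strings, comments stripped."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def is_loopback(orport_arg):
    """True for '127.0.0.1:9001' or '[::1]:9001'; a bare port listens on all addresses."""
    first = (orport_arg.split() or [""])[0]  # drop trailing flags such as IPv4Only
    host = first.rsplit(":", 1)[0].strip("[]") if ":" in first else ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_bridge(text):
    """Return findings for the hardening points discussed in the message."""
    o, findings = parse_torrc(text), []
    if o.get("bridgerelay") != ["1"]:
        findings.append("BridgeRelay 1 is not set")
    # Tor's built-in default is SocksPort 9050, so a missing line means an open listener.
    if any(v != "0" for v in o.get("socksport", ["9050"])):
        findings.append("SocksPort is open; set 'SocksPort 0'")
    if any(v != "0" for v in o.get("controlport", [])):
        findings.append("ControlPort is enabled; set 'ControlPort 0' if unused")
    orports = o.get("orport", [])
    if orports and all(is_loopback(p) for p in orports):
        if o.get("assumereachable") != ["1"]:
            findings.append("loopback-only ORPort without AssumeReachable 1")
        if "servertransportlistenaddr" not in o:
            findings.append("loopback-only ORPort and no ServerTransportListenAddr")
    return findings
```

Calling `audit_bridge()` on the contents of a torrc returns an empty list when none of these points is flagged.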