Hi

Thanks for the reply. What would be a reasonable per-ip rate limit (connections per second) for a Tor middle relay?

On _Freebsd_ the following pf settings apply for running tor in a Jail: table <blockOR1> persist MAXSRCCONN = "50" MAXSRCCONNRATE = "5/5" nat on $IFEXT inet from $IPTOR1 to any -> $IP1 rdr on $IFEXT inet proto tcp from !<blockOR1> to $IP1 port XXX -> $IPTOR1 port YYY pass in on $IFEXT inet proto tcp from any to $IPTOR1 port YYY flags S/SA modulate state (max-src-conn $MAXSRCCONN,max-src-conn-rate $MAXSRCCONNRATE,overload <blockOR1> flush) Running Tor on host could be something like: table <blockOR1> persist MAXSRCCONN = "50" MAXSRCCONNRATE = "5/5" pass in on $IFEXT inet proto tcp from !<blockOR1> to $IPTOR1 port YYY flags S/SA modulate state (max-src-conn $MAXSRCCONN,max-src-conn-rate $MAXSRCCONNRATE,overload <blockOR1> flush) The MAX* values are very tight because of the latest DOS experiences. Feel freee to adjust them to your needs.