Hi all,
I'm running a Tor middle/guard relay on OpenBSD. I'm wondering if there are any steps I should take to guard my relay from DoS attacks.
My thanks
On 4/14/23 23:54, null via tor-relays wrote:
Hi all,
I'm running a Tor middle/guard relay on OpenBSD. I'm wondering if there are any steps I should take to guard my relay from DoS attacks.
You should start with pf.conf(5) and look at max-src and source-track settings.
g
Thanks for the reply. What would be a reasonable per-ip rate limit (connections per second) for a Tor middle relay?
Thanks
On April 16, 2023 7:22:03 p.m. UTC, George george@queair.net wrote:
On 4/14/23 23:54, null via tor-relays wrote:
Hi all,
I'm running a Tor middle/guard relay on OpenBSD. I'm wondering if there are any steps I should take to guard my relay from DoS attacks.
You should start with pf.conf(5) and look at max-src and source-track settings.
g
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi
Thanks for the reply. What would be a reasonable per-ip rate limit (connections per second) for a Tor middle relay?
On _FreeBSD_ the following pf settings apply for running tor in a Jail:

    table <blockOR1> persist
    MAXSRCCONN = "50"
    MAXSRCCONNRATE = "5/5"
    # translate the jail's address to the host's public address
    nat on $IFEXT inet from $IPTOR1 to any -> $IP1
    # redirect the public port into the jail, except for sources already in the overload table
    rdr on $IFEXT inet proto tcp from !<blockOR1> to $IP1 port XXX -> $IPTOR1 port YYY
    # per-source connection and rate limits; offenders land in <blockOR1> and their states are flushed
    pass in on $IFEXT inet proto tcp from any to $IPTOR1 port YYY flags S/SA modulate state (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, overload <blockOR1> flush)

Running Tor on host could be something like:

    table <blockOR1> persist
    MAXSRCCONN = "50"
    MAXSRCCONNRATE = "5/5"
    pass in on $IFEXT inet proto tcp from !<blockOR1> to $IPTOR1 port YYY flags S/SA modulate state (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, overload <blockOR1> flush)
The MAX* values are very tight because of the latest DOS experiences. Feel free to adjust them to your needs.
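Since the original question was about OpenBSD rather than FreeBSD, here is the host-only variant above rewritten in OpenBSD pf.conf(5) syntax. This is an added example, not part of the thread: the interface name, relay address, ORPort and the src-nodes limit are assumed placeholder values, while the connection limits reuse the 50 / 5-per-5-seconds figures quoted in the reply.

```pf
# OpenBSD pf.conf fragment for a Tor relay running directly on the host.
# Added example; ext_if, tor_ip, or_port and the src-nodes limit are assumptions.
ext_if = "em0"            # assumed external interface
tor_ip = "203.0.113.10"   # assumed relay address (documentation range)
or_port = "9001"          # assumed ORPort
max_src_conn = "50"       # same limit as the FreeBSD example in the thread
max_src_conn_rate = "5/5" # 5 new connections per 5 seconds per source

# Sources that exceed the limits are added here; persist keeps the table
# across rule reloads so entries survive a pfctl -f.
table <blockOR1> persist

# max-src-conn* rely on per-source tracking entries; give them enough room.
set limit src-nodes 20000

# Sources already in the overload table never reach the ORPort.
block in quick on $ext_if inet proto tcp from <blockOR1> to $tor_ip port $or_port

# Accept ORPort connections with per-source limits. On overload the source is
# added to <blockOR1> and "flush global" tears down all of its existing states.
pass in on $ext_if inet proto tcp to $tor_ip port $or_port flags S/SA keep state (max-src-conn $max_src_conn, max-src-conn-rate $max_src_conn_rate, overload <blockOR1> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because `persist` means the table is never emptied automatically, watch what it accumulates with `pfctl -t blockOR1 -T show` and prune old entries with `pfctl -t blockOR1 -T expire 3600` (drops addresses idle for more than an hour), for example from a cron job; otherwise a source that tripped the limit once stays blocked indefinitely.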