Hi Josef,
I think you must put any reject entries above the accept because the rules read from top to bottom.
Also, I don't know if this makes any difference at all, but I also put the port in my torrc like this:
ExitPolicy reject 195.113.0.0/16:* #comment here
S
On 19 Oct 2015, at 22:03, Josef Stautner hello@veloc1ty.de wrote:
Hello @all,
I have a problem with a reject rule which seems to fail. Due to a message from WebIron against my exit relay I wanted to block a subnet. My exit policy looks like this:
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:80 # HTTP
ExitPolicy accept *:8080 # HTTP 2
ExitPolicy accept *:443 # HTTPS
ExitPolicy reject 5.133.182.0/24 # WebIron report
ExitPolicy reject *:*
After I added the reject rule I reloaded tor and thought the case is done. But WebIron keeps sending me messages because of "ongoing attacks" against a host in that subnet. Of course I trusted the reject rule and ignored them. After the 6th mail I got suspicious and added an iptables ACCEPT rule in my OUTPUT chain to have a look if there is really a traffic flow. I just received another mail and checked the packet counter:
Chain OUTPUT (policy ACCEPT 116M packets, 159G bytes)
num pkts bytes target prot opt in out source destination
2 142 8304 ACCEPT all -- * * 31.220.45.6/32 5.133.182.0/24 /* WebIron Block check */
There is traffic flowing from my relay IP 31.220.45.6 to the subnet. Can somebody please hint me what I'm doing wrong? Link to the relay in case you need more information: https://atlas.torproject.org/#details/29E3D95332812F81F67FF31B3B1B842683D1C3...
Thanks in advance,
~Josef
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 20 Oct 2015, at 08:21, spiros_spiros@freemail.gr wrote:
Hi Josef, ...
Also, I don't know if this makes any difference at all, but I also put the port in my torrc like this:
ExitPolicy reject 195.113.0.0/16:* #comment here
An IP address/mask with no port specifier is treated as "all ports" anyway, so your suggestion is equivalent to the original line.
Tim
Hi @all,
so I reviewed my whole ExitPolicy statements and now I understand the problem: the first matching rule wins. And because traffic to port 80 was accepted for every source, the reject rule for the subnet was ignored. Thanks for the hint!
~Josef
On 19.10.2015 at 23:43, teor wrote:
On 20 Oct 2015, at 08:21, spiros_spiros@freemail.gr wrote:
Hi Josef, ...
Also, I don't know if this makes any difference at all, but I also put the port in my torrc like this:
ExitPolicy reject 195.113.0.0/16:* #comment here
An IP address/mask with no port specifier is treated as "all ports" anyway, so your suggestion is equivalent to the original line.
Tim
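To make the two points of this thread concrete (first matching ExitPolicy rule wins, and an address pattern without a port specifier means all ports), here is an added example that is not part of the thread and not Tor's own code. It is a deliberately simplified, IPv4-only model of Tor's exit policy evaluation: it does not implement the `private` keyword, `accept6`/`reject6`, or the built-in default policy that Tor appends after the operator's rules (a non-matching address is simply treated as rejected here, which is an assumption). The two policies embedded below are constructed from the torrc excerpt in Josef's mail; `overridden_rejects` is a hypothetical lint that reports address-specific reject rules that an earlier, broader accept rule pre-empts for some ports, which is exactly the misconfiguration in the original order.

```python
import ipaddress

# Constructed from the torrc excerpt in the thread (original order).
ORIGINAL_POLICY = """
ExitPolicy accept *:53            # DNS
ExitPolicy accept *:80            # HTTP
ExitPolicy accept *:8080          # HTTP 2
ExitPolicy accept *:443           # HTTPS
ExitPolicy reject 5.133.182.0/24  # WebIron report
ExitPolicy reject *:*
"""

# The same rules with the subnet reject moved above the accepts.
FIXED_POLICY = """
ExitPolicy reject 5.133.182.0/24  # WebIron report
ExitPolicy accept *:53            # DNS
ExitPolicy accept *:80            # HTTP
ExitPolicy accept *:8080          # HTTP 2
ExitPolicy accept *:443           # HTTPS
ExitPolicy reject *:*
"""


def _parse_pattern(pattern):
    """Turn 'addr[:ports]' into (network or None for '*', (lo, hi)).
    No port specifier is treated as all ports, as teor points out."""
    if ':' in pattern:
        addr, ports = pattern.rsplit(':', 1)
    else:
        addr, ports = pattern, '*'
    if addr == 'private':
        raise ValueError("the 'private' keyword is not modelled here")
    net = None if addr == '*' else ipaddress.ip_network(addr, strict=False)
    if ports == '*':
        lo, hi = 1, 65535
    elif '-' in ports:
        lo, hi = (int(p) for p in ports.split('-', 1))
    else:
        lo = hi = int(ports)
    return net, (lo, hi)


def parse_policy(text):
    """Parse torrc ExitPolicy lines (comments stripped, comma-separated
    entries allowed) into an ordered list of (action, net, (lo, hi))."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'ExitPolicy':
            parts = parts[1:]
        for entry in ' '.join(parts).split(','):
            action, _, pattern = entry.strip().partition(' ')
            if action not in ('accept', 'reject'):
                raise ValueError('unsupported action: %r' % action)
            net, port_range = _parse_pattern(pattern.strip())
            rules.append((action, net, port_range))
    return rules


def evaluate(rules, ip, port):
    """First matching rule wins, as in Tor. No match -> 'reject' here
    (assumption; real Tor appends its default exit policy instead)."""
    target = ipaddress.ip_address(ip)
    for action, net, (lo, hi) in rules:
        if net is not None and target not in net:
            continue
        if not lo <= port <= hi:
            continue
        return action
    return 'reject'


def overridden_rejects(rules):
    """Hypothetical lint: for each address-specific reject rule, report every
    earlier accept rule whose address pattern covers it and whose port range
    overlaps. Returns (reject_index, accept_index, (lo, hi)) tuples."""
    findings = []
    for i, (action, net, (lo, hi)) in enumerate(rules):
        if action != 'reject' or net is None:
            continue
        for j in range(i):
            jaction, jnet, (jlo, jhi) = rules[j]
            if jaction != 'accept':
                continue
            covers = jnet is None or net.subnet_of(jnet)
            olo, ohi = max(lo, jlo), min(hi, jhi)
            if covers and olo <= ohi:
                findings.append((i, j, (olo, ohi)))
    return findings


if __name__ == '__main__':
    for name, text in (('original', ORIGINAL_POLICY), ('fixed', FIXED_POLICY)):
        rules = parse_policy(text)
        print(name, '5.133.182.10:80 ->', evaluate(rules, '5.133.182.10', 80))
        for i, j, ports in overridden_rejects(rules):
            print('  rule %d is pre-empted by rule %d for ports %s' % (i, j, ports))
```

Running it shows the original order accepting 5.133.182.10:80 (the accept *:80 rule is matched first) while the fixed order rejects it, and the lint lists the four accept rules that pre-empt the subnet reject in the original policy. The catch-all `reject *:*` is intentionally not linted, since being partly overridden by earlier accepts is its purpose.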