Hello everyone, I am running a few Tor relays on FreeBSD to help diversify the network and use pf as the firewall on my servers to block unwanted traffic. To reduce the impact of possible future DoS attacks, I want to make use of max-src-conn and max-src-conn-rate to limit a single IP address from creating unlimited TCP states, as well as limit how fast new TCP sessions can be created. Due to some other relays running up to eight instances per IP address, I don't want to set the limit too low, so legitimate connections aren't accidentally dropped.

So my question to other relay operators using FreeBSD and pf: what values do you use, and are there other settings I can use to fine-tune the pf firewall on my Tor relays?

Regards, ZR
On 24/03/2026 11:17, zwiebelrouter via tor-relays wrote:
> So my question to other relay operators using FreeBSD and pf: what values do you use, and are there other settings I can use to fine-tune the pf firewall on my Tor relays?
My approach is here: https://github.com/toralf/torutils?tab=readme-ov-file#details -- Toralf
Hi
> To reduce the impact of possible future DoS attacks, I want to make use of max-src-conn and max-src-conn-rate to limit a single IP address from creating unlimited TCP states, as well as limit how fast new TCP sessions can be created.
:: pf.conf ::

IFEXT = "igb0"
MAXSRCCONN = "50"        # 50 simultaneous established connections per source IP
MAXSRCCONNRATE = "5/5"   # 5 new connections (completed 3-way handshakes) per 5 secs
IP4 = "a.b.c.d"
IP6 = "aaaa:bbbb:cccc:dddd::eeee"
ORPORT = "9001"

# sources that exceed a limit are added to this table by the overload option;
# the table only drops traffic if a rule references it, e.g.
#   block in quick on $IFEXT from <blockORPORT>
table <blockORPORT> persist

pass in on $IFEXT inet proto tcp from any to $IP4 port $ORPORT \
    flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
    max-src-conn-rate $MAXSRCCONNRATE, overload <blockORPORT>)

pass in on $IFEXT inet6 proto tcp from any to $IP6 port $ORPORT \
    flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
    max-src-conn-rate $MAXSRCCONNRATE, overload <blockORPORT>)

:: cronjob to release blocked IPs ::
(5 minute cronjob, holds blocked IPs for roughly 4000 secs)

pfctl -t blockORPORT -T expire 4000

You can go for `keep state` instead of `modulate state`.

Cheers
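To see how the two options interact with the "eight instances behind one IP" case raised in the thread, here is an added Python model that replays constructed connection events against max-src-conn and max-src-conn-rate. It is not code from this thread, from torutils, or from pf itself: the counter arithmetic follows pf_add_threshold()/pf_check_threshold() in FreeBSD's sys/netpfil/pf/pf.c as I read them (the rate counter decays in proportion to elapsed whole seconds before each new connection is charged), the "blocked" verdict assumes a block rule that references the overload table, and the IP addresses and timings are made up.

```python
"""Model of pf's per-source limits: max-src-conn and max-src-conn-rate N/M.

Added example, not from the tor-relays thread.  Assumption: the decay logic
mirrors pf_add_threshold()/pf_check_threshold() in FreeBSD's pf.c; treat the
exact numbers as an approximation of the kernel's behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PF_THRESHOLD_MULT = 1000  # pf scales the counter so decay can use integer math


@dataclass
class Threshold:
    """Decaying counter behind max-src-conn-rate N/M (limit=N, seconds=M)."""
    limit: int
    seconds: int
    count: int = 0
    last: int = 0

    def add(self, now: int) -> None:
        # pf_add_threshold(): decay proportionally to elapsed time, then charge
        # one new connection.  Connections within the same second do not decay.
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0
        else:
            self.count -= self.count * diff // self.seconds
        self.count += PF_THRESHOLD_MULT
        self.last = now

    def exceeded(self) -> bool:
        # pf_check_threshold(): strictly greater than N connections
        return self.count > self.limit * PF_THRESHOLD_MULT


@dataclass
class SourceNode:
    """Per-source-IP state pf keeps for rules that use these options."""
    conn: int = 0                        # established connections right now
    rate: Optional[Threshold] = None
    overloaded: bool = False             # address was put in the overload table


def parse_rate(spec: str) -> tuple[int, int]:
    """'5/5' -> (5, 5): five new connections per five seconds."""
    n, s = spec.split("/")
    return int(n), int(s)


def simulate(events, max_src_conn=None, max_src_conn_rate=None):
    """Replay (time, src_ip, 'est'|'close') events and report pf's verdicts.

    Returns [(time, ip, action)] with action 'ok', 'kill+overload' (the new
    state is killed and the source goes into the overload table) or 'blocked'
    (source already in the table; a `block ... from <table>` rule drops it).
    """
    nodes: dict[str, SourceNode] = {}
    rate = parse_rate(max_src_conn_rate) if max_src_conn_rate else None
    out = []
    for t, ip, kind in events:
        node = nodes.setdefault(ip, SourceNode(rate=Threshold(*rate) if rate else None))
        if kind == "close":
            node.conn = max(node.conn - 1, 0)
            continue
        if node.overloaded:
            out.append((t, ip, "blocked"))
            continue
        # pf_src_connlimit() runs once the 3-way handshake has completed.
        node.conn += 1
        bad = max_src_conn is not None and node.conn > max_src_conn
        if node.rate is not None:
            node.rate.add(t)
            bad = bad or node.rate.exceeded()
        if bad:
            node.conn -= 1          # the offending state is killed
            node.overloaded = True  # overload <table> adds the source address
            out.append((t, ip, "kill+overload"))
        else:
            out.append((t, ip, "ok"))
    return out


def first_trip(results):
    """1-based index of the first connection that was not allowed, or None."""
    for i, (_, _, action) in enumerate(results, 1):
        if action != "ok":
            return i
    return None


# Constructed scenarios, not captured relay traffic:
# eight relay instances behind one IP completing handshakes in the same second
BURST = [(0, "198.51.100.7", "est")] * 8
# a steady one new connection per second for 30 seconds
STEADY = [(t, "198.51.100.8", "est") for t in range(30)]

if __name__ == "__main__":
    print("burst of 8 under 5/5 trips on connection", first_trip(simulate(BURST, 50, "5/5")))
    print("burst of 8 under 10/5 trips on connection", first_trip(simulate(BURST, 50, "10/5")))
    print("1 conn/s under 5/5 trips on connection", first_trip(simulate(STEADY, 50, "5/5")))
```

Run as-is, the model shows the trade-off behind zwiebelrouter's question: eight instances behind one address that all complete their handshakes within the same second trip "5/5" on the sixth connection and land the address in the overload table, whereas a sustained one connection per second never exceeds the limit, and raising the rate to "10/5" lets the whole burst through. Note that pf only kills the state that crossed the limit; existing states from that source survive unless `flush` (or `flush global`) is added to the overload option, and the table itself drops nothing until a block rule references it.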
participants (3): Felix, Toralf Förster, zwiebelrouter