Seeking recommendations for pf firewall relays
Hello everyone, I am running a few Tor relays on FreeBSD to help diversify the network and use pf as the firewall on my servers to block unwanted traffic. To reduce the impact of possible future DoS attacks, I want to make use of max-src-conn and max-src-conn-rate to limit a single IP address from creating unlimited TCP states, as well as limit how fast new TCP sessions can be created. Due to some other relays running up to eight instances per IP address, I don't want to set the limit too low, so legitimate connections aren't accidentally dropped. So my question to other relay operators using FreeBSD and pf: what values do you use, and are there other settings I can use to fine-tune the pf firewall on my Tor relays? Regards, ZR
On 24/03/2026 11:17, zwiebelrouter via tor-relays wrote:
So my question to other relay operators using FreeBSD and pf: what values do you use, and are there other settings I can use to fine-tune the pf firewall on my Tor relays?
My approach is here: https://github.com/toralf/torutils?tab=readme-ov-file#details -- Toralf
Hi
To reduce the impact of possible future DoS attacks, I want to make use of max-src-conn and max-src-conn-rate to limit a single IP address from creating unlimited TCP states, as well as limit how fast new TCP sessions can be created.
:: pf.conf ::

IFEXT = "igb0"
MAXSRCCONN = "50"        # 50 connections per source IP
MAXSRCCONNRATE = "5/5"   # 5 new syns per 5 secs
IP4 = "a.b.c.d"
IP6 = "aaaa:bbbb:cccc:dddd::eeee"
ORPORT = "9001"

table <blockORPORT> persist

pass in on $IFEXT inet proto tcp from any to $IP4 port $ORPORT \
    flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
    max-src-conn-rate $MAXSRCCONNRATE, overload <blockORPORT>)
pass in on $IFEXT inet6 proto tcp from any to $IP6 port $ORPORT \
    flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
    max-src-conn-rate $MAXSRCCONNRATE, overload <blockORPORT>)

:: cronjob to release blocked IPs ::
(5 minute cronjob, holds blocked IPs for roughly 4000 secs)

pfctl -t blockORPORT -T expire 4000

You can go for 'keep state' instead of 'modulate state'.

Cheers
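Before committing to a max-src-conn value, it is worth measuring how many established ORPort connections the busiest legitimate peer (for example another operator's eight co-located relay instances) currently holds on your relay. The script below is an added example for this thread, not code from Felix's post or from torutils: it parses the state table as printed by `pfctl -ss` and counts, per remote IP, the inbound TCP states to the ORPort that have completed the handshake, which is what max-src-conn counts. The line layout it expects (interface, protocol, "local <- remote", state pair; IPv4 endpoints as addr:port, IPv6 endpoints as addr[port]) and the ORPort 9001 are assumptions, and the sample state lines are constructed for the example.

```python
"""Baseline per-source ORPort connection counts from pfctl -ss output so that
max-src-conn can be set above the busiest legitimate peer."""
import re
import sys
from collections import Counter

# Assumed pfctl -ss line layout: "<if> <proto> <local> <- <remote>   <state:state>"
# (outbound states print "<local> -> <remote>"; NAT states have more fields and are skipped).
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<dir><->|<-|->)\s+"
    r"(?P<right>\S+)\s+(?P<state>\S+)$"
)

# Constructed sample output: one peer holding eight ORPort connections, one peer with
# one established plus one half-open and one closing connection, one IPv6 peer, one
# SSH state and one outbound relay-initiated state (both must not be counted).
SAMPLE_PFCTL_SS = "\n".join(
    [f"igb0 tcp 203.0.113.10:9001 <- 198.51.100.7:{51000 + i}       ESTABLISHED:ESTABLISHED"
     for i in range(8)]
    + [
        "igb0 tcp 203.0.113.10:9001 <- 192.0.2.44:40001       ESTABLISHED:ESTABLISHED",
        "igb0 tcp 203.0.113.10:9001 <- 192.0.2.44:40002       SYN_SENT:CLOSED",
        "igb0 tcp 203.0.113.10:9001 <- 192.0.2.44:40003       FIN_WAIT_2:FIN_WAIT_2",
        "igb0 tcp 2001:db8:1::10[9001] <- 2001:db8:2::5[43210]       ESTABLISHED:ESTABLISHED",
        "igb0 tcp 203.0.113.10:22 <- 192.0.2.44:50000       ESTABLISHED:ESTABLISHED",
        "igb0 tcp 203.0.113.10:35000 -> 198.51.100.99:9001       ESTABLISHED:ESTABLISHED",
        "igb0 udp 203.0.113.10:53 <- 192.0.2.44:5353       MULTIPLE:SINGLE",
    ]
)


def split_endpoint(endpoint):
    """Return (address, port) from 'a.b.c.d:port' (IPv4) or 'v6addr[port]' (IPv6)."""
    if endpoint.endswith("]") and "[" in endpoint:
        addr, port = endpoint[:-1].rsplit("[", 1)
    else:
        addr, port = endpoint.rsplit(":", 1)
    return addr, int(port)


def parse_inbound_tcp_states(text):
    """Yield (remote_ip, local_port, state) for each inbound TCP state line."""
    for raw in text.splitlines():
        m = STATE_RE.match(raw.strip())
        if not m or m.group("proto") != "tcp" or m.group("dir") != "<-":
            continue  # not TCP, outbound, or a layout we do not parse
        _local_ip, local_port = split_endpoint(m.group("left"))
        remote_ip, _remote_port = split_endpoint(m.group("right"))
        yield remote_ip, local_port, m.group("state")


def orport_connections_per_source(text, orport):
    """Count fully established ORPort connections per remote IP, as max-src-conn does
    (pf only counts states that completed the three-way handshake)."""
    counts = Counter()
    for remote_ip, local_port, state in parse_inbound_tcp_states(text):
        if local_port == orport and state == "ESTABLISHED:ESTABLISHED":
            counts[remote_ip] += 1
    return counts


def sources_over_limit(counts, limit):
    """Peers that a given max-src-conn value would already be cutting off."""
    return sorted(ip for ip, n in counts.items() if n > limit)


def suggest_max_src_conn(counts, headroom=2.0, floor=50):
    """Limit with headroom above the busiest observed peer, never below a floor."""
    peak = max(counts.values(), default=0)
    return max(floor, int(peak * headroom))


if __name__ == "__main__":
    # Usage on the relay: pfctl -ss | python3 orport_baseline.py 9001
    orport = int(sys.argv[1]) if len(sys.argv) > 1 else 9001
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_SS
    counts = orport_connections_per_source(text, orport)
    for ip, n in counts.most_common(10):
        print(f"{n:5d}  {ip}")
    print("suggested max-src-conn:", suggest_max_src_conn(counts))
    print("would be cut off at 5:", sources_over_limit(counts, 5))
```

Run it a few times at busy hours and against both address families before choosing a value; a peer in the "would be cut off" list is exactly the multi-instance operator the original question was worried about. Note that this measures max-src-conn only; max-src-conn-rate is a moving average of new connections that a snapshot of the state table cannot show, so keep that value conservative and rely on the overload table plus the `-T expire` cron job to recover from false positives.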
Why has my exit 51AE5656C81CD417479253A6363A123A007A2233, over two years old, had its first seen date set to three days ago? But its consensus weight is 40,000, all flags are in place and it is working as before, so I am not sure what the "less than two weeks old exit" warning is about and why it says it is new. I have not changed anything, nor the fingerprint. Gerry
It's happening to my relay, also!
On Apr 10, 2026 at 4:59 PM, DocGerry via tor-relays <tor-relays@lists.torproject.org> wrote:
Why has my exit 51AE5656C81CD417479253A6363A123A007A2233, over two years old, had its first seen date set to three days ago?
But its consensus weight is 40,000, all flags are in place and it is working as before, so I am not sure what the "less than two weeks old exit" warning is about and why it says it is new. I have not changed anything, nor the fingerprint.
Gerry
_______________________________________________ tor-relays mailing list -- tor-relays@lists.torproject.org To unsubscribe send an email to tor-relays-leave@lists.torproject.org
Gerry, You don't need to worry about your config or fingerprint—your relay is functioning perfectly. Because your Consensus Weight is still strong at 40,000 and all your flags are intact, the actual Tor network (the Directory Authorities) still recognizes your relay's full two-year history. What you're experiencing is a known frontend quirk with Onionoo / Tor Metrics. Occasionally, Onionoo glitches and resets a relay's first_seen timestamp on the metrics dashboard. That "new exit" warning isn't coming from the core Tor network; it's almost certainly an automated alert from a third-party script or Tor Weather that is pulling the glitched date via the Onionoo API. Since the DirAuths know exactly who you are, clients are still routing traffic through your node normally. It's purely a cosmetic issue with the metrics API, so you don't need to change a thing. Hope this helps. JMHBM.
participants (6)
- dawn.belle.flood
- Felix
- gerard@bulger.co.uk
- jmhbm@duck.com
- Toralf Förster
- zwiebelrouter