[tor-relays] firewalled relays

Robert Ransom rransom.8774 at gmail.com
Sat Jun 4 10:28:28 UTC 2011


On Sat, 4 Jun 2011 01:31:10 -0700
Mike Perry <mikeperry at fscked.org> wrote:

> Thus spake Jesus Cea (jcea at jcea.es):
> 
> > On 03/06/11 16:13, tagnaq wrote:
> > > If one out of 1000 circuits through your relay are failing because you
> > > filter 443 while relaying 50Mbit/s I would find it acceptable,
> > > but I fear it is far more. Do you have any stats? (I'm not sure how to
> > > gather them.)
> > > Mike's opinion is also very valuable on such topics.
> > 
> > If somebody can tell me where to look...
> 
> You likely need to tailor your iptables rules to also log when you
> reject these connections:
> http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html

This is a *very* dangerous thing for *any* relay to do.  Does iptables
have support for ‘counters’?


> P.P.S. Your ISP is really crazy.

I think ‘evil’ is more appropriate here -- on the other hand,
‘sufficiently advanced cluelessness is indistinguishable from malice’.

>                                  Have you thought about giving them a
> link to a torstatus directory of Tor IPs so they can feed it to their
> stupid IDS to whitelist for purposes of outgoing connections? We can
> probably induce torstatus to produce a csv of this IP set if it would
> help.

If, as Moritz Bartl said, his ISP's current Terms of Service for new
customers explicitly prohibit Tor, they are likely to respond to this
by making up an excuse to turn off his server completely.


Robert Ransom
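
On the question of counters raised in the message above, as an added example that is not part of the original post: iptables keeps a packet and byte counter on every rule, and `iptables-save -c` prints them, so rejected connections can be totalled without writing a log line per connection. The rule set below is a constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read aggregate per-rule counters instead of logging rejects.
# `iptables-save -c` prefixes each rule with its [packets:bytes] counters.

# Constructed sample of `iptables-save -c` output (not from a real relay).
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [5120:734003]
:OUTPUT ACCEPT [88231:9127364]
[41:2460] -A OUTPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
[7:420] -A OUTPUT -p tcp -m tcp --dport 8443 -j REJECT --reject-with tcp-reset
[90211:10233412] -A OUTPUT -p tcp -j ACCEPT
COMMIT
EOF
}

# rejected_packets PORT
# Reads `iptables-save -c` text on stdin and prints the summed packet counter
# of every OUTPUT rule that REJECTs or DROPs traffic to exactly that --dport.
# Chain policy lines (":OUTPUT ACCEPT [...]") are ignored.
rejected_packets() {
  awk -v port="$1" '
    /^\[[0-9]+:[0-9]+\] -A OUTPUT / {
      hit = 0; deny = 0
      for (i = 1; i < NF; i++) {
        if ($i == "--dport" && $(i + 1) == port) hit = 1
        if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) deny = 1
      }
      if (hit && deny) {
        # Strip the brackets from "[packets:bytes]" and keep the packet count.
        split(substr($1, 2, length($1) - 2), c, ":")
        total += c[1]
      }
    }
    END { print total + 0 }'
}

# On a live relay (as root): iptables-save -c | rejected_packets 443
sample_rules | rejected_packets 443
```

The counter records only how many packets matched the rule, not which addresses were involved.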