[tor-relays] network diversity with freeBSD

grarpamp grarpamp at gmail.com
Mon Dec 5 07:40:19 UTC 2016


On Sat, Dec 3, 2016 at 10:14 AM, pa011 <pa011 at web.de> wrote:
>  [WARN] Your server (x.x.x.x.:4443) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable.

https://www.freebsd.org/releases/11.0R/announce.html
does not ship with any packet filter enabled. So above
message is unrelated.

> What do I have to do - how to best set up a decent strong firewall on a freeBSD Exit?

FreeBSD above doesn't ship with a bunch of junk enabled
and attached to the net like most Linux distros do.
And relays minimally only have a caching resolver client
(exits only, non listening), sshd server, and tor running.
Packet filters are not necessary there. The only reason
to run a filter there is if you believe one of those services, or
the kernel network stack itself, will be cracked somehow
resulting in apps that do not already have uid zero access being
run and bound to the net, and you want to impede that a while
until uid zero is gained. That's usually rather pointless, so just
run an [auditable] disposable unfiltered system and protect your
management core. Though one might be useful in logging mode
to collect different network utilization stats than netstat -ss
or netflow can do.

If the stupid sshd messages bother you, filter them
and/or change the port [a reasonable practice anyways].

You need to understand what a firewall is/not and can/not
do before just dropping some random one in place.
That takes time, lots of time, and unfortunately isn't a
function of this mailing list.

> Is there any further helpful documentation around apart from the freeBSD handbook to get my learning curve up more quickly?

First, read the man pages ipfw(4), pf(4), and all 'see alsos' therein.
Then search: freebsd ipfw / pf, 'understanding firewalls', etc.
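As an added illustration (not part of the post above), a minimal FreeBSD pf.conf along the lines the post describes: it leaves the ORPort (4443, from the quoted log line) and DirPort reachable so the filter itself cannot cause the "ORPort is reachable" warning, keeps sshd noise out of the logs by limiting port 22 to a management network, and logs everything it blocks to pflog. The interface name, DirPort, and management network are assumptions.

```pf
# /etc/pf.conf  (example; names and addresses below are assumptions)
ext_if   = "vtnet0"            # assumption: relay's public interface
or_port  = "4443"              # ORPort from the quoted log line
dir_port = "9030"              # assumption: DirPort configured in torrc
mgmt_net = "{ 198.51.100.0/24 }"   # assumption: management hosts only
table <bruteforce> persist

set skip on lo0
set block-policy drop

# Default: drop and log inbound; pflog0 then carries the blocked traffic
# for the kind of utilization stats netstat -ss or netflow do not give.
block in log on $ext_if

# Exits need unrestricted outbound (client traffic, resolver, directory).
pass out quick on $ext_if keep state

# Tor must be reachable on ORPort and DirPort or it never publishes
# a descriptor (the WARN in the quoted message).
pass in on $ext_if proto tcp to ($ext_if) port { $or_port, $dir_port } keep state

# sshd: management network only, rate limited, repeat offenders tabled.
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
block in quick on $ext_if from <bruteforce>
```

Check syntax with `pfctl -nf /etc/pf.conf` before loading; enabling needs `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf.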
