[tor-relays] network diversity with freeBSD

George george at queair.net
Mon Dec 5 13:28:28 UTC 2016


On 12/05/16 02:40, grarpamp wrote:
> On Sat, Dec 3, 2016 at 10:14 AM, pa011 <pa011 at web.de> wrote:
>>  [WARN] Your server (x.x.x.x.:4443) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable.
> 
> https://www.freebsd.org/releases/11.0R/announce.html
> does not ship with any packet filter enabled. So above
> message is unrelated.

Yes, and as I mentioned before, if you're trying to troubleshoot, start
with the minimal torrc configuration as it will be easier to isolate the
issue.

You might also want to try setting the "Address" knob.

> 
>> What do I have to do  - how to best set-up a decent strong firewall on a freeBSD Exit?
> 
> FreeBSD above doesn't ship with a bunch of junk enabled
> and attached to the net like most Linux distros do.
> And relays minimally only have a caching resolver client
> (exits only, non listening), sshd server, and tor running.
> Packet filters are not necessary there. The only reason
> to run a filter there is if you believe one of those services, or
> the kernel network stack itself, will be cracked somehow
> resulting in apps that do not already have uid zero access being
> run and bound to the net, and you want to impede that a while
> until uid zero is gained. That's usually rather pointless, so just
> run an [auditible] disposable unfiltered system and protect your
> management core. Though one might be useful in logging mode
> to collect different network utilization stats than netstat -ss
> or netflow can do.

Yes.  And look at sshd(8) configuration. blacklistd(8) is now in the
FreeBSD 11.x branch, and a great mitigation tool for noisy sshd zombie
attacks. The normal sshd setup configuration is also recommended, such as
using public/private keypairs that are password protected.

Like all Tor relays, don't treat it as a multi-purpose system. There's
no need for more than security/tor (or security/tor-devel) which has the
dependency devel/libevent2.

> 
> If the stupid sshd messages bother you, filter them
> and/or change the port [a reasonable practice anyways].

Yes.  Noisy logs tend to mean dailies/weeklies/monthlies go unread.  Do
make sure you configure a recipient for those.

> 
> You need to understand what a firewall is/not and can/not
> do before just dropping some random one in place.
> That takes time, lots of time, and unfortunately isn't a
> function of this mailing list.

True, and that's another reason why blacklistd(8) is also worth taking
time to review.

> 
>> Is there any further helpful documentation around apart from the freeBSD handbook to get my learning curve up more quickly?
> 
> First, read the man pages ipfw(4), pf(4), and all 'see alsos' therein.
> Then search: freebsd ipfw / pf, 'understanding firewalls', etc.

Ditto, but it seems getting the ORPort to reply is a higher priority and
futzing around with host-based firewalling will only clutter that goal.

g


-- 
5F77 765E 40D6 5340 A0F5 3401 4997 FF11 A86F 44E2
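The blacklistd(8) plus sshd(8) setup George points to, as an added example that is not from the thread or from FreeBSD's own configuration files: a script that stages every piece into a scratch directory for review before anything is copied into /etc. It assumes pf(4) as blacklistd's packet-filter backend and a public interface named vtnet0 (a constructed placeholder).

```shell
# Stages the FreeBSD 11.x blacklistd(8) + sshd(8) setup into a scratch
# directory for review; copy the pieces into /etc by hand afterwards.
# Assumptions: pf(4) is the backend (blacklistd installs its blocks through
# pf, ipfw or ipfilter, so one must be enabled) and vtnet0 is the public NIC.
set -eu
stage_blacklistd_configs() {
    stage="$1"
    mkdir -p "$stage/etc/ssh"
    # rc.conf additions: -r re-applies the stored blocks after a reboot.
    cat >"$stage/etc/rc.conf.local" <<'EOF'
pf_enable="YES"
blacklistd_enable="YES"
blacklistd_flags="-r"
EOF
    # pf.conf: the anchor is where blacklistd-helper inserts per-address
    # "block in quick" rules; the relay itself stays unfiltered otherwise,
    # as argued in the thread.
    cat >"$stage/etc/pf.conf" <<'EOF'
ext_if = "vtnet0"
anchor "blacklistd/*" in on $ext_if
pass in on $ext_if
pass out on $ext_if
EOF
    # blacklistd.conf: three sshd failures from one address -> 24h block.
    # Columns: location type proto owner name nfail disable
    cat >"$stage/etc/blacklistd.conf" <<'EOF'
[local]
ssh     stream  *   *   *   3   24h
EOF
    # sshd_config additions: UseBlacklist is FreeBSD's sshd hook that reports
    # auth failures to blacklistd; key-only auth removes the password
    # brute-force surface those failures come from.
    cat >"$stage/etc/ssh/sshd_config.local" <<'EOF'
UseBlacklist yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}
# Returns 0 when every piece the setup depends on is present in the stage.
check_stage() {
    grep -q '^UseBlacklist yes' "$1/etc/ssh/sshd_config.local" &&
    grep -q 'anchor "blacklistd/\*"' "$1/etc/pf.conf" &&
    grep -q '^blacklistd_enable="YES"' "$1/etc/rc.conf.local" &&
    grep -q '^ssh[[:space:]].*[[:space:]]3[[:space:]]*24h' "$1/etc/blacklistd.conf"
}
```

After the pieces are merged into /etc, `service pf start`, `service blacklistd start` and `service sshd reload` activate them; `blacklistctl dump -b` then lists the addresses currently blocked.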
