[tor-relays] [SOLVED] published descriptor missing from consensus

Roman Mamedov rm at romanrm.net
Thu Jun 8 15:01:35 UTC 2017


On Thu, 08 Jun 2017 09:43:00 -0500
Scott Bennett <bennett at sdf.org> wrote:

>      As noted more than once previously, the pf rules *pass* all traffic
> from relay addresses *first*, so that traffic has already gone on to tor
> before the block list is applied.

There are most likely some relays which use a different IP for outgoing
connections than what is listed in the consensus, due to multiple IPs or
provider multihoming. Your scheme does not seem to account for that, so those
connections may fail. In effect you will be leaving the Tor network
permanently semi-broken by running a relay while employing such filtering.

In any case I don't think there is any reasonable threat scenario against which
you must protect by not just allowing all connections from anywhere to
ORPort/DirPort of a Tor relay.

-- 
With respect,
Roman
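To make the ordering problem concrete, here is a small model of the two rule orderings being debated. It is an added illustration, not code from either poster, and it uses constructed addresses, an assumed ORPort of 9001 and an assumed DirPort of 9030; the blocklist and "consensus" tables are made up for the example. It shows that a relay whose outbound address differs from its advertised one is treated like any other host by a "pass consensus relays, then block" ruleset, whereas passing ORPort/DirPort from anywhere first sidesteps the issue entirely.

```python
# Added model of pf-style rule evaluation for the two orderings discussed above.
# Constructed example; not from the mailing-list post or from Tor's own code.
import ipaddress
from dataclasses import dataclass

OR_PORT = 9001   # assumed relay ORPort for this illustration
DIR_PORT = 9030  # assumed relay DirPort for this illustration


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src_nets: tuple = ()   # empty tuple = match any source address
    dst_ports: tuple = ()  # empty tuple = match any destination port
    quick: bool = True     # pf 'quick': stop evaluating on first match

    def matches(self, src, dst_port):
        ip = ipaddress.ip_address(src)
        if self.src_nets and not any(ip in net for net in self.src_nets):
            return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        return True


def evaluate(rules, src, dst_port, default="pass"):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', in which case evaluation stops there."""
    decision = default
    for rule in rules:
        if rule.matches(src, dst_port):
            decision = rule.action
            if rule.quick:
                break
    return decision


def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Constructed tables: addresses a relay advertises in the consensus, and a
# reputation blocklist that happens to cover the relay's *other* uplink.
CONSENSUS_RELAYS = nets("198.51.100.10/32", "192.0.2.5/32")
BLOCKLIST = nets("203.0.113.0/24")

# Ordering from the quoted post: pass consensus addresses first, then block.
relay_first_then_block = [
    Rule("pass", src_nets=CONSENSUS_RELAYS),
    Rule("block", src_nets=BLOCKLIST),
]

# Ordering suggested in the reply: accept ORPort/DirPort from anywhere, and let
# the blocklist apply only to everything else.
open_orport_dirport = [
    Rule("pass", dst_ports=(OR_PORT, DIR_PORT)),
    Rule("block", src_nets=BLOCKLIST),
]


if __name__ == "__main__":
    # Relay 198.51.100.10 is multihomed and actually connects out from
    # 203.0.113.77, which is not in the consensus but is in the blocklist.
    for name, rules in (("relay-first", relay_first_then_block),
                        ("open-orport", open_orport_dirport)):
        print(name,
              "relay via other uplink ->", evaluate(rules, "203.0.113.77", OR_PORT),
              "| blocklisted host to ssh ->", evaluate(rules, "203.0.113.9", 22))
```

Running it prints `block` for the multihomed relay under the relay-first ordering and `pass` under the open-ORPort ordering, while a blocklisted host aiming at port 22 is blocked under both.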

