[tor-relays] Exit Flag Requires 80 and 443 (was: connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?)

teor teor2345 at gmail.com
Mon Jan 22 00:17:34 UTC 2018

> On 21 Jan 2018, at 22:34, Toralf Förster <toralf.foerster at gmx.de> wrote:
> On 01/11/2018 02:10 AM, teor wrote:
>> So if you're going to do this, please set a much higher limit than 2.
>> I would suggest at least 4, but 10 or more is better.
>> You might be able to set it higher if you put a limit on repeated
>> connection attempts.
> The simple approach (allowing 8 SYN requests from an address at ORPort and at DirPort respectively) worked flawlessly for a while - just a few dozen/hundred DROPs per hour. Since yesterday however I get > 100K DROPs per hour.

Your relays are now handling extra load, because they lost the exit flag
and became guards.

> Could a side effect of that traffic be that I lost the Exit flag ?

No, the exit flag is determined by your exit policy, and the Tor version
running on the majority of directory authorities. Recently, a majority
of authorities upgraded to 0.3.2 or later. They require ports 80 and 443
for the Exit flag:

Your exit policy does not include port 80, so your relays are not useful
for clients to build general-purpose exit circuits. Please allow port
80 to regain the Exit flag.

(The majority of Tor traffic is web traffic. Some of that traffic is
unencrypted. This is bad, but enforcing port 443 on Tor clients would
sacrifice usability and anonymity for security.)


Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
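An added example to illustrate teor's point about the exit policy (not code from the thread or from Tor itself): a small checker that parses torrc-style IPv4 ExitPolicy lines and reports which of ports 80 and 443 the policy never accepts to any public /8. It uses a simplified model of the directory-authority check (probing the first host of each public /8 rather than Tor's exact rule), the sample policies are constructed, and unmatched traffic is treated as accepted because Tor appends a default policy ending in accept *:*.

```python
import ipaddress

# Constructed sample torrc ExitPolicy sets (not the relay from the thread).
POLICY_NO_80 = ["reject *:25", "accept *:443", "accept *:22", "reject *:*"]
POLICY_OK = ["reject 10.0.0.0/8:*", "accept *:80", "accept *:443", "reject *:*"]

def parse_rule(rule):
    """Parse one IPv4 ExitPolicy entry into (is_accept, network, (lo, hi))."""
    action, _, target = rule.strip().partition(" ")
    addr, _, ports = target.rpartition(":")
    if addr == "*":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:
        net = ipaddress.ip_network(addr if "/" in addr else addr + "/32", strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return action == "accept", net, (lo, hi)

def policy_accepts(rules, address, port):
    """First matching rule wins, as in Tor. Unmatched traffic is treated as
    accepted because Tor appends its default policy, which ends in accept *:*."""
    ip = ipaddress.ip_address(address)
    for is_accept, net, (lo, hi) in rules:
        if ip in net and lo <= port <= hi:
            return is_accept
    return True

def missing_exit_flag_ports(policy_lines, required=(80, 443)):
    """Return the required ports for which the policy accepts no public /8.
    Simplified model of the 0.3.2 authority check (assumption): probe the first
    host of every public IPv4 /8, skipping 10/8 and 127/8; one accepted /8 suffices."""
    rules = [parse_rule(line) for line in policy_lines]
    missing = []
    for port in required:
        reachable = any(
            policy_accepts(rules, f"{octet}.0.0.1", port)
            for octet in range(1, 224) if octet not in (10, 127)
        )
        if not reachable:
            missing.append(port)
    return missing

if __name__ == "__main__":
    for name, policy in (("POLICY_NO_80", POLICY_NO_80), ("POLICY_OK", POLICY_OK)):
        print(name, "missing for Exit flag:", missing_exit_flag_ports(policy) or "none")
```

Run it against the ExitPolicy lines of your own torrc; a non-empty result means the relay will not qualify for the Exit flag under the port 80 and 443 rule.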

