[tor-relays] what ip,port combinations do Tor clients need?

Jonathan Marquardt mail at parckwart.de
Tue May 8 14:59:08 UTC 2018


On Tue, May 08, 2018 at 04:45:58PM +0200, Martin Kepplinger wrote:
> What does a usable ipset (hash:ip,port) look like, so that it is a whitelist
> for in/out tcp connections? *Everything* else from/to the outside world is
> assumed to be dropped. (DNS too).
> 
> * dir auths from src/or/auth_dirs.inc
> * fallback dirs from scripts/maint/fallback.whitelist
> * current guard relays (parsed from a consensus file)
> 
> anything else?

There isn't really a standard port for the ORPort or the DirPort. All kinds of 
ports are used for this. For example, you could only allow port 443 and you 
would be good to go, just not for all relays.

In theory, you could create a giant iptables ruleset for every relay out 
there, which you would have to update all the time, because it changes every 
day.
I think that it is a more sensible approach if you configure a couple of 
bridges on your clients and only allow these IP:Port combinations. This would 
be a wiser approach if you aim for a minimum of allowed connection types.
-- 
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
             https://www.parckwart.de/pgp_key
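
The bridge-only whitelist suggested in the reply above, as an added example that is not part of the original message: it reads the `Bridge` lines from a client torrc and renders `ipset restore` input for `hash:ip,port` sets. The set name `tor-bridges`, the sample addresses and the fingerprints are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample torrc (documentation-range addresses, fake fingerprints).
SAMPLE_TORRC = """\
UseBridges 1
Bridge 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567
Bridge obfs4 198.51.100.7:9001 89ABCDEF0123456789ABCDEF0123456789ABCDEF cert=EXAMPLE iat-mode=0
bridge [2001:db8::5]:443
# Bridge 203.0.113.9:80   (commented out, must be ignored)
Bridge not-an-address:443
"""

ADDR = re.compile(r"^(\[[0-9A-Fa-f:]+\]|[0-9.]+):(\d{1,5})$")

def bridge_endpoints(torrc_text):
    """Return sorted unique (ip_address, port) pairs from Bridge lines."""
    found = set()
    for line in torrc_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0].lower() != "bridge":
            continue
        # The address is the first argument, or the second after a transport name.
        for word in words[1:3]:
            m = ADDR.match(word)
            if not m:
                continue
            try:
                ip = ipaddress.ip_address(m.group(1).strip("[]"))
            except ValueError:
                break  # looks like ip:port but is not a valid address
            port = int(m.group(2))
            if 0 < port < 65536:
                found.add((ip, port))
            break
    return sorted(found, key=lambda e: (e[0].version, int(e[0]), e[1]))

def ipset_restore(endpoints, name="tor-bridges"):
    """Render `ipset restore` input: one hash:ip,port set per address family."""
    out = []
    for version, family in ((4, "inet"), (6, "inet6")):
        members = [e for e in endpoints if e[0].version == version]
        if members:
            out.append(f"create {name}{version} hash:ip,port family {family} -exist")
            out += [f"add {name}{version} {ip},tcp:{port} -exist" for ip, port in members]
    return "".join(line + "\n" for line in out)

if __name__ == "__main__":
    print(ipset_restore(bridge_endpoints(SAMPLE_TORRC)), end="")
```

Pipe the output into `ipset restore`, then accept outbound TCP only where `-m set --match-set tor-bridges4 dst,dst` matches (and `tor-bridges6` in ip6tables) ahead of the default drop.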