[tor-relays] what ip,port combinations do Tor clients need?

Martin Kepplinger martink at posteo.de
Wed May 9 08:18:10 UTC 2018

On 2018-05-08 16:59, Jonathan Marquardt wrote:
> On Tue, May 08, 2018 at 04:45:58PM +0200, Martin Kepplinger wrote:
>> How does a usable ipset (hash:ip,port) look like, so that it is a whitelist
>> for
>> in/out tcp connections? *Everything* else from/to the outside world is
>> assumed
>> to be dropped. (DNS too).
>> * dir auths from src/or/auth_dirs.inc
>> * fallback dirs from scripts/maint/fallback.whitelist
>> * current guard relays (parsed from a consensus file)
>> anything else?
> There isn't really a standard port for the ORPort or the DirPort. All kinds of
> ports are used for this. For example, you could only allow port 443 and you
> would be good to go, just not for all relays.
> In theory, you could create a giant iptables ruleset for every relay out
> there, which you would have to update all the time, because it changes every
> day.

That's not really a problem with ipset. My list above results in about 
2800 entries (ip,port combinations). I could easily update it hourly. 
Starting tor-browser doesn't yet work though, and while I might simply 
still get iptables rules wrong, I thought I'd ask if I miss addresses.

Allowing local connections is necessary for the control port, and not an 
issue. It's about remote tcp connections.

> I think that it is a more sensible approach if you configure a couple of
> bridges on your clients and only allow these IP:Port combinations. This would
> be a wiser approach if you aim for a minimum of allowed connection types.

Possibly. I clearly want to try this approach though: not running Tor 
myself, just looking at the network. Again, size doesn't matter. Do I 
miss something?


More information about the tor-relays mailing list