[tor-relays] Question Re: firewall rules for obfs4 bridge relay

entensaison at use.startmail.com entensaison at use.startmail.com
Wed Oct 3 13:15:27 UTC 2018


Hi Kenneth,
Find the answers here:
https://lists.torproject.org/pipermail/tor-relays/2018-July/015748.html
It would be great to add that to the guide at 
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy 
^^.
 
> Hello,
> 
> I'm in the process of setting up a couple of obfs4 bridge relays on 
> Ubuntu server 18.04. 
> 
> I'm endeavoring to apply strict firewall rules to ensure only the 
> necessary ports are open.
> 
> In accordance with the configuration (below) I've allowed port 9001:
> 
> #Bridge config
> RunAsDaemon 1
> ORPort 9001
> BridgeRelay 1
> ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
> ExtORPort auto
> 
> #Set your bridge nickname and contact info
> ContactInfo <your-contact-info>
> Nickname pick-a-nickname
> 
> I've also allowed port 9051 to enable me to connect to the obfs4 
> server via onionbox.
> 
> After starting the Tor service the Tor logs report,
> 
> Opening Socks listener on 127.0.0.1:9050
> 
> Opening Control listener on 127.0.0.1:9051
> 
> Opening OR listener on 0.0.0.0:9001
> 
> Extended OR listener listening on port XXXXX.
> 
> Registered server transport 'obfs4' at '[::]:33919'
> 
> All of the ports listed (above) appear to be fixed ports that open 
> each time I start/restart Tor. However, the "Extended OR listener 
> listening on port XXXXX" changes on each start/restart.
>  
> I can see the configuration (above) instructs ExtORPort auto.
>  
> I've looked online where there is some advice suggesting the auto 
> setting for ExtORPort is important for security reasons, however, if 
> I'd like to have strict firewall rules the auto setting becomes 
> problematic.
> Currently, I've allowed port 9001 & the Tor logs report,
> 
> Now checking whether ORPort XXX.XXX.XXX.XX:9001 is reachable...
> 
> Self-testing indicates your ORPort is reachable from the outside.
> 
> I'd be grateful for some advice on which ports I should keep open, to 
> ensure I can provide the very best service & good security practice 
> both for the client & the server - thanks :)
> 
> Best regards,
> 
> Kenneth
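
An added example, not part of either message and not Tor project code: it sorts Tor startup log lines like those quoted above by bind address. Loopback listeners are reachable only from the host itself, wildcard listeners are the ones an inbound firewall rule affects, and a line that reports only a port is left as unknown. The sample log, its timestamps, the Extended OR port number and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the log lines quoted in the message above.
SAMPLE_LOG = """\
Oct 03 12:00:01.000 [notice] Opening Socks listener on 127.0.0.1:9050
Oct 03 12:00:01.000 [notice] Opening Control listener on 127.0.0.1:9051
Oct 03 12:00:01.000 [notice] Opening OR listener on 0.0.0.0:9001
Oct 03 12:00:01.000 [notice] Extended OR listener listening on port 40123.
Oct 03 12:00:02.000 [notice] Registered server transport 'obfs4' at '[::]:33919'
"""

LISTENER = re.compile(r"Opening (?P<name>[\w ]+?) listener on (?P<addr>\S+):(?P<port>\d+)")
TRANSPORT = re.compile(r"Registered server transport '(?P<name>[^']+)' at '(?P<addr>\S+):(?P<port>\d+)'")
PORT_ONLY = re.compile(r"(?P<name>[\w ]+?) listener listening on port (?P<port>\d+)")


def classify(log_text):
    """Return {port: (name, exposure)}; exposure is 'loopback', 'external' or 'unknown'."""
    result = {}
    for line in log_text.splitlines():
        m = LISTENER.search(line) or TRANSPORT.search(line)
        if m:
            # Strip the brackets around IPv6 literals such as [::].
            ip = ipaddress.ip_address(m["addr"].strip("[]"))
            exposure = "loopback" if ip.is_loopback else "external"
        else:
            m = PORT_ONLY.search(line)
            if not m:
                continue
            exposure = "unknown"  # the line gives no bind address, so do not guess
        result[int(m["port"])] = (m["name"].strip(), exposure)
    return result


def ports_needing_inbound_rule(log_text):
    """Ports bound to a non-loopback address, i.e. candidates for an allow rule."""
    return sorted(p for p, (_, e) in classify(log_text).items() if e == "external")


if __name__ == "__main__":
    for port, (name, exposure) in sorted(classify(SAMPLE_LOG).items()):
        print(f"{port:>5}  {name:<12} {exposure}")
    print("inbound rule candidates:", ports_needing_inbound_rule(SAMPLE_LOG))
```
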