[tor-relays] Question Re: firewall rules for obfs4 bridge relay

torrelay.europa at keemail.me torrelay.europa at keemail.me
Wed Oct 3 21:45:40 UTC 2018 

Thanks for the link & clarification.
Best regards,
Kenneth

3. Oct 2018 14:15 by entensaison at use.startmail.com <mailto:entensaison at use.startmail.com>:


> Hi Kenneth,
> find the answers here: > https://lists.torproject.org/pipermail/tor-relays/2018-July/015748.html <https://lists.torproject.org/pipermail/tor-relays/2018-July/015748.html>
> It would be great to add that to the guide at> https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy <https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy>>  ^^.
>  
>> Hello,
>>
>> I'm in the process of setting up a couple of obfs4 bridge relays on Ubuntu server 18.04. 
>>
>> I'm endeavoring to apply strict firewall rules to ensure only the necessary ports are open.
>>
>> In accordance with the configuration (below) I've allowed port 9001:
>>
>> #Bridge config
>> RunAsDaemon 1
>> ORPort 9001
>> BridgeRelay 1
>> ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
>> ExtORPort auto
>>
>> #Set your bridge nickname and contact info
>> ContactInfo <your-contact-info>
>> Nickname pick-a-nickname
>>
>> I've also allowed port 9051 to enable me to connect to the obfs4 server via onionbox.
>>
>> After starting the Tor service the Tor logs report,
>>
>> Opening Socks listener on 127.0.0.1:9050
>>
>> Opening Control listener on 127.0.0.1:9051
>>
>> Opening OR listener on 0.0.0.0:9001
>>
>> Extended OR listener listening on port XXXXX.
>>
>> Registered server transport 'obfs4' at '[::]:33919'
>>
>> All of the ports listed (above) appear to be fixed ports that open each time I start/restart Tor. However, the"Extended OR listener listening on port XXXXX" changes on each start/restart.
>>  >> I can see the configuration (above) instructs ExtORPort auto.>>  >> I've looked online where there is some advice suggesting the auto setting for ExtORPort is important for securityreasons, however, if I'd like to have strict firewall rules the auto setting becomes problematic.
>> Currently, I've allowed port 9001 & the Tor logs report,
>>
>> Now checking whether ORPort XXX.XXX.XXX.XX:9001 is reachable...
>>
>> Self-testing indicates your ORPort is reachable from the outside.
>>
>> I'd be grateful for some advice on which ports I should keep open, to ensure I can provide the very best service &good security practice both for the client & the server - thanks :)
>>
>> Best regards,
>>
>> Kenneth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20181003/0ab587c5/attachment-0001.html>

More information about the tor-relays mailing list