[tor-relays] Bridge node configurations and where to find them (semi quote)

boldsuck lists at for-privacy.net
Wed Aug 28 00:12:00 UTC 2024


On Tuesday, 27 August 2024 00:44:02 CEST Roger Dingledine wrote:

> > ```
> > BridgeRelay 1
> > ORPort <port>
> > ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
> > ServerTransportListenAddr obfs4 0.0.0.0:<port>
> > ExtORPort auto
> > ExitPolicy reject *:*
> > ```
> 
> Looks good. You don't need the ExitPolicy line (you're just setting it
> to the default), but it doesn't hurt to have it there.

Yes, ExitPolicy reject *:* is the default on non-exit relays, but
Socks port 9050 is open by default; I close it when not needed.

SocksPort 0
SocksPolicy reject *

The same applies to ControlPort:

ControlPort 0

Once your bridge has been running stably for a few weeks, an advanced but
experimental feature is to hide ORPort.

ORPort 127.0.0.1:<port>
ORPort [::1]:<port>
AssumeReachable 1

> 
> > I have set two limits on the connections:
> > ```
> > BandwidthRate 300 MBytes  # I want to determine how much bandwidth I can
> > allocate without impacting my network usage. IPv4Only
> > ```
> 
> That's a huge bandwidthrate, so I expect your bridge will never get
> anywhere close to reaching it. This is fine too. Also be sure to learn
> about 'BandwidthBurst' in case its behavior is surprising to you.
> 
If a bridge reaches 20-30 MBytes, that's already a lot. There are only very 
few (guard|exit) relays on Tor-Metrics that reach 100 MBytes.

> Should an anti DDoS system be configured?

You don't need that with a bridge, nor sysctl foo with a 1G NIC and 1 - 2
relays. Apart from disabling IPv6 autoconf & DAD, I leave the Debian defaults.

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
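
An added example, not part of the original post: a small Python check that reads a bridge torrc and reports the listeners this reply turns off (SocksPort, ControlPort) and a loopback-only ORPort that lacks the AssumeReachable 1 line the reply pairs it with. The sample torrc, its port numbers and the function names are constructed for illustration.

```python
# Added example: audit a bridge torrc for the settings discussed in this thread.
SAMPLE_TORRC = """\
# constructed sample; port numbers are placeholders
BridgeRelay 1
ORPort 127.0.0.1:9001
ORPort [::1]:9001
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8443
ExtORPort auto
ControlPort 9051
"""

def parse_torrc(text):
    """Return {lowercased option: [values]}; option names are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def first_token(value):
    return (value.split() or [""])[0]   # ignore flags after the port/address

def is_loopback(orport):
    return first_token(orport).startswith(("127.", "[::1]"))

def audit_bridge(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    o = parse_torrc(text)
    findings = []
    if o.get("bridgerelay") != ["1"]:
        findings.append("BridgeRelay 1 is not set")
    if "socksport" not in o:
        findings.append("SocksPort unset: 9050 opens by default, add 'SocksPort 0'")
    elif any(first_token(v) != "0" for v in o["socksport"]):
        findings.append("SocksPort is open")
    if any(first_token(v) != "0" for v in o.get("controlport", [])):
        findings.append("ControlPort is open")
    orports = o.get("orport", [])
    if orports and all(map(is_loopback, orports)) and o.get("assumereachable") != ["1"]:
        findings.append("ORPort is loopback-only but AssumeReachable 1 is missing")
    return findings

if __name__ == "__main__":
    for finding in audit_bridge(SAMPLE_TORRC):
        print("WARN:", finding)
```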