[tor-relays] Relay usage dropped 9x when enabling UFW. What UFW rules do other relay operators enact?
boldsuck
lists at for-privacy.net
Wed Jun 19 14:47:05 UTC 2024
On Tuesday, 18 June 2024 18:53:07 CEST admin--- via tor-relays wrote:
I have never used a frontend for IP/nftables. I have no idea what the scripts produce and whether they are correct.
The beauty of UNIX/Linux is the human-readable config text files that you can comment on as you wish.
> Here are my tor-related UFW rules;
>      To             Action      From
>      --             ------      ----
> [ 3] 9001           ALLOW IN    Anywhere
> [11] 9001 (v6)      ALLOW IN    Anywhere (v6)
>
> I'm really confused how UFW firewalled most, but not all, of my relays
> traffic. What UFW rules do other relay operators enact?
Maybe you could post your entire FW ruleset. (Use pastebin)
First, no output filters: :OUTPUT ACCEPT
Here are default IP/nftables rules for Tor relays:
https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables
https://github.com/boldsuck/tor-relay-bootstrap/blob/master/etc/nftables.conf
Here are my current nftables on my Frantech Exits:
https://paste.systemli.org/?052a70208b22aebe#4b8qoJU9MrPgopfhm9HPxARTwXmWVkwBP5XrVFMKqfgD
You don't need to set up dynamic DDoS policies there. Francisco already does that on his Junipers.
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
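A minimal nftables ruleset that follows the two points made above (ORPort open inbound for v4 and v6, no output filtering), added here as an illustration; it is not the file from the linked tor-relay-bootstrap repository nor the pasted Frantech ruleset. Assumptions: the relay's ORPort is 9001, no DirPort is configured, and sshd listens on 22.

```nftables
#!/usr/sbin/nft -f
# Added example, not the ruleset from the linked repository or the paste.
# Assumptions: ORPort 9001 on IPv4 and IPv6, no DirPort, sshd on port 22.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to the relay's own outbound circuits:
        # those come back in as "established", so this rule is essential.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP and ICMPv6 are needed for PMTU discovery and (v6) neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # The ORPort, v4 and v6 alike (the "inet" family covers both).
        tcp dport 9001 accept

        # Management access (assumption: sshd on 22).
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # No output filters: a relay opens outbound connections to every other
        # relay's ORPort, and an exit to arbitrary destinations, so the output
        # policy stays accept.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm the result with `nft list ruleset`; if you use UFW instead, `ufw status verbose` should show the default outgoing policy as allow, and `ss -tlnp` should show tor listening only on the ports the rules open.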