PS - forgot to state that I'm using ufw firewall. 
Date: 3. Oct 2018 13:16
From: torrelay.eur...@keemail.me <mailto:torrelay.eur...@keemail.me>
To: tor-relays@lists.torproject.org <mailto:tor-relays@lists.torproject.org>
Subject: Question Re: firewall rules for obfs4 bridge relay


> Hello,
>
> I'm in the process of setting up a couple of obfs4 bridge relays on Ubuntu 
> server 18.04.  
>
> I'm endeavoring to apply strict firewall rules to ensure only the necessary 
> ports are open. 
>
> In accordance with the configuration (below) I've allowed port 9001:
>
> #Bridge config
> RunAsDaemon 1
> ORPort 9001
> BridgeRelay 1
> ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
> ExtORPort auto
>
> #Set your bridge nickname and contact info
> ContactInfo <your-contact-info>
> Nickname pick-a-nickname
>
> I've also allowed port 9051 to enable me to connect to the obfs4 server via 
> onionbox.
>
> After starting the Tor service the Tor logs report,
>
> Opening Socks listener on 127.0.0.1:9050
>
> Opening Control listener on 127.0.0.1:9051
>
> Opening OR listener on 0.0.0.0:9001
>
> Extended OR listener listening on port XXXXX.
>
> Registered server transport 'obfs4' at '[::]:33919'
>
> All of the ports listed (above) appear to be fixed ports that open each time 
> I start/restart Tor. However, the "Extended OR listener listening on port 
> XXXXX" changes on each start/restart. 
>
> I can see the configuration (above) instructs ExtORPort auto. 
>
> I've looked online where there is some advice suggesting the auto setting for 
> ExtORPort is important for security reasons, however, if I'd like to have 
> strict firewall rules the auto setting becomes problematic.
> Currently, I've allowed port 9001 & the Tor logs report,
>
> Now checking whether ORPort XXX.XXX.XXX.XX:9001 is reachable...
>
> Self-testing indicates your ORPort is reachable from the outside. 
>
> I'd be grateful for some advice on which ports I should keep open, to ensure 
> I can provide the very best service & good security practice both for the 
> client & the server - thanks :)
>
> Best regards,
>
> Kenneth
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
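
As an added example (not part of the original message and not Tor project code), this Python sketch parses the listener lines quoted in the message and separates loopback-bound listeners from those bound to a wildcard address, which are the ones a firewall rule set has to account for. The function names and regular expressions are assumptions based only on the log lines shown above; the sample log is constructed from them.

```python
import ipaddress
import re

# Constructed sample: the notice lines quoted in the message, with the
# elided Extended OR port left as the placeholder XXXXX.
SAMPLE_LOG = """\
Opening Socks listener on 127.0.0.1:9050
Opening Control listener on 127.0.0.1:9051
Opening OR listener on 0.0.0.0:9001
Extended OR listener listening on port XXXXX.
Registered server transport 'obfs4' at '[::]:33919'
"""

OPENING = re.compile(r"Opening (?P<name>[\w ]+?) listener on (?P<addr>\S+):(?P<port>\d+)")
TRANSPORT = re.compile(r"Registered server transport '(?P<name>[^']+)' at '(?P<addr>\S+):(?P<port>\d+)'")
EXTOR = re.compile(r"Extended OR listener listening on port (?P<port>\w+)")


def classify(addr):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::, i.e. every interface
        return "wildcard"
    return "specific"


def parse_listeners(log_text):
    """Return a list of (name, port, scope) for each listener line in log_text."""
    out = []
    for line in log_text.splitlines():
        m = OPENING.search(line) or TRANSPORT.search(line)
        if m:
            out.append((m["name"], m["port"], classify(m["addr"])))
            continue
        m = EXTOR.search(line)
        if m:
            # This line carries no bind address, so its scope cannot be
            # decided from the log alone.
            out.append(("Extended OR", m["port"], "unknown"))
    return out


def exposed_ports(listeners):
    """Ports whose listener is not bound to loopback, i.e. firewall-relevant."""
    return sorted(int(p) for _, p, scope in listeners if scope in ("wildcard", "specific"))
```

Listeners reported as "unknown" need their bind address confirmed on the host (for example from the socket table) before deciding whether a firewall rule applies to them.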
