Thanks guys, Your experience is really helpful. After some thoughts now I'm allowing only incoming tcp ports 443 and ssh outgoing tcp port 443 I haven't enabled the Dirport. Heard all tor relays are dir mirrors by default. Later I will read the nsa, Linux hardening guide. It looks good. Thanks for sharing.