[tor-relays] Question Re: firewall rules for obfs4 bridge relay
entensaison at use.startmail.com
Wed Oct 3 13:15:27 UTC 2018
Hi Kenneth,
Find the answers here:
https://lists.torproject.org/pipermail/tor-relays/2018-July/015748.html
It would be great to add that to the guide at
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy
^^.
> Hello,
>
> I'm in the process of setting up a couple of obfs4 bridge relays on
> Ubuntu server 18.04.
>
> I'm endeavoring to apply strict firewall rules to ensure only the
> necessary ports are open.
>
> In accordance with the configuration (below) I've allowed port 9001:
>
> #Bridge config
> RunAsDaemon 1
> ORPort 9001
> BridgeRelay 1
> ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
> ExtORPort auto
>
> #Set your bridge nickname and contact info
> ContactInfo <your-contact-info>
> Nickname pick-a-nickname
>
> I've also allowed port 9051 to enable me to connect to the obfs4
> server via onionbox.
>
> After starting the Tor service the Tor logs report,
>
> Opening Socks listener on 127.0.0.1:9050
>
> Opening Control listener on 127.0.0.1:9051
>
> Opening OR listener on 0.0.0.0:9001
>
> Extended OR listener listening on port XXXXX.
>
> Registered server transport 'obfs4' at '[::]:33919'
>
> All of the ports listed (above) appear to be fixed ports that open
> each time I start/restart Tor. However, the "Extended OR listener
> listening on port XXXXX" changes on each start/restart.
>
> I can see the configuration (above) instructs ExtORPort auto.
>
> I've looked online where there is some advice suggesting the auto
> setting for ExtORPort is important for security reasons, however, if
> I'd like to have strict firewall rules the auto setting becomes
> problematic.
> Currently, I've allowed port 9001 & the Tor logs report,
>
> Now checking whether ORPort XXX.XXX.XXX.XX:9001 is reachable...
>
> Self-testing indicates your ORPort is reachable from the outside.
>
> I'd be grateful for some advice on which ports I should keep open, to
> ensure I can provide the very best service & good security practice
> both for the client & the server - thanks :)
>
> Best regards,
>
> Kenneth
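
Added example (not part of either message, and not code from the Tor Project): a Python script that reads the listener lines quoted above and separates loopback-only listeners from those bound to a wildcard address, which are the only ones an inbound firewall rule applies to. The function names and the embedded sample log are constructed for illustration; the "Extended OR" line carries no bind address, so it is reported as unknown rather than guessed.

```python
import ipaddress
import re

# Constructed sample: the listener lines quoted in the message above.
# "XXXXX" is the poster's own redaction and is kept as-is.
SAMPLE_LOG = """\
Opening Socks listener on 127.0.0.1:9050
Opening Control listener on 127.0.0.1:9051
Opening OR listener on 0.0.0.0:9001
Extended OR listener listening on port XXXXX.
Registered server transport 'obfs4' at '[::]:33919'
"""

# "Opening <name> listener on <addr>:<port>"
OPENING = re.compile(r"Opening (?P<name>[\w ]+?) listener on (?P<addr>\S+):(?P<port>\d+)")
# "Registered server transport '<name>' at '<addr>:<port>'"
TRANSPORT = re.compile(r"Registered server transport '(?P<name>[^']+)' at '(?P<addr>\S+):(?P<port>\d+)'")
# This line carries a port but no bind address.
EXT_OR = re.compile(r"Extended OR listener listening on port (?P<port>\w+)")


def classify_listeners(log_text):
    """Return (name, addr, port, scope) per listener line; scope is
    'loopback', 'external' or 'unknown' (no address in the log line)."""
    found = []
    for line in log_text.splitlines():
        m = OPENING.search(line) or TRANSPORT.search(line)
        if m:
            addr = m["addr"].strip("[]")  # IPv6 literals are bracketed
            scope = "loopback" if ipaddress.ip_address(addr).is_loopback else "external"
            found.append((m["name"], addr, int(m["port"]), scope))
            continue
        m = EXT_OR.search(line)
        if m:
            found.append(("Extended OR", None, m["port"], "unknown"))
    return found


def inbound_candidates(listeners):
    """Ports bound to a non-loopback address: the only ones an inbound
    firewall rule can affect. Loopback listeners are unreachable remotely."""
    return sorted(port for _, _, port, scope in listeners if scope == "external")


if __name__ == "__main__":
    for entry in classify_listeners(SAMPLE_LOG):
        print(entry)
    print("inbound candidates:", inbound_candidates(classify_listeners(SAMPLE_LOG)))
```

For a listener reported as unknown, the bind address can be confirmed on the host with `ss -tlnp` before deciding on a rule.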