Hi Kenneth,
find the answers here:
https://lists.torproject.org/pipermail/tor-relays/2018-July/015748.html
It would be great to add that to the guide at
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy
^^.

Hello,
I'm in the process of setting up a couple of obfs4 bridge relays on
Ubuntu server 18.04.
I'm endeavoring to apply strict firewall rules to ensure only the
necessary ports are open.
In accordance with the configuration (below) I've allowed port 9001:

    #Bridge config
    RunAsDaemon 1
    ORPort 9001
    BridgeRelay 1
    ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
    ExtORPort auto
    #Set your bridge nickname and contact info
    ContactInfo <your-contact-info>
    Nickname pick-a-nickname

I've also allowed port 9051 to enable me to connect to the obfs4
server via onionbox.
After starting the Tor service the Tor logs report,

    Opening Socks listener on 127.0.0.1:9050
    Opening Control listener on 127.0.0.1:9051
    Opening OR listener on 0.0.0.0:9001
    Extended OR listener listening on port XXXXX.
    Registered server transport 'obfs4' at '[::]:33919'

All of the ports listed (above) appear to be fixed ports that open
each time I start/restart Tor. However, the "Extended OR listener
listening on port XXXXX" changes on each start/restart.
I can see the configuration (above) instructs ExtORPort auto.
I've looked online where there is some advice suggesting the auto
setting for ExtORPort is important for security reasons, however, if
I'd like to have strict firewall rules the auto setting becomes
problematic.
Currently, I've allowed port 9001 & the Tor logs report,

    Now checking whether ORPort XXX.XXX.XXX.XX:9001 is reachable...
    Self-testing indicates your ORPort is reachable from the outside.

I'd be grateful for some advice on which ports I should keep open, to
ensure I can provide the very best service & good security practice
both for the client & the server - thanks :)
Best regards,
Kenneth
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
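
An added example, not part of the original thread and not Tor's own code: it sorts the listener lines quoted in the message by bind address, so that a firewall review can separate ports bound to a wildcard address from loopback-only ones and from ones whose address the log excerpt does not show. The function name `classify_listeners`, the port 40123 standing in for the elided "XXXXX", and the pairing of an "Opening ... :0" line with a later "listening on port" line are assumptions.

```python
import ipaddress
import re

# Constructed sample: the log lines quoted in the message, with a made-up
# port (40123) standing in for the elided "XXXXX".
SAMPLE_LOG = """\
Opening Socks listener on 127.0.0.1:9050
Opening Control listener on 127.0.0.1:9051
Opening OR listener on 0.0.0.0:9001
Extended OR listener listening on port 40123.
Registered server transport 'obfs4' at '[::]:33919'
"""

OPENING = re.compile(r"^Opening (.+?) listener on (\S+):(\d+)$")
AUTO = re.compile(r"^(.+?) listener listening on port (\d+)\.$")
TRANSPORT = re.compile(r"^Registered server transport '([^']+)' at '(.+):(\d+)'$")


def classify_listeners(log_text):
    """Sort logged listeners into exposed / loopback / unverified (name, port) lists."""
    out = {"exposed": [], "loopback": [], "unverified": []}
    pending = {}  # name -> bind address of a listener opened with port 0 (auto)
    for raw in log_text.splitlines():
        line = raw.split("] ", 1)[-1].strip()  # drop "date [notice] " if present
        m = OPENING.match(line) or TRANSPORT.match(line)
        if m:
            name, port = m.group(1), int(m.group(3))
            ip = ipaddress.ip_address(m.group(2).strip("[]"))
            if port == 0:  # assumption: the real port follows in a "listening on port" line
                pending[name] = ip
            else:
                out["loopback" if ip.is_loopback else "exposed"].append((name, port))
            continue
        m = AUTO.match(line)
        if m:
            name, port = m.group(1), int(m.group(2))
            ip = pending.pop(name, None)
            if ip is None:  # no bind address in the log: check it with `ss -tlnp`
                out["unverified"].append((name, port))
            else:
                out["loopback" if ip.is_loopback else "exposed"].append((name, port))
    return out


if __name__ == "__main__":
    for bucket, items in classify_listeners(SAMPLE_LOG).items():
        print(bucket, items)
```

Only the "exposed" entries are reachable from other hosts and therefore relevant to inbound firewall rules; an "unverified" entry needs its bind address confirmed on the host before any decision is made about it.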