Re: [tor-relays] Relay usage dropped 9x when enabling UFW. What UFW rules do other relay operators enact?

lists · June 19, 2024, 2:47pm

I have never used a frontend for IP/nftables. I have no idea what the scripts produce and whether they are correct.
The beauty of UNIX/Linux are the human-readable config text files that you can comment on as you wish.

Here are my tor-related UFW rules;
To Action From
-- ------ ----
[ 3] 9001 ALLOW IN Anywhere
[11] 9001 (v6) ALLOW IN Anywhere (v6)

I'm really confused how UFW firewalled most, but not all, of my relays
traffic. What UFW rules do other relay operators enact?

Maybe you could post your entire FW ruleset. ((Use pastebin)

First, no output filters: :OUTPUT ACCEPT

Here are default IP/nftables rules for Tor relays:

github.com

boldsuck/tor-relay-bootstrap/blob/master/etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

    chain input_ipv4 {
        # Accepting ping (icmp-echo-request) for diagnostic purposes.
        # This sample accepts them within a certain rate limit:
        icmp type echo-request limit rate 5/second accept
    }

    chain input_ipv6 {
        # Accept neighbour discovery otherwise connectivity breaks.
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # Accepting ping (icmpv6-echo-request) for diagnostic purposes.
        # This sample accepts them within a certain rate limit:
        icmpv6 type echo-request limit rate 5/second accept
    }

This file has been truncated. show original

Here are my current nftables on my Frantech Exits:

You don't need to set up dynamic DDoS policies there. Francisco already does that on his Junipers.

···

On Dienstag, 18. Juni 2024 18:53:07 CEST admin--- via tor-relays wrote:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!