Thanks for the reply. What would be a reasonable per-ip rate limit
(connections per second) for a Tor middle relay?
On FreeBSD the following pf settings apply for running Tor in a jail:

# sources that trip the limits below land here and get excluded from the rdr/pass rules
table <blockOR1> persist
MAXSRCCONN = "50"        # max concurrent states per source IP
MAXSRCCONNRATE = "5/5"   # max 5 new connections per 5 seconds per source IP

nat on $IFEXT inet from $IPTOR1 to any -> $IP1
rdr on $IFEXT inet proto tcp from !<blockOR1> to $IP1 port XXX -> $IPTOR1 port YYY
pass in on $IFEXT inet proto tcp from any to $IPTOR1 port YYY flags S/SA \
    modulate state (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, \
    overload <blockOR1> flush)   # offender is added to the table and its states are flushed
Running Tor on the host could be something like:

table <blockOR1> persist
MAXSRCCONN = "50"        # max concurrent states per source IP
MAXSRCCONNRATE = "5/5"   # max 5 new connections per 5 seconds per source IP

pass in on $IFEXT inet proto tcp from !<blockOR1> to $IPTOR1 port YYY flags S/SA \
    modulate state (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, \
    overload <blockOR1> flush)   # offender is added to the table and its states are flushed

The MAX* values are very tight because of the latest DoS experiences.
Feel free to adjust them to your needs.
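The following is an added example, not part of the post above and not pf code: a small Python model of what the two knobs in the rules above do to a stream of incoming connections. It is a simplification (a plain sliding window for max-src-conn-rate, whereas pf uses a decaying counter, so exact trip times can differ slightly), the source names and timestamps are constructed, and the thresholds mirror the post's `50` and `5/5`. It is meant for reasoning about whether a given limit would catch a burst while leaving a slow, well-behaved peer alone.

```python
"""Model of pf 'max-src-conn N, max-src-conn-rate L/S, overload <table> flush'.

Added illustration, not pf's implementation: the rate check here is a sliding
window of the last S seconds; pf itself uses a linearly decaying counter.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 50          # post's MAXSRCCONN: concurrent states per source
MAX_SRC_CONN_RATE = (5, 5)  # post's MAXSRCCONNRATE "5/5": 5 new conns per 5 s


def evaluate(events, max_src_conn=MAX_SRC_CONN, rate=MAX_SRC_CONN_RATE):
    """events: time-ordered (t_seconds, src, 'open'|'close') tuples.

    Returns (blocked, log): the set of sources that ended up in the overload
    table and a per-event decision log of (t, src, outcome).
    """
    limit, window = rate
    open_states = defaultdict(int)     # concurrent states per source
    recent = defaultdict(deque)        # timestamps of new conns inside the window
    blocked = set()                    # the <blockOR1> table
    log = []
    for t, src, kind in events:
        if src in blocked:             # rdr/pass rules exclude table members
            log.append((t, src, "dropped: in <blockOR1>"))
            continue
        if kind == "close":
            if open_states[src] > 0:
                open_states[src] -= 1
            continue
        q = recent[src]
        while q and t - q[0] >= window:   # forget conns older than the window
            q.popleft()
        q.append(t)
        open_states[src] += 1
        reason = None
        if open_states[src] > max_src_conn:
            reason = "max-src-conn exceeded"
        elif len(q) > limit:
            reason = "max-src-conn-rate exceeded"
        if reason:
            # 'overload <blockOR1> flush': add the source to the table and
            # kill the states this rule created for it
            blocked.add(src)
            open_states[src] = 0
            q.clear()
            log.append((t, src, f"overload: {reason}"))
        else:
            log.append((t, src, "pass"))
    return blocked, log


def sample_events():
    """Constructed traffic: one polite peer, one SYN burst, one state hog."""
    ev = []
    # "legit": one new connection every 2 s, each closed a second later
    for i in range(10):
        ev.append((i * 2.0, "legit", "open"))
        ev.append((i * 2.0 + 1.0, "legit", "close"))
    # "burst": 8 connection attempts within one second starting at t=30
    for i in range(8):
        ev.append((30.0 + i / 10, "burst", "open"))
    # "hog": 55 connections 10 s apart that are never closed (t=100..640)
    for i in range(55):
        ev.append((100.0 + i * 10.0, "hog", "open"))
    ev.sort(key=lambda e: e[0])
    return ev


def overload_time(log, src):
    """Timestamp at which src was moved to the table, or None."""
    for t, s, outcome in log:
        if s == src and outcome.startswith("overload"):
            return t
    return None


if __name__ == "__main__":
    blocked, log = evaluate(sample_events())
    print("in <blockOR1>:", sorted(blocked))
    for src in ("legit", "burst", "hog"):
        print(src, "overloaded at", overload_time(log, src))
```

With the post's values the slow peer never trips anything, the burst is cut off at its sixth attempt inside the 5 s window, and the hog is only caught once it holds 51 states, which shows why the rate limit rather than max-src-conn is what stops a SYN flood. Note that `flush` kills only the states created by this rule; pf's `flush global` would remove every state from the offending source.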