[Tor-BSD] OpenBSD pf rules...
libertas at mykolab.com
Wed Nov 26 20:38:17 EST 2014
Right. I was operating under the assumption that a subset of the
network's ORPorts was going to be chosen, as there are just so many.
Restricting outgoing connections to all of them (or a subset) seems
like security theater to me. It's quite possible that I'm missing
something, but I can't imagine a situation in which that would
significantly increase security.

Additionally, you'd have to make sure that whatever was remotely
fetching the ORPort data and updating the pf table didn't gum up the

For context, I suddenly joined this conversation because I configured
a Tor exit node on OpenBSD today, including its pf.conf. I'm currently
allowing all outgoing connections, which the OpenBSD Freenode channel

On 11/26/2014 07:57 PM, teor wrote:
>> I was just thinking of outgoing port-specific filtering in terms
>> of the amount of complexity and overhead it adds, and the fact
>> that it makes one's relay a worse Tor citizen.
> If you filter ports that Tor wants to connect on, then yes, it
> would make you a worse Tor citizen.
> But if you get the port list to match your Exit Policy + Remote
> ORPorts, surely no-one would ever notice?
> teor pgp 0xABFED1AC hkp://pgp.mit.edu/
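For readers who want to see what the "Exit Policy + remote ORPorts" filtering discussed in this thread looks like in practice, here is a sketch of an OpenBSD pf.conf. It is an added example, not the poster's or teor's configuration. It assumes an external interface named em0, a local ORPort of 9001, a constructed two-port exit policy, and a persistent pf table named tor_relays; none of those names or values appear in the message. Note that pf tables hold addresses, not ports, so the table carries relay IP addresses and the rule for it allows any TCP port to those addresses; the exit-policy ports are kept in a separate list.

```pf
# Added example, not from the mailing list message.
# Assumed values: external interface em0, local ORPort 9001, table name
# tor_relays, and a constructed exit policy of ports 80 and 443.
ext_if = "em0"
orport = "9001"

# Destination ports permitted by the (constructed) Exit Policy.
exit_ports = "{ 80 443 }"

# Relay addresses fetched by an external updater. "persist" keeps the
# table defined even while it is empty, so a failed update does not
# make pf drop the rule that references it. The updater refreshes it with:
#   pfctl -t tor_relays -T replace -f /path/to/relay-addresses.txt
table <tor_relays> persist

set skip on lo
block log all

# Inbound: clients and other relays reaching our ORPort.
pass in on $ext_if proto tcp to ($ext_if) port $orport

# Outbound: exit traffic on policy ports, DNS for exit resolution,
# and relay-to-relay connections to known relay addresses on any port.
pass out on $ext_if proto udp to any port 53
pass out on $ext_if proto tcp to any port $exit_ports
pass out on $ext_if proto tcp to <tor_relays>
```

The `pfctl -T replace` form swaps the whole table in one operation instead of adding and deleting entries piecemeal, which addresses part of the updater concern raised above. The remaining caveat is that a fetch returning an empty or truncated list would replace the table with nothing and silently cut the relay off from the rest of the network, so the updater should refuse to replace the table when the fetched list is empty or far smaller than the previous one.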