Re: [tor-relays] Relay question
On 12/8/23 04:19, Mulloch94 via tor-relays wrote:
> -A INPUT -j DROP

Hmm, what about local traffic, e.g.:

-A INPUT --in-interface lo -j ACCEPT

or ICMP, e.g.:

-A INPUT -p icmp -j ACCEPT

To persist your firewall rules take a look at this doc [1]

[1] https://github.com/toralf/torutils#quick-start

--
Toralf
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Relay question
For your firewall settings, you will find everything you need here:
https://github.com/Enkidu-6/tor-ddos/
It is the common setting for most Tor operators. Although, I don't think it is the source of your problem and I wouldn't worry too much about it unless it happens repeatedly.
The log in "/var/log/syslog" might give you some helpful hints.

Denny

On 12/07/2023 10:19PM Mulloch94 via tor-relays wrote ..
> Greetings, I was directed to this relay subscription by the owner. I've
> recently started my own relay and everything has gone smooth for the first
> few days. Then the relay mysteriously went offline for a period of 8-9 hours.
> Happened while I was sleeping I think, but at any rate it came back on after I
> restarted the tor daemon and rebooted the server. I'm starting to think my
> firewall configurations might have been the culprit, even though I ran a very
> rudimentary setup. Basically just:
> -A INPUT -p tcp --dport -j ACCEPT
> -A INPUT -p tcp --dport 9050 -j ACCEPT
> -A INPUT -p tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp --dport 80 -j ACCEPT
> -A INPUT -j DROP
>
> Default ACCEPT on OUTPUT
>
> My ORPort is on 443, so I don't see how this could be interfering. I noticed
> my server reboot got rid of all my rules, so I'm thinking that could've been
> the issue. If so, what other ports should I add? Do I even need a firewall
> for the relay? I don't do anything else with that server, so if it doesn't
> need a firewall to stay secure I won't use one. One more thing, I had a flag
> on my relay that said I needed to "update the descriptor." It went away after
> rebooting my server as well, could that have been the issue?
>
> Sent with [Proton Mail](https://proton.me/) secure email.
Re: [tor-relays] Relay question
On Fri, Dec 08, 2023 at 03:19:49AM +, Mulloch94 via tor-relays wrote:
> Greetings, I was directed to this relay subscription by the owner. I've
> recently started my own relay and everything has gone smooth for the first
> few days. Then the relay mysteriously went offline for a period of 8-9 hours.

What do you mean by offline? The computer was offline? Or, the relay process was not running? Or, the relay process was still running but it was no longer reachable from the outside? Or something else?

I think there aren't enough hints so far for us to guess what happened, i.e. there is still some mystery.

> Happened while I was sleeping I think, but at any rate it came back on after I
> restarted the tor daemon and rebooted the server. I'm starting to think my
> firewall configurations might have been the culprit, even though I ran a very
> rudimentary setup. Basically just:
> -A INPUT -p tcp --dport -j ACCEPT
> -A INPUT -p tcp --dport 9050 -j ACCEPT
> -A INPUT -p tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp --dport 80 -j ACCEPT
> -A INPUT -j DROP
>
> Default ACCEPT on OUTPUT

I am no iptables expert, but (a) this sounds like it should work, and (b) you probably don't want that 9050 line in there, since your Tor relay's socksport is intended to be only listening on localhost. (Opening up the firewall for 9050 shouldn't hurt any though, so long as Tor still only listens on localhost.)

> My ORPort is on 443, so I don't see how this could be interfering. I noticed
> my server reboot got rid of all my rules, so I'm thinking that could've been
> the issue. If so, what other ports should I add? Do I even need a firewall
> for the relay? I don't do anything else with that server, so if it doesn't
> need a firewall to stay secure I won't use one.

Opinions differ on the importance of firewalls, but technically no, you would be fine without any sort of rules like these, so long as you keep track of what applications are running on the system and make sure things aren't listening on the outside that you didn't intend.

If you aren't a confident and experienced sysadmin though, the firewall rules are probably helpful because they simplify the question of how much surface area might be exposed to the world.

> One more thing, I had a flag on my relay that said I needed to "update the
> descriptor." It went away after rebooting my server as well, could that have
> been the issue?

That sounds normal-ish, and it implies that your relay stopped running somehow, before that reboot.

Next step would be to check the Tor logs, check the system logs, otherwise try to better understand what is going on on your computer.

--Roger
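The points raised in Toralf's and Roger's replies above (loopback and ICMP accepts before the final DROP, the unneeded 9050 rule), written as a small rule-set linter. This is an added example, not part of the thread; the check for an ESTABLISHED/RELATED accept and the port 22 in the revised rules are assumptions that go beyond what the posters wrote.

```shell
#!/bin/sh
# Added example (not from the thread): lint "-A INPUT ..." rules for the
# points raised in the replies. All rule sets here are constructed input.

# Print one finding per line for the rules on stdin; nothing if clean.
audit_input_rules() {
    awk '
    /^-A INPUT/ {
        if (dropped) next                 # rules after a catch-all never match
        if ($0 ~ /^-A INPUT -j (DROP|REJECT)/) { dropped = 1; next }
        if ($0 ~ /--dport +-/)               print "dport-without-port: " $0
        if ($0 ~ /--dport 9050 .*-j ACCEPT/) print "socksport-opened: " $0
        if ($0 ~ /(-i|--in-interface) lo .*-j ACCEPT/) lo = 1
        if ($0 ~ /-p icmp .*-j ACCEPT/)                icmp = 1
        # Assumption beyond the thread: replies to outbound connections
        # need a stateful accept when the chain ends in DROP.
        if ($0 ~ /(--state|--ctstate) [A-Z,]*ESTABLISHED.*-j ACCEPT/) est = 1
    }
    END {
        if (!dropped) exit                # no catch-all DROP, nothing to flag
        if (!lo)   print "no-loopback-accept-before-drop"
        if (!icmp) print "no-icmp-accept-before-drop"
        if (!est)  print "no-established-accept-before-drop"
    }'
}

# The rules as quoted in the thread; the first has no port on the page.
rules_as_posted() {
    cat <<'EOF'
-A INPUT -p tcp --dport -j ACCEPT
-A INPUT -p tcp --dport 9050 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Constructed revision: loopback and ICMP as suggested in the reply, a
# conntrack accept (assumption), no 9050 rule. Port 22 is a placeholder
# for whatever management port the first posted rule was meant to open.
rules_revised() {
    cat <<'EOF'
-A INPUT --in-interface lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
EOF
}

printf 'as posted:\n'; rules_as_posted | audit_input_rules
printf 'revised:\n';   rules_revised   | audit_input_rules
```

To check a live host, pipe the output of `iptables -S INPUT` into `audit_input_rules`.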
[tor-relays] Relay question
Greetings, I was directed to this relay subscription by the owner. I've recently started my own relay and everything has gone smooth for the first few days. Then the relay mysteriously went offline for a period of 8-9 hours. Happened while I was sleeping I think, but at any rate it came back on after I restarted the tor daemon and rebooted the server. I'm starting to think my firewall configurations might have been the culprit, even though I ran a very rudimentary setup. Basically just:

-A INPUT -p tcp --dport -j ACCEPT
-A INPUT -p tcp --dport 9050 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP

Default ACCEPT on OUTPUT

My ORPort is on 443, so I don't see how this could be interfering. I noticed my server reboot got rid of all my rules, so I'm thinking that could've been the issue. If so, what other ports should I add? Do I even need a firewall for the relay? I don't do anything else with that server, so if it doesn't need a firewall to stay secure I won't use one. One more thing, I had a flag on my relay that said I needed to "update the descriptor." It went away after rebooting my server as well, could that have been the issue?

Sent with [Proton Mail](https://proton.me/) secure email.
Re: [tor-relays] Relay question
Yes, that's right. But our problem is still relevant. Please help us solve it if you know how On 2022-04-12 00:39, Georg Koppen wrote: > onion...@riseup.net: >> I found in syslog file: >> http status 400 ("Fingerprint and/or ed25519 identity is marked rejected >> -- if you think this is a mistake please set a valid email address in >> ContactInfo and send an email to bad-rel...@lists.torproject.org >> mentioning your fingerprint(s)?") response from dirserver >> 131.188.40.189:80. Please correct. >> http status 400 ("Fingerprint and/or ed25519 identity is marked rejected >> -- if you think this is a mistake please set a valid email address in >> ContactInfo and send an email to bad-rel...@lists.torproject.org >> mentioning your fingerprint(s)?") response from dirserver >> 86.59.21.38:80. Please correct. >> http status 400 ("Fingerprint and/or ed25519 identity is marked rejected >> -- if you think this is a mistake please set a valid email address in >> ContactInfo and send an email to bad-rel...@lists.torproject.org >> mentioning your fingerprint(s)?") response from dirserver >> 199.58.81.140:80. Please correct. >> http status 400 ("Fingerprint and/or ed25519 identity is marked rejected >> -- if you think this is a mistake please set a valid email address in >> ContactInfo and send an email to bad-rel...@lists.torproject.org >> mentioning your fingerprint(s)?") response from dirserver >> 154.35.175.225:80. Please correct. >> http status 400 ("Fingerprint and/or ed25519 identity is marked rejected >> -- if you think this is a mistake please set a valid email address in >> ContactInfo and send an email to bad-rel...@lists.torproject.org >> mentioning your fingerprint(s)?") response from dirserver >> 204.13.164.118:80. Please correct. >> Unable to find IPv6 address for ORPort 443. You might want to specify >> IPv4Only to it or set an explicit address or set Address. [60 similar >> message(s) suppressed in last 3540 seconds] >> >> >> Torrc file attached. 
VPS servers are online and working. >> I setup IPv6 on one VPS and restarted tor, but it doesn't solve the >> problem fully. > > FWIW we are working on this on the bad-relays@ list. > > Georg > >> >> >> On 2022-04-11 06:34, li...@for-privacy.net wrote: >>> On Sunday, April 10, 2022 2:04:02 AM CEST onion...@riseup.net wrote: > 30 new exits at Frantec. Did you follow the AUP and send Francisco a > ticket > _beforehand_? Reverse DNS! Exit policy Port: 465, 587! > https://buyvm.net/acceptable-use-policy/ No, we did not pay attention to their AUP. We have long been using their services for proxy and there were no problems. Thank you for reminding. > You only set up IPv4. At Frantek you also have IPv6 on every VM. If you > need help setting it up, you can ask here and specify your OS. We think that IPv6 is rarely used and therefore did not put it up. >>> >>> The Tor project has invested a lot of time and effort into improving IPv6 >>> over >>> the last few years. The aim is to also enable IPv6 only relays. We want to >>> achieve more diversity, Tor-exit relays under different ASNs and multiple >>> ISPs. With IPv4 this is difficult. IP's are empty and to get a /24 you have >>> to >>> pay around 5000,- EUR in the first year with RIPE. One /24 is the least you >>> can announce as an ASN. You can't split that between different data centers. >>> IPv6 is easier and cheaper to get. In addition, there are more and more ISPs >>> that only offer IPv6. >>> >>> IPv6 only relays are only possible when almost all Tor relays support it. >>> Currently about 75% Tor exits¹ and 50% entry/middle relays. >>> https://nusenu.github.io/OrNetStats/#ipv6-relay-stats >>> Therefore, anyone who can should configure IPv6 or dual stack. >>> Site yui.cat shows that our nodes offline because not configured IPv6, right? >>> >>> No, yui.cat has nothing to do with it. This is a private status page using >>> data from onionoo and Tor-metrics. >>> First look at what's in the syslog. 
If you need help then post the errors and your torrc.
>>> When the Tor daemon is running without errors then as already mentioned, I
>>> think Francisco took you offline because your relays were blacklisted for
>>> open SMTP ports. Check if you have tickets in stallion. Or ask in the
>>> Frantech community chat on Discord, Matrix and IRC.
>>>
>>> ¹Heck, we've lost some IPv6 % since relayon is down. :-(
Re: [tor-relays] Relay question
onion...@riseup.net: I found in syslog file: http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 131.188.40.189:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 86.59.21.38:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 199.58.81.140:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 154.35.175.225:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 204.13.164.118:80. Please correct. Unable to find IPv6 address for ORPort 443. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds] Torrc file attached. VPS servers are online and working. I setup IPv6 on one VPS and restarted tor, but it doesn't solve the problem fully. FWIW we are working on this on the bad-relays@ list. 
Georg On 2022-04-11 06:34, li...@for-privacy.net wrote: On Sunday, April 10, 2022 2:04:02 AM CEST onion...@riseup.net wrote: 30 new exits at Frantec. Did you follow the AUP and send Francisco a ticket _beforehand_? Reverse DNS! Exit policy Port: 465, 587! https://buyvm.net/acceptable-use-policy/ No, we did not pay attention to their AUP. We have long been using their services for proxy and there were no problems. Thank you for reminding. You only set up IPv4. At Frantek you also have IPv6 on every VM. If you need help setting it up, you can ask here and specify your OS. We think that IPv6 is rarely used and therefore did not put it up. The Tor project has invested a lot of time and effort into improving IPv6 over the last few years. The aim is to also enable IPv6 only relays. We want to achieve more diversity, Tor-exit relays under different ASNs and multiple ISPs. With IPv4 this is difficult. IP's are empty and to get a /24 you have to pay around 5000,- EUR in the first year with RIPE. One /24 is the least you can announce as an ASN. You can't split that between different data centers. IPv6 is easier and cheaper to get. In addition, there are more and more ISPs that only offer IPv6. IPv6 only relays are only possible when almost all Tor relays support it. Currently about 75% Tor exits¹ and 50% entry/middle relays. https://nusenu.github.io/OrNetStats/#ipv6-relay-stats Therefore, anyone who can should configure IPv6 or dual stack. Site yui.cat shows that our nodes offline because not configured IPv6, right? No, yui.cat has nothing to do with it. This is a private status page using data from onionoo and Tor-metrics. First look at what's in the syslog. If you need help then post the errors and your torrc. When the Tor daemon is running without errors than as already mentioned, I think Francisco took you offline because your relays were blacklisted for open SMTP ports. Check if you have tickets in stallion. 
Or ask in the Frantech community chat on Discord, Matrix and IRC. ¹Heck, we've lost some IPv6 % since relayon is down. :-(
Re: [tor-relays] Relay question
I found in syslog file: http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 131.188.40.189:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 86.59.21.38:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 199.58.81.140:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 154.35.175.225:80. Please correct. http status 400 ("Fingerprint and/or ed25519 identity is marked rejected -- if you think this is a mistake please set a valid email address in ContactInfo and send an email to bad-rel...@lists.torproject.org mentioning your fingerprint(s)?") response from dirserver 204.13.164.118:80. Please correct. Unable to find IPv6 address for ORPort 443. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds] Torrc file attached. VPS servers are online and working. I setup IPv6 on one VPS and restarted tor, but it doesn't solve the problem fully. On 2022-04-11 06:34, li...@for-privacy.net wrote: > On Sunday, April 10, 2022 2:04:02 AM CEST onion...@riseup.net wrote: >> > 30 new exits at Frantec. 
Did you follow the AUP and send Francisco a >> > ticket >> > _beforehand_? Reverse DNS! Exit policy Port: 465, 587! >> > https://buyvm.net/acceptable-use-policy/ >> >> No, we did not pay attention to their AUP. We have long been using their >> services for proxy and there were no problems. Thank you for reminding. >> >> > You only set up IPv4. At Frantek you also have IPv6 on every VM. If you >> > need help setting it up, you can ask here and specify your OS. >> >> We think that IPv6 is rarely used and therefore did not put it up. > > The Tor project has invested a lot of time and effort into improving IPv6 > over > the last few years. The aim is to also enable IPv6 only relays. We want to > achieve more diversity, Tor-exit relays under different ASNs and multiple > ISPs. With IPv4 this is difficult. IP's are empty and to get a /24 you have > to > pay around 5000,- EUR in the first year with RIPE. One /24 is the least you > can announce as an ASN. You can't split that between different data centers. > IPv6 is easier and cheaper to get. In addition, there are more and more ISPs > that only offer IPv6. > > IPv6 only relays are only possible when almost all Tor relays support it. > Currently about 75% Tor exits¹ and 50% entry/middle relays. > https://nusenu.github.io/OrNetStats/#ipv6-relay-stats > Therefore, anyone who can should configure IPv6 or dual stack. > >> Site >> yui.cat shows that our nodes offline because not configured IPv6, right? > > No, yui.cat has nothing to do with it. This is a private status page using > data from onionoo and Tor-metrics. > First look at what's in the syslog. If you need help then post the errors and > your torrc. > When the Tor daemon is running without errors than as already mentioned, I > think Francisco took you offline because your relays were blacklisted for > open > SMTP ports. Check if you have tickets in stallion. Or ask in the Frantech > community chat on Discord, Matrix and IRC. 
>
> ¹Heck, we've lost some IPv6 % since relayon is down. :-(

Nickname Chive
MyFamily
Re: [tor-relays] Relay question
On Sunday, April 10, 2022 2:04:02 AM CEST onion...@riseup.net wrote:
> > 30 new exits at Frantec. Did you follow the AUP and send Francisco a ticket
> > _beforehand_? Reverse DNS! Exit policy Port: 465, 587!
> > https://buyvm.net/acceptable-use-policy/
>
> No, we did not pay attention to their AUP. We have long been using their
> services for proxy and there were no problems. Thank you for reminding.
>
> > You only set up IPv4. At Frantek you also have IPv6 on every VM. If you
> > need help setting it up, you can ask here and specify your OS.
>
> We think that IPv6 is rarely used and therefore did not put it up.

The Tor project has invested a lot of time and effort into improving IPv6 over the last few years. The aim is to also enable IPv6 only relays. We want to achieve more diversity, Tor-exit relays under different ASNs and multiple ISPs. With IPv4 this is difficult. IP's are empty and to get a /24 you have to pay around 5000,- EUR in the first year with RIPE. One /24 is the least you can announce as an ASN. You can't split that between different data centers. IPv6 is easier and cheaper to get. In addition, there are more and more ISPs that only offer IPv6.

IPv6 only relays are only possible when almost all Tor relays support it. Currently about 75% Tor exits¹ and 50% entry/middle relays.
https://nusenu.github.io/OrNetStats/#ipv6-relay-stats
Therefore, anyone who can should configure IPv6 or dual stack.

> Site
> yui.cat shows that our nodes offline because not configured IPv6, right?

No, yui.cat has nothing to do with it. This is a private status page using data from onionoo and Tor-metrics.
First look at what's in the syslog. If you need help then post the errors and your torrc.
When the Tor daemon is running without errors then as already mentioned, I think Francisco took you offline because your relays were blacklisted for open SMTP ports. Check if you have tickets in stallion. Or ask in the Frantech community chat on Discord, Matrix and IRC.

¹Heck, we've lost some IPv6 % since relayon is down. :-(

--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
Re: [tor-relays] Relay question
> 30 new exits at Frantec. Did you follow the AUP and send Francisco a ticket
> _beforehand_? Reverse DNS! Exit policy Port: 465, 587!
> https://buyvm.net/acceptable-use-policy/

No, we did not pay attention to their AUP. We have long been using their services for proxy and there were no problems. Thank you for reminding.

> You only set up IPv4. At Frantek you also have IPv6 on every VM. If you need
> help setting it up, you can ask here and specify your OS.

We think that IPv6 is rarely used and therefore did not put it up. Site yui.cat shows that our nodes offline because not configured IPv6, right?
Re: [tor-relays] Relay question
On Saturday, April 9, 2022 9:36:40 AM CEST onion...@riseup.net wrote:
> Hello, I have a question for other operators of the Tor. I started the
> nodes recently. On yui.cat status is displayed as offline
> (https://yui.cat/family/F81C34435CA08B81105B3C77CF29EE7824652BFB/,
> https://metrics.torproject.org/rs.html#search/family:8CD3507662A9946899CFE37BAA49B6AA58ED3E1D)?
> I did everything according to the instructions, the server works, the Tor
> process is running. Yesterday everything was displayed normally on yui.cat.
> I'm a new relay operator, I do not know why it happens.

30 new exits at Frantec. Did you follow the AUP and send Francisco a ticket _beforehand_? Reverse DNS! Exit policy Port: 465, 587!
https://buyvm.net/acceptable-use-policy/

You only set up IPv4. At Frantek you also have IPv6 on every VM. If you need help setting it up, you can ask here and specify your OS.

--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
[tor-relays] Relay question
Hello, I have a question for other operators of the Tor. I started the nodes recently. On yui.cat status is displayed as offline (https://yui.cat/family/F81C34435CA08B81105B3C77CF29EE7824652BFB/, https://metrics.torproject.org/rs.html#search/family:8CD3507662A9946899CFE37BAA49B6AA58ED3E1D)? I did everything according to the instructions, the server works, the Tor process is running. Yesterday everything was displayed normally on yui.cat. I'm a new relay operator, I do not know why it happens. Is this normal? Has anyone had the same situation?