Hi everybody

>>> Will a particular Tor server/client open more than one
>>> connection at a time to the DirPort?
>>
>> If you're worried about denial of service issues on the DirPort,
>> maybe the simple answer is to turn off the DirPort? I think the
>> only real impact might have something to do with whether old
>> clients believe that you're a usable guard.
>
> understood - removed those iptables rules

Good discussion. My experience is that protecting the DirPort makes sense
to avoid DDoS attempts. During my Debian times this rule worked fine for me:

/sbin/iptables -A INPUT -p tcp -d $IPEXT --dport 80 -m limit --limit 5/s --limit-burst 50 -j ACCEPT

On FreeBSD I go with something like:

pass in on $IFEXT inet proto tcp from !<blockDIR> to $IPEXT port 80 flags S/SA keep state (max 150, max-src-states 50, max-src-conn 50, max-src-conn-rate 20/10, overload <blockDIR>)

# release the blockDIR after some hours
pfctl -t blockDIR -T expire 7200    # hourly cron job

--
Cheers, Felix
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
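The two rules Felix posts use parameters whose effect on a burst of DirPort connections is easy to misread, so here is an added example (not code from the original thread or from Tor) that models both: the netfilter `limit` match (`--limit 5/s --limit-burst 50`) as a token bucket with 50 tokens refilled at 5 per second, and pf's `max-src-conn-rate 20/10` with its `overload <blockDIR>` table and the `pfctl -T expire 7200` cleanup. It is a simplified model of the documented semantics, not the kernel implementation, and the timestamps and source addresses fed to it are constructed sample data.

```python
"""Simplified model of the two DirPort rate limits quoted in the thread.

Added example, not part of the original message.  Approximates:
  (a) netfilter `-m limit --limit 5/s --limit-burst 50`: a token bucket that
      starts full with `burst` tokens and refills at `rate` tokens/second;
  (b) pf `max-src-conn-rate 20/10 ... overload <blockDIR>`: a source that
      opens more than 20 connections within 10 seconds goes into the
      overload table and is refused until the entry is expired.
All traffic below is constructed sample data.
"""
from collections import deque


class LimitMatch:
    """Token bucket in the spirit of `-m limit`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity (--limit-burst)
        self.tokens = float(burst)   # netfilter starts with a full bucket
        self.last = 0.0

    def allow(self, now):
        # Refill for the elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True          # the ACCEPT rule matches
        return False             # falls through to whatever rule comes next


class SrcConnRate:
    """pf-style `max-src-conn-rate COUNT/SECONDS` plus an overload table."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.history = {}        # src -> deque of recent connection times
        self.overload = {}       # src -> time it was added to <blockDIR>

    def expire(self, now, ttl):
        # Equivalent of `pfctl -t blockDIR -T expire <ttl>`: drop entries
        # older than ttl seconds.
        for src, added in list(self.overload.items()):
            if now - added >= ttl:
                del self.overload[src]

    def connect(self, src, now):
        if src in self.overload:
            return False         # `from !<blockDIR>` no longer matches
        q = self.history.setdefault(src, deque())
        q.append(now)
        while q and now - q[0] > self.seconds:
            q.popleft()          # keep only the sliding window
        if len(q) > self.count:
            self.overload[src] = now   # overload <blockDIR>
            return False
        return True


def simulate_iptables(times, rate=5, burst=50):
    """Return one bool per SYN timestamp: True if the limited ACCEPT matched."""
    lm = LimitMatch(rate, burst)
    return [lm.allow(t) for t in times]


def simulate_pf(events, count=20, seconds=10):
    """events: list of (timestamp, src). Return one bool per connection."""
    scr = SrcConnRate(count, seconds)
    return [scr.connect(src, t) for t, src in events]


if __name__ == "__main__":
    # Constructed flood: 60 SYNs in the same second, then 6 one second later.
    accepted = simulate_iptables([0.0] * 60 + [1.0] * 6)
    print("iptables: accepted %d of %d" % (sum(accepted), len(accepted)))

    # Constructed pf sample: one source opens 25 connections at once.
    flood = [(0.0, "192.0.2.10")] * 25 + [(0.0, "192.0.2.20")]
    print("pf:", simulate_pf(flood))
```

Worth noting when reading the netfilter side: the `limit` match only decides whether the `ACCEPT` rule fires; packets that exceed the budget are not dropped by that rule but fall through to the next rule or the chain policy, so the rule needs a following DROP (or a DROP policy) to actually shed the flood. On the pf side, entries placed in `<blockDIR>` stay there until something removes them, which is why the hourly `pfctl -T expire` job matters.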