On 23 Oct 2017, at 05:14, Igor Mitrofanov igor.n.mitrofanov@gmail.com wrote:
On my relays I am dropping any traffic that Tor itself does not rely on. I wonder if I should allow or block incoming and/or outgoing ICMP type 11 (time exceeded / timeout in transit)?
Try it and see?
My host does receive some ICMP type 11 packets, and does seem to send some out, but I am not sure if Tor is the source or destination. Do Tor relays use some 'traceroute'-like mechanism to detect unreachable relays?
Not as far as I am aware.
"netstat -s: ... ICMP input histogram: ... timeout in transit: 1923 ... ICMP output histogram: ... timeout in transit: 1277 " I remember seeing outgoing TCP packets with TTL set to 1 - those were the ones triggering incoming ICMP type 11 packets.
Are you running an exit? Do you have multiple IP addresses? Using OutboundBindAddressExit can help you to find out if it's tor relaying traffic, or tor exit traffic from clients that are doing TCP traceroutes.
T
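An added example, not from the thread: if exit traffic is bound to its own address with OutboundBindAddressExit, the IP header quoted inside each incoming ICMP type 11 message tells you which of your addresses sent the packet that expired, so you can tell relay traffic from exit-client traceroutes without guessing. The two addresses and the constructed sample packet are assumptions for the demonstration.

```python
import struct
import ipaddress

# Assumed addresses: ORPort/relay traffic leaves from RELAY_BIND, and torrc's
# OutboundBindAddressExit points exit traffic at EXIT_BIND (both hypothetical).
RELAY_BIND = "192.0.2.10"
EXIT_BIND = "192.0.2.11"


def parse_icmp_time_exceeded(icmp):
    """Parse an ICMP message body (outer IP header already stripped).

    Returns a dict describing the quoted packet that triggered the type 11
    message, or None if the message is not a usable time-exceeded message.
    """
    if len(icmp) < 8 + 20 + 8:              # ICMP header + inner IPv4 header + 8 bytes
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 11:
        return None
    inner = icmp[8:]                         # quoted IP header of the expired packet
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    ttl, proto = inner[8], inner[9]          # TTL as seen by the reporting router
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # first 8 bytes: TCP ports + seq
    return {"code": code, "ttl": ttl, "proto": proto,
            "src": src, "dst": dst, "sport": sport, "dport": dport}


def classify_origin(info):
    """Map the quoted source address back to the tor role that sent the packet."""
    if info is None:
        return "not-time-exceeded"
    return {RELAY_BIND: "relay", EXIT_BIND: "exit"}.get(info["src"], "unknown")


def build_sample(src, dst, sport, dport, ttl=1):
    """Constructed ICMP type 11 sample for offline testing (not a real capture)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, ttl, 6, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", 11, 0, 0, 0) + inner_ip + inner_tcp  # checksum left 0 in sample
```

Feeding the body of a captured ICMP message to parse_icmp_time_exceeded and counting classify_origin results separates the two cases the reply above describes.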