On Wed, Jul 03, 2019 at 02:09:02AM +0000, torix@protonmail.com wrote:
> Looking at the new, improved instructions for Debian/Ubuntu obfs4 bridges, I am confused by the talk about a fixed obfs4 bridge port. The line to do this is commented out. Does that mean it is optional to give obfs4 a fixed port? If it were a random port, however, I'd need a lot of open ports on my firewall...
We recommend not setting ServerTransportListenAddr and keeping the "ORPort auto" setting, which makes Tor pick a random OR and obfs4 port for you. These random ports persist across restarts, so you only have to forward them once -- at least as long as you keep your data directory. We don't provide a static port in the sample config because we don't want operators to end up with the same port. If that were the case, censors could scan the IPv4 address space for these ports and block all bridges they find that way.
That said, feel free to choose your own obfs4 port. For example, we could use more bridges whose obfs4 port is 443. Just avoid port 9001 as it's commonly associated with Tor and an attractive target for Internet-wide scanning.
I hope this clears things up a bit.
Cheers, Philipp
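
As an added example (not part of the mail above and not Tor Project code), this Python check reads a bridge torrc and reports how the OR and obfs4 ports are chosen, flagging port 9001. The function names and both sample configs are constructed for illustration; ORPort and ServerTransportListenAddr are the torrc options the mail discusses.

```python
import re

# Port the mail singles out as commonly associated with Tor and scanned for.
SCANNED_PORTS = {9001}

def _port(value):
    """Return 'auto' or the integer port from 'auto', '443', '0.0.0.0:443' or '[::]:443'."""
    if value.lower() == "auto":
        return "auto"
    m = re.search(r"(?:^|:)(\d{1,5})$", value)
    if not m:
        raise ValueError(f"cannot parse port from {value!r}")
    return int(m.group(1))

def audit_bridge_torrc(text):
    """Return (ports, findings) for the OR and obfs4 ports set in a torrc."""
    ports = {"ORPort": None, "obfs4": None}   # None = option not set
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # commented-out lines do not count
        key = fields[0].lower() if fields else ""
        if key == "orport" and len(fields) >= 2:
            ports["ORPort"] = _port(fields[1])  # flags after the port are ignored
        elif key == "servertransportlistenaddr" and len(fields) >= 3 and fields[1] == "obfs4":
            ports["obfs4"] = _port(fields[2])
    findings = []
    for name, port in ports.items():
        if port in SCANNED_PORTS:
            findings.append(f"{name} uses port {port}: commonly associated with Tor, pick another")
        elif isinstance(port, int):
            findings.append(f"{name} fixed at {port}: forward this port")
        elif port == "auto" or (name == "obfs4" and port is None):
            findings.append(f"{name}: random port chosen by Tor, forward it once")
    return ports, findings

# Constructed sample configs (not taken from the mail or the Tor documentation).
RECOMMENDED = """\
BridgeRelay 1
ORPort auto
#ServerTransportListenAddr obfs4 0.0.0.0:PORT
"""
RISKY = """\
BridgeRelay 1
ORPort 9001
ServerTransportListenAddr obfs4 0.0.0.0:443
"""

if __name__ == "__main__":
    for label, cfg in (("recommended", RECOMMENDED), ("risky", RISKY)):
        print(label, *audit_bridge_torrc(cfg)[1], sep="\n  ")
```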