TOR always on, is this a vulnerability?

By leaving TOR always up and running in IPFire, can it compromise security in any way?
Thank you in advance.

No, it doesn’t afaik.
Keep in mind that some websites block known IPs from exit relays and some (fewer) websites block all known relay IPs (so middle and guard relays as well). The latter has no use at all, but it is just what happens sometimes. (Should you want to run an exit relay, please inform yourself about the risks involved).
So if you are running a relay on your IPFire firewall, some websites may block your IP address forever.
That’s the only drawback I can find. If you are running a bridge or the socksproxy you should be fine.


Thank you very much.
I have configured TOR on IPFire this way and it seems to work perfectly:

So I can leave it on like this 24 hours a day?

Yes, there will be no vulnerability in your firewall that I know of.

Two things to think about:

  • You have configured a relay (thanks for that!). Be aware that some sites may block your IP address for that. So better not do this from your home / company / school IP-address if that IP-address is also used for internet access.
  • You allow for unlimited bandwidth. Over time your relay will take all the bandwidth it can get. It will only be limited by your processor/memory capacity or your available bandwidth.

Edit: It’s Tor (not TOR) :slight_smile:


I am not an expert on Tor :pensive:.

What happens in this condition?

Relay port (9001), should it be open in the router?

I haven’t run a relay on my IPFire for a long time so I am not sure, but I think the Relay port should open automatically. The Tor logfile should indicate that your ORPort (=relay port) is reachable! If not, the relay is not functional. I think the Tor logfile is in /var/log/tor or something like that. (On Debian it logs to /var/log/syslog).

A Relay is part of the Tor network.
For more info on Tor maybe this is a good start. (Not sure about your native language, but also in Spanish).

For more info about the lifecycle of new relay see:

If you enter a Relay nickname (can be anything) you can search for your relay on (Will take a few hours)

You can ask further questions about Tor on


Yes, I read in the Wiki that IPFire automatically opens the Relay port.
And that made me suspect that 9001 must be open.
I have a NAT. If IPFire opens the 9001 port automatically, I’m afraid that if I don’t set a Port Forward in my router, the 9001 port will still be closed from the outside.
And I may be right. I found this in the logs:

Apr 26 14:06:30	Tor	1c	daemon	warning	Tor[5186]: Your server has not managed to confirm reachability for its ORPort(s) at Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc. 

I will study the links sent, with the help of my translator friend “DeepL”.
Thank you very much for the valuable information :blush:.

I don’t know what your infra looks like, but if you have a NAT router between IPFire and Internet, you should indeed port-forward port 9001 to your IPFire RED IP-address on that router.
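
Added example, not part of the original posts and not IPFire or Tor project code: a small shell function that reads a Tor log and reports the most recent ORPort self-test verdict, so the effect of the port forward can be confirmed. The log path is left as a parameter because the thread does not pin it down; the "Self-testing indicates your ORPort ... is reachable from the outside" pattern is Tor's usual success notice and is assumed here, and the sample lines are constructed.

```shell
#!/bin/sh
# Report the last ORPort reachability verdict recorded in a Tor log.
# Prints one of: reachable | unreachable | unknown

orport_status() {
    logfile=$1
    # No readable log means no verdict at all
    if [ ! -r "$logfile" ]; then
        echo "unknown"
        return 0
    fi
    # Walk the log in order; the last matching line wins, so a warning
    # logged before the port forward is overridden by a later success.
    awk '
        /Self-testing indicates your ORPort.*is reachable from the outside/ { state = "reachable" }
        /has not managed to confirm reachability for its ORPort/            { state = "unreachable" }
        END { print (state == "" ? "unknown" : state) }
    ' "$logfile"
}

# Demo on constructed log lines (timestamps and PID are made up)
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Apr 26 14:06:30 Tor[5186]: Your server has not managed to confirm reachability for its ORPort(s) at (address elided). Please check your firewalls, ports, address, /etc/hosts file, etc.
Apr 26 14:31:12 Tor[5186]: Self-testing indicates your ORPort is reachable from the outside. Excellent.
EOF
echo "ORPort status: $(orport_status "$demo_log")"
rm -f "$demo_log"
```

A result of "unreachable" after the forward is in place means connections to port 9001 are still being dropped somewhere between the router and the RED interface.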

Forgot to mention. Do not enable the TOR blocklists in Firewall → IP Address Blocklist. I think they will block connections from your relay to other relays (and vice versa); your relay will be of no use in that case.