
Re: How to Run High Capacity Tor Relays
On 27.08.2010 01:57, tor_ml wrote:
> 
> example:
> if you had this ruleset _using_ conntrack:
> 
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,443 -j ACCEPT
> -A INPUT -j DROP
> (I assume OUTPUT is unfiltered [ACCEPT])
> 
> I would rewrite it to the following if you have to _omit_ connection
> tracking and want to have unfiltered outbound traffic
> 
> -A INPUT -m multiport -p tcp --dports 22,443 -j ACCEPT
> -A INPUT -p tcp --syn -j DROP (this is the short equivalent to your rule)
> (INPUT policy is ACCEPT)

I found all the fancy Linux netfilter and conntrack kernel module stuff
to have unwanted side effects and decided not to use them on blutmagie.
Connection tracking involves a lot of overhead keeping track of >1000
changes per second in the tcp session table. And with a conntrack table
completely filled up you won't even be able to log in with ssh. So if
someone is going to DoS the machine one is helpless without dedicated
remote console access bypassing the Linux kernel.

Regarding tcp scanning I see no point in wasting cpu time blocking it
using iptables and netfilter, as long as the applications and the kernel's
ip stack are considered safe.

just my 0.02€
Olaf
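As an added example (not part of the thread above), a small POSIX sh health check for the failure mode Olaf describes, where a full conntrack table locks out even ssh: it reads the standard nf_conntrack sysctl files and classifies table utilisation against warning and critical thresholds. The file paths are the usual kernel ones; the threshold values and the sample numbers used in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example: warn before the conntrack table fills up on a busy relay.
# Assumed sysctl paths (standard for the nf_conntrack module); override via env.
CT_MAX_FILE=${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}
CT_COUNT_FILE=${CT_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}

# conntrack_pct COUNT MAX -> integer percentage of the table in use.
# Fails (status 1) when MAX is zero or missing, so callers never divide by zero.
conntrack_pct() {
    count=$1; max=$2
    [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# conntrack_state COUNT MAX [WARN%] [CRIT%]
# Exit status: 0 ok, 1 warning (>= WARN%), 2 critical (>= CRIT%), 3 unreadable input.
# Thresholds default to 80/95 (constructed values, tune for the relay).
conntrack_state() {
    pct=$(conntrack_pct "$1" "$2") || return 3
    warn=${3:-80}; crit=${4:-95}
    if [ "$pct" -ge "$crit" ]; then
        return 2
    elif [ "$pct" -ge "$warn" ]; then
        return 1
    fi
    return 0
}

# check_live: read the running kernel's counters and report. If the sysctl files
# are absent the conntrack module is not loaded, which is the case on a relay
# that filters statelessly as in the thread, so there is nothing to check.
check_live() {
    if ! [ -r "$CT_MAX_FILE" ] || ! [ -r "$CT_COUNT_FILE" ]; then
        echo "conntrack: module not loaded, no table to exhaust"
        return 0
    fi
    max=$(cat "$CT_MAX_FILE"); count=$(cat "$CT_COUNT_FILE")
    rc=0; conntrack_state "$count" "$max" || rc=$?
    echo "conntrack: $count/$max entries ($(conntrack_pct "$count" "$max")%) state=$rc"
    return $rc
}

# Run the live check only when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

The exit status follows the usual monitoring convention, so the script can be dropped into a cron job or a Nagios-style check to alert before the kernel starts logging "nf_conntrack: table full, dropping packet".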