[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How to Run High Capacity Tor Relays (stateless iptables filtering)

On Mon, Aug 30, 2010 at 4:30 PM, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> ...
> It wasn't clear to me that tarpitting can be set up without a
> RELATED,ESTABLISHED rule before it.. Also, this is not integrated into
> the kernel or iptables yet either, right?

The tarpit rule doesn't use any connection tracking; whether you have
RELATED,ESTABLISHED matches before (less ideal) or after (better, less
to track) the functionality is the same.

As mentioned in the docs, you want to TARPIT first if possible so you
avoid any connection tracking penalty on the TARPIT'ed sessions; they
can last a loooong time :)

for TARPIT target support, you can grab older patch-o-matic variants,
or direct patches:

there might be other sources, and your distro of choice may even
include support for it in an extended repo somewhere...