[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How to Run High Capacity Tor Relays (stateless iptables filtering)

To: tor-relays@xxxxxxxxxxxxxx
Subject: Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
From: coderman <coderman@xxxxxxxxx>
Date: Mon, 30 Aug 2010 13:11:50 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: tor-relays-outgoing@xxxxxxxx
Delivered-to: tor-relays@xxxxxxxxxxxxxx
Delivery-date: Mon, 30 Aug 2010 16:12:22 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=CG1qK4SW8sxzu2Bo2PqkFwHISFUBVuwbMY0oKVlKeDQ=; b=XcJ1+7MMFWqyMcMFPEFW4CZ702nzFTuiWL+7vi0Sa0ObApY0HpTgcwpaX8Q7Fo6oVS uUUwc4L/iTjShTY8BQNG5VmF/QjhHChlII0xingMYCK8Hy30kJhkkIWdKpQWnnu1NcwK hE7R/qsDTQlH/zMDn5it7KwS4lupVbHIYqPEc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=Q9yX1pQdVCteAS7G6mAwddT+d6ac0u3n/z7xHcXFGyeXDER6T2nari49BBrMHu4Cgl MdojdYRrGoJRst08ZO+iz6rZe2rRwPABzbUqcwu2/0JTT5k5yNHCHHDft3US0A08WdwF QWl0eShmgEYmTOiYmBwA+eM3I76+kNGPF9wjI=
In-reply-to: <4C7792E7.3070605@xxxxxxxxx>
References: <4C7792E7.3070605@xxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxx
Sender: owner-tor-relays@xxxxxxxxxxxxxx

On Fri, Aug 27, 2010 at 3:26 AM, tor_ml <tor_ml@xxxxxxxxx> wrote:
>...
> but in general there is also another way (or many other ways) to close a
> connection:
> "
> It is also possible to terminate the connection by a 3-way handshake, when
> host A sends a FIN and host B replies with a FIN & ACK (merely combines 2
> steps into one) and host A replies with an ACK. This is perhaps the most
> common method.
> "
>
> https://secure.wikimedia.org/wikipedia/en/wiki/Transmission_Control_Protocol#Connection_termination
>
> I agree with Olaf and would only use the -p tcp --syn rule to filter new
> connection to the server on unwanted ports.

I am fond of the TARPIT target for slowing down naive scanners. it's a
bit of a pain to get integrated, but fun :)

"""
Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources.  Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds.  Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.
"""

Follow-Ups:
- Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
  - From: Mike Perry

References:
- Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
  - From: tor_ml

Prev by Author: Re: How to Run High Capacity Tor Relays
Next by Author: Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
Previous by thread: Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
Next by thread: Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
Index(es):
- Author
- Thread