Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
- To: tor-relays@xxxxxxxxxxxxxx
- Subject: Re: How to Run High Capacity Tor Relays (stateless iptables filtering)
- From: coderman <coderman@xxxxxxxxx>
- Date: Mon, 30 Aug 2010 13:11:50 -0700
- In-reply-to: <4C7792E7.3070605@xxxxxxxxx>
- References: <4C7792E7.3070605@xxxxxxxxx>
- Reply-to: tor-relays@xxxxxxxxxxxxxx
- Sender: owner-tor-relays@xxxxxxxxxxxxxx
On Fri, Aug 27, 2010 at 3:26 AM, tor_ml <tor_ml@xxxxxxxxx> wrote:
>...
> but in general there is also another way (or many other ways) to close a
> connection:
> "
> It is also possible to terminate the connection by a 3-way handshake, when
> host A sends a FIN and host B replies with a FIN & ACK (merely combines 2
> steps into one) and host A replies with an ACK. This is perhaps the most
> common method.
> "
>
> https://secure.wikimedia.org/wikipedia/en/wiki/Transmission_Control_Protocol#Connection_termination
>
> I agree with Olaf and would only use the -p tcp --syn rule to filter new
> connections to the server on unwanted ports.
I am fond of the TARPIT target for slowing down naive scanners. It's a
bit of a pain to get integrated, but fun :)
"""
Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources. Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds. Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.
"""