
Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing



Hi David,

Couldn't I firewall the non-obfs port so only loopback addresses may access it?

Cordially,
Nathaniel Suchy

On Tue, Aug 21, 2018 at 11:37 AM David Fifield <david@xxxxxxxxxxxxxxx> wrote:
On Mon, Aug 20, 2018 at 02:25:40PM -0400, Nathaniel Suchy wrote:
> Interesting. Is there any reason to not use an obfuscated bridge?

No, not really. obfs4 resists active probing without any special
additional steps. But I can think of one reason why the MSS trick is
worth trying, anyway. Due to a longstanding bug (really more of a design
issue that's hard to repair), you can't run an obfs4 bridge without also
running a vanilla (unobfuscated) bridge on a different port on the same
IP address. So if anyone ever connects to that vanilla port, the bridge
will get probed and the entire IP address blocked, including the obfs4
port.
https://bugs.torproject.org/7349
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
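One way to set up the firewall rule Nathaniel asks about, as an added example that is not part of this thread or of Tor's own configuration: a small shell script that generates an nftables ruleset exposing only the obfs4 port and restricting the vanilla ORPort to the loopback interface. The port numbers 9001 (ORPort) and 443 (obfs4) and the table name are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread. Generates an nftables
# ruleset so that the vanilla ORPort (which tor insists on opening next
# to the obfs4 listener) is reachable from the loopback interface only,
# while the obfs4 port stays open to the internet.
#
# The accept rule matches the loopback *interface* (iif "lo"), not a
# 127.0.0.0/8 source address: a packet with a spoofed loopback source
# arriving on the public interface would not match it.

bridge_ruleset() {
    orport="$1"      # assumed torrc: ORPort 9001
    obfs4port="$2"   # assumed torrc: ServerTransportListenAddr obfs4 0.0.0.0:443
    cat <<EOF
table inet bridge {
    chain input {
        type filter hook input priority 0; policy accept;

        # local processes (obfs4proxy talking to tor) reach the ORPort over lo
        iif "lo" accept

        # the obfs4 transport must stay reachable from outside
        tcp dport ${obfs4port} accept

        # anything else aimed at the vanilla ORPort is dropped, so a stray
        # connection cannot trigger an active probe of this port
        tcp dport ${orport} drop
    }
}
EOF
}

# Apply the generated ruleset (needs root and nftables).
apply_ruleset() {
    bridge_ruleset "$1" "$2" | nft -f -
}

# Returns success if the generated ruleset contains the given rule text.
# Useful as a sanity check after editing the template above.
ruleset_has_rule() {
    bridge_ruleset "$1" "$2" | grep -qF "$3"
}
```

Merge the chain into whatever ruleset the host already runs rather than loading it alongside a second input chain with a conflicting policy. Two caveats to check before relying on this: tor runs a self-test of ORPort reachability before it publishes a descriptor, so with the ORPort unreachable from outside you may need `AssumeReachable 1` in torrc (verify this against the tor manual for your version); and confirm the result from a different host, where a TCP connect to the obfs4 port should succeed and one to the ORPort should time out.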