On Sunday, 14 July 2024 15:54:45 CEST Toralf Förster via tor-relays wrote:
> On 7/12/24 00:14, boldsuck wrote:
> > The idea is not bad. But can you simply discard every ≤ 50-byte packet?
> > Probably not
> >
> > I drop fragments and uncommon TCP MSS values.
> > ip frag-off & 0x1fff != 0 counter drop
>
> IIUC then using conntrack via iptables means that this filter cannot be
> implemented, right?

I have the above rule in 'chain ingress' and later in 'chain prerouting' & 'chain input' I have ct rules.
Bo and I (https://gitlab.torproject.org/tpo/community/support/-/issues/40093) used this nftables skeleton from the blog below for our rules.

> > tcp flags syn tcp option maxseg size 1-536 counter drop
>
> Is 536 == 514 + 22 (Tor packet size + IP header)? It is my
> understanding that Tor sends out small TCP/IP packets besides the
> 514-byte sized ones.

So my nftables skeleton came from the discussion on this blog:
https://samuel.forestier.app/blog/security/nftables-hardening-rules-and-good-practices

The quote about MSS is there:
"According to https://en.wikipedia.org/wiki/Maximum_segment_size the default TCP Maximum Segment Size is 536 octets (bytes)."

--
╰_╯ Ciao Marco!

Debian GNU/Linux
It's free software and it gives you freedom!
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
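The split Marco describes, stateless drops in a netdev ingress chain and conntrack rules later in the inet chains, written out as one complete nftables ruleset. This is an added example for this page, not the ruleset from the thread or from the linked blog: the uplink name eth0 and the ORPort 9001 are assumed placeholders, and the wider 0x3fff fragment mask and the IPv6 fragment rule go beyond the two rules quoted in the mail. It answers Toralf's question in the obvious way: the ingress hook runs before conntrack (and before the IP layer reassembles fragments), so putting the rule there neither needs nor disturbs ct, and the ct rules in input still see every surviving packet.

```nft
#!/usr/sbin/nft -f
# Added example; not the ruleset from the tor-relays thread.
# Assumptions (hypothetical): the relay's uplink is eth0, the ORPort is 9001.
flush ruleset

# The netdev ingress hook is evaluated before conntrack (prerouting -200)
# and before IP defragmentation, so stateless sanity checks belong here.
# Nothing in this table touches ct; the inet chains below still use it.
table netdev ingress_filter {
    chain ingress {
        type filter hook ingress device eth0 priority -500; policy accept;

        # The rule quoted in the thread: non-first IPv4 fragments
        # (fragment offset != 0). The first fragment has offset 0 and
        # only the MF bit (0x2000) set, so it is NOT matched by this rule.
        ip frag-off & 0x1fff != 0 counter drop
        # To drop every fragment including the first, widen the mask
        # to cover MF as well:  ip frag-off & 0x3fff != 0 counter drop

        # IPv6 carries no frag-off field; the fragment extension header
        # is the equivalent signal.
        exthdr frag exists counter drop

        # SYNs advertising an MSS of 1-536. 536 is the default TCP MSS
        # (RFC 879: 576-byte default datagram minus 40 bytes of headers),
        # the value Marco cites from the blog. The match only fires when
        # the SYN actually carries an MSS option; a SYN without one passes.
        # Caveat: low-MTU paths (tunnels, some mobile links) legitimately
        # advertise small MSS values, so read the counter for a while
        # before trusting this rule on a production relay.
        tcp flags syn tcp option maxseg size 1-536 counter drop
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept

        # conntrack is fully usable here: the ingress chain above dropped
        # junk before ct ever saw it, it did not bypass or disable ct.
        ct state vmap { established : accept, related : accept, invalid : drop }

        # ICMP/ICMPv6 are needed for PMTUD and neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Tor ORPort (hypothetical value).
        tcp dport 9001 ct state new accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
```

Load it with `nft -f <file>` (or `nft -c -f <file>` for a syntax-only check first) and watch what the stateless rules are catching with `nft list chain netdev ingress_filter ingress`; the `counter` on each rule is what lets you judge the MSS threshold against real client traffic before the drop costs you relay users.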