Re: [tor-relays] max TCP interruption before Tor circuit teardown?
David Serrano:
> On 2013-10-27 12:29:33 (-0700), Gordon Morehouse wrote:
>>
>> I've implemented these and I'd really love for anyone who's great at
>> iptables to sanity-check my rules[1] because I am an iptables relative
>> noob.
>>
>> 5: # TODO: don't know if fail2ban will override this if a host with established
>> 6: # connections gets temp banned. We don't want it to. Need to find out.
>>
> It depends on the spot fail2ban inserts the new firewall rules. If it's before
> the '--state ESTABLISHED' rule, then the ban will be enforced. Otherwise, the
> kernel will let the packets through when they reach that rule.
Here's my 'iptables -L' output, on pastebin because it's a mess when
formatted for email: http://pastebin.com/f1VZNeTF
That's not a fresh boot, though, I did:
'iptables -F'
'service fail2ban reload'
and then ran the iptables commands by hand, in order.
>> 12: iptables -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
>> [...]
>> 17: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j LOG
>> 18: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j REJECT
>>
> You don't need '-m state --state NEW' in lines 17 and 18 because all packets
> in that chain are already known to be new.
Ah, right - thanks! That might save a few cycles, assuming iptables
wouldn't optimize it out. Important for the Raspberry Pi!
> I recommend always using --log-prefix for easy future grepping.
Another good idea, thanks again. I've committed these changes to the
repo.
Best,
-Gordon M.
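An added sanity-check script, not from the thread or Gordon's repo: given `iptables -S` output (a constructed sample below, not the poster's real rule set), it flags the three points discussed above: a fail2ban jump chain ordered above the ESTABLISHED accept (so a ban would cut live connections), rules inside SYN_THROTTLE that re-test `--state NEW`, and LOG rules lacking `--log-prefix`. The `fail2ban-`/`f2b-` chain-name prefixes are assumed defaults.

```python
"""Sanity checks over `iptables -S` output for the three points raised in the
thread; the rule set below is constructed, not the poster's real one."""

SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
-A SYN_THROTTLE -m limit --limit 10/sec -j RETURN
-A SYN_THROTTLE -m state --state NEW -j LOG
-A SYN_THROTTLE -m state --state NEW -j REJECT
"""

def parse(rules_text):
    """Map chain name -> ordered list of token lists (only '-A' lines)."""
    chains = {}
    for line in rules_text.splitlines():
        toks = line.split()
        if len(toks) > 2 and toks[0] == "-A":
            chains.setdefault(toks[1], []).append(toks)
    return chains

def opt(rule, flag):
    """Value following `flag` in a rule, or None if the flag is absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def state(rule):
    """Connection-state match, whether written as --state or --ctstate."""
    return opt(rule, "--state") or opt(rule, "--ctstate") or ""

def bans_before_established(chains, chain="INPUT", prefixes=("fail2ban-", "f2b-")):
    """Ban-chain jumps sitting above the ESTABLISHED accept: a ban there cuts live connections."""
    rules = chains.get(chain, [])
    est = next((i for i, r in enumerate(rules)
                if opt(r, "-j") == "ACCEPT" and "ESTABLISHED" in state(r)), len(rules))
    return [opt(r, "-j") for r in rules[:est] if (opt(r, "-j") or "").startswith(prefixes)]

def redundant_new_checks(chains, chain):
    """Rules in `chain` re-testing NEW although every jump into it already requires NEW."""
    jumps = [r for rs in chains.values() for r in rs if opt(r, "-j") == chain]
    if not jumps or any(state(r) != "NEW" for r in jumps):
        return []
    return [" ".join(r) for r in chains.get(chain, []) if state(r) == "NEW"]

def log_rules_without_prefix(chains):
    """LOG targets lacking --log-prefix, which makes later grepping painful."""
    return [" ".join(r) for rs in chains.values() for r in rs
            if opt(r, "-j") == "LOG" and "--log-prefix" not in r]
```

Run it against `iptables -S` captured after `service fail2ban reload` to see where fail2ban actually placed its jump relative to the ESTABLISHED rule.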
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays