On 2013-10-27 16:35:43 (-0700), Gordon Morehouse wrote:
>
> And, after the boot, I've simulated an aggressive host from another
> machine using hping, and here's the output of 'iptables -L' after
> fail2ban banned the host (LAN IP partly redacted to settle my
> paranoia): http://pastebin.com/1L62z23b

That resulting ruleset will break circuits. Packets from flooding hosts
won't have a chance to reach the '--state ESTABLISHED' rule since they
are dropped before that, from within the fail2ban-tor-syn-flood chain.

> > However, do you need fail2ban now that you are throttling SYNs
> > without affecting circuits?
>
> Uncertain. I'd added it as an adjunct to the throttling, hoping a
> temporary placement into the DROP chain would save cycles and memory
> as REJECT ICMP packets would no longer be sent

But you can drop packets in the SYN_THROTTLE chain instead of rejecting
them, without fail2ban. Or you can accept them until a threshold is
reached, then log/reject them up to a second threshold, then silently
drop them.

--
David Serrano
GnuPG id: 280A01F9
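The tiered throttle described above (accept, then log/reject, then silently drop, per source IP) with the ESTABLISHED rule placed ahead of it, written out as an added example that is not part of the thread; the ORPort number, the rates, the chain names and the emit_rules helper are assumptions, not anything posted on the list.

```shell
#!/bin/sh
# Added example: tiered SYN throttle for a Tor relay's ORPort. Existing
# circuits are matched by the ESTABLISHED rule before any throttling, so
# a noisy source can never break a circuit it already holds.
ORPORT=${ORPORT:-9001}        # assumed ORPort
T1_RATE=${T1_RATE:-10/sec}    # tier 1: at or below this rate per source -> accept
T1_BURST=${T1_BURST:-30}
T2_RATE=${T2_RATE:-50/sec}    # tier 2: overflow from tier 1, up to this rate -> log + reject
T2_BURST=${T2_BURST:-100}

# emit_rules prints the ruleset in iptables-restore(8) format so it can be
# reviewed or validated before loading; nothing is applied here.
emit_rules() {
    cat <<EOF
*filter
:SYN_THROTTLE - [0:0]
:SYN_TIER2 - [0:0]
# Established/related traffic first: never subject to the throttle.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only new SYNs to the ORPort enter the throttle chain.
-A INPUT -p tcp --dport $ORPORT --syn -m conntrack --ctstate NEW -j SYN_THROTTLE
# Tier 1: per-source rate within T1 -> RETURN to INPUT, accepted below.
-A SYN_THROTTLE -m hashlimit --hashlimit-name syn_t1 --hashlimit-mode srcip --hashlimit-upto $T1_RATE --hashlimit-burst $T1_BURST -j RETURN
# Tier 2: only packets that exceeded tier 1 reach this bucket; while the
# overflow stays within T2 they are logged (rate-limited) and rejected.
-A SYN_THROTTLE -m hashlimit --hashlimit-name syn_t2 --hashlimit-mode srcip --hashlimit-upto $T2_RATE --hashlimit-burst $T2_BURST -j SYN_TIER2
# Tier 3: beyond that, drop silently (no RST, no ICMP, no log).
-A SYN_THROTTLE -j DROP
-A SYN_TIER2 -m limit --limit 5/min -j LOG --log-prefix "SYN_THROTTLE t2: "
-A SYN_TIER2 -p tcp -j REJECT --reject-with tcp-reset
# SYNs that came back from tier 1 are accepted here.
-A INPUT -p tcp --dport $ORPORT --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Validate without touching the kernel, then load (both need root):
#   emit_rules | iptables-restore --test
#   emit_rules | iptables-restore
```

Because each hashlimit rule only accounts packets that reach it, the tier 2 rate is measured on the overflow from tier 1, so the total a single source can send before being dropped is roughly T1 plus T2.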
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays