On Tue, Aug 15, 2017 at 2:08 PM, Toralf Förster toralf.foerster@gmx.de wrote:
I do have the following iptables rules here:
# Tor
#
dirport=80
orport=443
$IPT -A INPUT -p tcp --destination-port $dirport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
$IPT -A INPUT -p tcp --destination-port $orport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
which seems to work fine. An
$> ip6tables -nvL
gives
14110 746K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW #conn src/32 > 1
230K 14M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW #conn src/32 > 1
after a few days, so I would just like to ask here whether the rules above are fine or if I overlooked something?
Toralf
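Added example, not part of the thread: a small Python parser for the `iptables -nvL` counter lines quoted above, so the drop counters of the two connlimit rules can be tracked over time instead of being read by hand. The listing below is constructed after the output in the mail; the K/M/G suffixes are interpreted with the decimal multipliers iptables uses when printing counters.

```python
import re

# Constructed sample modelled on the listing in the mail (not a live capture).
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
14110  746K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW #conn src/32 > 1
 230K   14M DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW #conn src/32 > 1
"""

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_CONNLIMIT = re.compile(r"#conn src/(?P<mask>\d+) > (?P<limit>\d+)")
_DPT = re.compile(r"dpt:(?P<port>\d+)")


def _parse_count(token):
    """Turn a -v counter such as '746K' into an integer; raise on non-counter text."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_connlimit_rules(listing):
    """Return one dict per rule line that carries a connlimit match."""
    rules = []
    for line in listing.splitlines():
        # pkts bytes target prot opt in out source destination <match text>
        fields = line.split(None, 9)
        if len(fields) < 10:
            continue  # chain banner or blank line
        try:
            pkts, nbytes = _parse_count(fields[0]), _parse_count(fields[1])
        except ValueError:
            continue  # column header line
        conn = _CONNLIMIT.search(fields[9])
        if not conn:
            continue  # rule without a connlimit match
        dpt = _DPT.search(fields[9])
        rules.append({
            "target": fields[2], "proto": fields[3],
            "dport": int(dpt.group("port")) if dpt else None,
            "mask": int(conn.group("mask")), "limit": int(conn.group("limit")),
            "pkts": pkts, "bytes": nbytes,
        })
    return rules


def describe(rule):
    """One-line reading of a parsed connlimit rule, for a rule review."""
    return (f"{rule['target']} new {rule['proto']} connections to port {rule['dport']} "
            f"once a single /{rule['mask']} source has more than {rule['limit']} open")
```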
Hey
I am just curious: why is it needed to block >1 connections per IP address to the Tor DirPort?