On 8/8/23 07:21, Toralf Förster wrote:
Few days ago the throughput of my Tor relay went down to nearly zero for about 3 minutes. It turned out that the reason (maybe) was a change here in my iptables rules. Especially I switched these 2 lines:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and run then few hours later into problems. And switched back ofc. An explanation for the dropdown was given in [1]. Given that the explanation is right:
I use these rules, with the RELATED,ESTABLISHED rule extended by the "-m conntrack ! --ctstate INVALID" filter as recommended in [1] and before the INVALID DROP rule. Works like a charm and with no changes to the number of connections or traffic. So the explanation, that INVALID packages are passing through the RELATED,ESTABLISHED seems plausible. Sadly I can't answer your following question.
How is the Tor application harmed if an attacker mangles packets so that the state of them are INVALID for the conntrack module but they do pass the RELATED,ESTABLISHED rule ?
[1] https://forums.gentoo.org/viewtopic-p-8798034.html
Toralf _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays