How to Run High Capacity Tor Relays (stateless iptables filtering)

Mike Perry mikeperry at fscked.org
Mon Aug 30 23:30:16 UTC 2010


Thus spake coderman (coderman at gmail.com):

> On Fri, Aug 27, 2010 at 3:26 AM, tor_ml <tor_ml at ymail.com> wrote:
> > I agree with Olaf and would only use the -p tcp --syn rule to filter new
> > connections to the server on unwanted ports.
> 
> I am fond of the TARPIT target for slowing down naive scanners. It's a
> bit of a pain to get integrated, but fun :)
> 
> """
> Adds a TARPIT target to iptables, which captures and holds incoming TCP
> connections using no local per-connection resources.  Connections are
> accepted, but immediately switched to the persist state (0 byte window), in
> which the remote side stops sending data and asks to continue every 60-240
> seconds.  Attempts to close the connection are ignored, forcing the remote
> side to time out the connection in 12-24 minutes.
> """

It wasn't clear to me that tarpitting can be set up without a
RELATED,ESTABLISHED rule before it. Also, this is not integrated into
the kernel or iptables yet either, right?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
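The stateless design the thread is circling around, written out as an added example (not a ruleset posted by anyone in this thread). It keeps the whole INPUT chain free of conntrack, distinguishing new connections from return traffic with --syn plus the local ephemeral port range instead of a RELATED,ESTABLISHED rule, and it shows where a TARPIT catch-all fits into that design. The port numbers, the ephemeral range (check /proc/sys/net/ipv4/ip_local_port_range on the relay) and the UNWANTED target are assumptions; TARPIT itself is provided by the xtables-addons package rather than mainline iptables, so it only works once xt_TARPIT is loaded. Run with IPT=echo to see the generated rules without touching the firewall.

```shell
#!/bin/sh
# Stateless INPUT chain for a Tor relay: no conntrack, no RELATED,ESTABLISHED.
# Added example; the values below are assumptions, adjust them to the host.
IPT="${IPT:-iptables}"                   # IPT=echo prints the rules instead of loading them
OR_PORT="${OR_PORT:-9001}"               # assumed ORPort
DIR_PORT="${DIR_PORT:-9030}"             # assumed DirPort
SSH_PORT="${SSH_PORT:-22}"
EPHEMERAL="${EPHEMERAL:-32768:61000}"    # assumed ip_local_port_range of the relay
UNWANTED="${UNWANTED:-DROP}"             # set to TARPIT once xt_TARPIT (xtables-addons) is loaded

stateless_input() {
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Services we offer: every packet of those flows is accepted, SYN or not,
    # so the filter never has to remember that a handshake happened.
    for p in "$OR_PORT" "$DIR_PORT" "$SSH_PORT"; do
        "$IPT" -A INPUT -p tcp --dport "$p" -j ACCEPT
    done

    # Return traffic of our own outbound connections (to other relays) arrives on
    # ephemeral ports. Only non-SYN packets pass, so nobody can open a connection
    # to those ports; anything unexpected there is answered with a RST by the kernel.
    "$IPT" -A INPUT -p tcp ! --syn --dport "$EPHEMERAL" -j ACCEPT

    # Stateless approximation for DNS replies: trust source port 53 to an ephemeral port.
    "$IPT" -A INPUT -p udp --sport 53 --dport "$EPHEMERAL" -j ACCEPT
    "$IPT" -A INPUT -p icmp -j ACCEPT

    # Everything else TCP, including the follow-up packets of unwanted flows, ends
    # here. That ordering is what makes TARPIT usable without conntrack: the target
    # must see the whole flow, because if the client's handshake ACK hit an ACCEPT
    # rule instead, the kernel would RST it and the hold would end immediately.
    # Consequence: SYNs to ports inside the ephemeral range are still dropped or
    # tarpitted, but their follow-ups match the ephemeral rule, so holds only last
    # for ports outside that range.
    "$IPT" -A INPUT -p tcp -j "$UNWANTED"

    # Default deny, set last so an existing SSH session is not cut mid-reload.
    "$IPT" -P INPUT DROP
}

# Usage (dry run):  IPT=echo sh thisfile.sh
# Usage (live):     sh thisfile.sh   as root, ideally from a console
stateless_input
```

Because there is no state table, the protection against SYN floods and connection exhaustion stays entirely in the TCP stack (tcp_syncookies, backlog sizes) rather than in netfilter, which is the main operational trade-off of running a relay this way.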