How to Run High Capacity Tor Relays (stateless iptables filtering)

coderman coderman at gmail.com
Tue Aug 31 00:04:25 UTC 2010


On Mon, Aug 30, 2010 at 4:30 PM, Mike Perry <mikeperry at fscked.org> wrote:
> ...
> It wasn't clear to me that tarpitting can be set up without a
> RELATED,ESTABLISHED rule before it.. Also, this is not integrated into
> the kernel or iptables yet either, right?

The tarpit rule doesn't use any connection tracking; whether you have
RELATED,ESTABLISHED matches before (less ideal) or after (better, less
to track), the functionality is the same.

As mentioned in the docs, you want to TARPIT first if possible so you
avoid any connection tracking penalty on the TARPIT'ed sessions; they
can last a loooong time :)

For TARPIT target support, you can grab older patch-o-matic variants,
or direct patches:
  http://enterprise.bih.harvard.edu/pub/tarpit-updates/

There might be other sources, and your distro of choice may even
include support for it in an extended repo somewhere...

More information about the tor-relays mailing list