[tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing

Nathaniel Suchy me at lunorian.is
Tue Aug 21 16:16:10 UTC 2018


Hi David,

Couldn't I firewall the non-obfs port so only loopback addresses may access
it?

Cordially,
Nathaniel Suchy

On Tue, Aug 21, 2018 at 11:37 AM David Fifield <david at bamsoftware.com>
wrote:

> On Mon, Aug 20, 2018 at 02:25:40PM -0400, Nathaniel Suchy wrote:
> > Interesting. Is there any reason to not use an obfuscated bridge?
>
> No, not really. obfs4 resists active probing without any special
> additional steps. But I can think of one reason why the MSS trick is
> worth trying, anyway. Due to a longstanding bug (really more of a design
> issue that's hard to repair), you can't run an obfs4 bridge without also
> running a vanilla (unobfuscated) bridge on a different port on the same
> IP address. So if anyone ever connects to that vanilla port, the bridge
> will get probed and the entire IP address blocked, including the obfs4
> port.
> https://bugs.torproject.org/7349
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
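What such a firewall would look like on a Linux bridge, as an added example that is not part of this thread and not anything David or Nathaniel posted. It assumes the vanilla ORPort is TCP 9001 (ORPORT is a hypothetical variable; set it to your own port), that iptables and ip6tables are in use, and that the obfs4 side only ever reaches tor over loopback, so loopback traffic to the ORPort must stay allowed. The rules are emitted as text first so they can be inspected before anything is applied:

```shell
#!/bin/sh
# Added example, not from the original thread: restrict tor's vanilla ORPort
# so that only loopback can reach it while the obfs4 port stays open.
# Assumptions: ORPort is TCP 9001 (override with ORPORT=...), Linux with
# iptables/ip6tables, and the pluggable transport talks to tor over loopback.

ORPORT="${ORPORT:-9001}"

# Print the rules for both address families. Order matters: the loopback
# ACCEPT is inserted at position 1 and the DROP at position 2, so a packet
# from lo matches ACCEPT and never reaches the DROP.
orport_loopback_rules() {
    port="$1"
    for tool in iptables ip6tables; do
        printf '%s\n' "$tool -I INPUT 1 -p tcp --dport $port -i lo -j ACCEPT"
        printf '%s\n' "$tool -I INPUT 2 -p tcp --dport $port -j DROP"
    done
}

# Apply the rules idempotently: each rule is first checked with -C (which
# only tests for presence) and inserted only if it is missing, so running
# this twice does not stack duplicate rules. DRY_RUN=1 prints instead.
apply_rules() {
    port="$1"
    orport_loopback_rules "$port" | while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -I INPUT [0-9]* / -C INPUT /')
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would run: %s\n' "$cmd"
        elif ! $check 2>/dev/null; then
            $cmd
        fi
    done
}

case "${1:-}" in
    show)  orport_loopback_rules "$ORPORT" ;;
    apply) apply_rules "$ORPORT" ;;
esac
```

Run it with `show` to review the rules and `apply` (as root) to install them; afterwards a `nc -vz <bridge-ip> 9001` from another host should hang or be refused while the obfs4 port still answers. One caveat to check against the tor manual before relying on this: tor normally tests that its ORPort is reachable from outside before publishing a descriptor, and a loopback-only ORPort fails that self-test, so the bridge will likely need `AssumeReachable 1` in torrc for the obfs4 port to be advertised at all.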
