On 8/8/23 07:21, Toralf Förster wrote:
A few days ago the throughput of my Tor relay went down to nearly zero for
about 3 minutes. It turned out that the reason (maybe) was a change here
in my iptables rules. In particular, I switched these 2 lines:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and then ran into problems a few hours later. And switched back ofc.
An explanation for the drop was given in [1]. Given that the
explanation is right:
I use these rules, with the RELATED,ESTABLISHED rule extended by the "-m
conntrack ! --ctstate INVALID" filter as recommended in [1] and before
the INVALID DROP rule. Works like a charm and with no changes to the
number of connections or traffic.
So the explanation, that INVALID packets are passing through the
RELATED,ESTABLISHED rule, seems plausible. Sadly I can't answer your following
question.
How is the Tor application harmed if an attacker mangles packets so that
their state is INVALID for the conntrack module but they do pass
the RELATED,ESTABLISHED rule?
[1] https://forums.gentoo.org/viewtopic-p-8798034.html
--
Toralf
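Added example, not part of the list message or of any Tor project code: whatever the exact mechanism behind the throughput drop, the ordering the thread settled on is "drop INVALID first, then accept RELATED,ESTABLISHED with an explicit `! --ctstate INVALID`". The script below encodes that as a check an operator can run against saved rules. The two rule sets are constructed samples in `iptables-save` format, and the function names (`check_ctstate_order`, `established_excludes_invalid`, `report`) are this example's own; the only real tool referenced is `iptables-save`.

```shell
#!/bin/sh
# Constructed sample of the INPUT chain as `iptables-save -t filter` would
# print it, for the two orderings discussed on the list.

# Ordering that preceded the throughput drop: RELATED,ESTABLISHED is
# evaluated before the INVALID DROP rule.
WEAK_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP'

# Ordering recommended in [1]: INVALID is dropped first, and the
# RELATED,ESTABLISHED rule additionally excludes INVALID on its own.
FIXED_RULES='-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m conntrack ! --ctstate INVALID -j ACCEPT'

# check_ctstate_order RULES
# Returns 0 when the INVALID DROP rule appears before the first
# RELATED,ESTABLISHED rule in the given ruleset text, 1 otherwise
# (also 1 when either rule is missing, since then nothing can be verified).
check_ctstate_order() {
    drop_line=$(printf '%s\n' "$1" | grep -n -- '--ctstate INVALID -j DROP' | head -n 1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$1" | grep -n -- '--ctstate RELATED,ESTABLISHED' | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# established_excludes_invalid RULES
# Returns 0 when every RELATED,ESTABLISHED rule also carries the
# "! --ctstate INVALID" filter from [1], 1 if any of them lacks it.
established_excludes_invalid() {
    printf '%s\n' "$1" \
        | grep -- '--ctstate RELATED,ESTABLISHED' \
        | grep -v -- '! --ctstate INVALID' \
        | grep -q . && return 1
    return 0
}

# report NAME RULES: human-readable verdict for one ruleset.
report() {
    if check_ctstate_order "$2" && established_excludes_invalid "$2"; then
        echo "$1: INVALID is handled before RELATED,ESTABLISHED"
    else
        echo "$1: RELATED,ESTABLISHED can be reached before INVALID is dropped"
    fi
}

# Stand-alone run over the two constructed samples.
report weak "$WEAK_RULES"
report fixed "$FIXED_RULES"
```

To check a live relay instead of the samples, pass the saved filter table to the same functions, e.g. `report live "$(iptables-save -t filter)"`; the checks only look at rule order and the presence of the `! --ctstate INVALID` match, so they do not need root beyond what `iptables-save` itself requires.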
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays