> echo 1 > /proc/sys/net/ipv4/tcp_rfc1337

not the right option; this is different, and to avoid an issue with time wait.
the feature i'm thinking of is time-wait negotiation, which can be tweaked to always put this state on the peer (or fail if not available). last time i messed with this it was kernel build tweaks; probably too much for most tastes ;)

regarding the match rules, why are you whitelisting firefox instances? a robust setup is everything transparently routed, except for the Tor PID, and only this PID. kernel originated traffic and all other application originated traffic is thus routed properly without bypass, assuming Tor itself is not vulnerable.

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
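The "everything transparently routed, except for Tor" setup described above, as an added nftables example that is not part of the thread: it emits a ruleset in which only sockets owned by the Tor user may leave the host directly, all other TCP and DNS is redirected into Tor's TransPort/DNSPort, and everything else from any process or from the kernel is dropped. It assumes Tor runs under the UID passed as the first argument, with TransPort 9040 and DNSPort 5353 on 127.0.0.1 (constructed values), and it matches on the socket's UID because that is what netfilter's owner match exposes, rather than the PID mentioned in the reply.

```shell
#!/bin/sh
# Added example, not from the tor-talk thread.
# gen_tor_ruleset TOR_UID  ->  nftables ruleset on stdout
# Assumptions (constructed for this example): Tor listens on
# 127.0.0.1:9040 (TransPort) and 127.0.0.1:5353 (DNSPort).
gen_tor_ruleset() {
    tor_uid="$1"
    cat <<EOF
flush ruleset
table inet tor_only {
    # NAT hook: first packet of each new local connection.
    chain nat_output {
        type nat hook output priority -100; policy accept;
        # Tor's own sockets go out untouched; everything bound for
        # loopback is already local and needs no redirect.
        meta skuid $tor_uid return
        oifname "lo" return
        # DNS from any other process -> Tor's DNSPort.
        meta l4proto udp udp dport 53 redirect to :5353
        # All other TCP from any other process -> Tor's TransPort.
        meta l4proto tcp redirect to :9040
    }
    # Filter hook: default deny, so nothing that was not redirected
    # (UDP other than DNS, ICMP, raw sockets, kernel-originated
    # traffic) can bypass Tor. Hosts that need DHCP or NTP must add
    # explicit exceptions here, knowingly.
    chain filter_output {
        type filter hook output priority 0; policy drop;
        meta skuid $tor_uid accept
        oifname "lo" accept
    }
}
EOF
}

# To apply on a host where Tor runs as user debian-tor (needs root):
#   gen_tor_ruleset "$(id -u debian-tor)" | nft -f -
```

Run `nft list ruleset` afterwards and confirm the only `accept` lines in `filter_output` are the Tor UID and loopback ones; any other accept is a bypass path.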