Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-21 Thread Toralf Förster
On 01/11/2018 02:10 AM, teor wrote:
> So if you're going to do this, please set a much higher limit than 2.
> I would suggest at least 4, but 10 or more is better.
>
> You might be able to set it higher if you put a limit on repeated
> connection attempts.

The simple approach (allowing 8 syn

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-14 Thread teor
> On 10 Jan 2018, at 16:39, teor wrote:
>
> Hi,
>
> Still having load trouble on your relay?
> Try dropping rapid connection attempts.
>
>> On 9 Jan 2018, at 16:32, teor wrote:
>>
>> I've tried various ways of limiting Tor's RAM and CPU.
>>

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-11 Thread teor
> On 12 Jan 2018, at 08:46, Toralf Förster wrote:
>
>> On 01/11/2018 02:10 AM, teor wrote:
>> As far as I can tell, this single rule has the same effect:
> Even if " -P INPUT DROP" is set?

I think that applying the single rule to the default config has the same

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-11 Thread Toralf Förster
On 01/11/2018 02:10 AM, teor wrote:
> As far as I can tell, this single rule has the same effect:

Even if " -P INPUT DROP" is set?

--
Toralf
PGP C4EACDDE 0076E94E

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-11 Thread Toralf Förster
On 01/11/2018 02:10 AM, teor wrote:
> We allow 2 relays per IPv4 address, and each relay makes 1-2 connections
> to each other relay. (Or more, if the connections start failing. This is
> a bug we want to fix.)
>
> So if you're going to do this, please set a much higher limit than 2.
> I would

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-10 Thread teor
> On 11 Jan 2018, at 08:10, Toralf Förster wrote:
>
> On 01/10/2018 06:39 AM, teor wrote:
>> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent
>> --set
>> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent
>> --update

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-10 Thread Toralf Förster
On 01/10/2018 06:39 AM, teor wrote:
> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent
> --set
> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 100 -j DROP

What about the following approach;

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-09 Thread teor
Hi,

Still having load trouble on your relay?
Try dropping rapid connection attempts.

> On 9 Jan 2018, at 16:32, teor wrote:
>
> I've tried various ways of limiting Tor's RAM and CPU.
> MaxAdvertisedBandwidth was effective, as was limiting Tor's file
> descriptors and

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-08 Thread teor
> On 6 Jan 2018, at 06:05, Zack Weinberg wrote:
>
>> On Fri, Jan 5, 2018 at 1:44 PM, tor wrote:
>> For relay operators using iptables connlimit to mitigate DoS attacks (or
>> increased load from new clients), is it better for the Tor network to use
>>

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

2018-01-05 Thread Zack Weinberg
On Fri, Jan 5, 2018 at 1:44 PM, tor wrote:
> For relay operators using iptables connlimit to mitigate DoS attacks (or
> increased load from new clients), is it better for the Tor network to use
> "DROP" rules, or should we use something like "REJECT --reject-with
>