On 7/12/24 00:14, boldsuck wrote:
> The idea is not bad. But can you simply discard every ≤ 50-byte packet?
Probably not
> I drop fragments and uncommon TCP MSS values. ip frag-off & 0x1fff != 0 counter drop
IIUC then using conntrack via iptables means that this filter cannot be implemented, right?
> tcp flags syn tcp option maxseg size 1-536 counter drop
Is 536 == 514 + 22 (Tor packet size + IP header)? It is my understanding that Tor sends out small TCP/IP packets besides the 514-byte-sized ones.
-- Toralf
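To make concrete what the two nftables matches quoted in this thread test on the wire, here is an added illustration that is not part of the thread and not from either poster. It contains a minimal IPv4/TCP header parser written from the RFC 791 and RFC 793 header layouts, applies the same two predicates as the quoted rules (`ip frag-off & 0x1fff != 0` and `tcp flags syn tcp option maxseg size 1-536`), and runs them over constructed sample packets. Note that `maxseg size` is the value carried in the SYN's MSS option (the peer's advertised maximum segment size, for which 536 is the IPv4 default assumed when no option is sent, RFC 879), so the rule compares that option value, not the length of the packet that carries it. The packet builder, addresses and ports are constructed for the example.

```python
"""Added example: what 'ip frag-off & 0x1fff != 0' and
'tcp flags syn tcp option maxseg size 1-536' match, re-implemented in Python
over hand-built packets. Not the thread's own code; packets are constructed."""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(frag_off=0, more_fragments=False, flags=TCP_SYN, mss=None):
    """Build a minimal IPv4 + TCP header with no payload (constructed sample).
    frag_off is the 13-bit fragment offset; more_fragments sets the MF bit."""
    opts = b""
    if mss is not None:
        opts = struct.pack("!BBH", 2, 4, mss)      # kind=2 (MSS), len=4, value
        opts += b"\x00" * ((-len(opts)) % 4)       # pad options to 32-bit words
    data_offset = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH",
                      12345, 443,                  # source / destination port
                      0, 0,                        # seq / ack numbers
                      data_offset << 4, flags,     # data offset, flags
                      65535, 0, 0) + opts          # window, checksum, urgent
    frag_field = ((1 << 13) if more_fragments else 0) | (frag_off & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp),       # ver/ihl, tos, total length
                     0, frag_field,                # id, flags+fragment offset
                     64, 6, 0,                     # ttl, proto=TCP, checksum
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def is_fragment(pkt):
    """Equivalent of 'ip frag-off & 0x1fff != 0': non-zero fragment offset,
    i.e. a non-first fragment. The first fragment (offset 0, MF set) passes."""
    frag_field = struct.unpack_from("!H", pkt, 6)[0]
    return (frag_field & 0x1FFF) != 0


def syn_mss(pkt):
    """Return the MSS option value of a SYN, or None if the segment is not a
    SYN or carries no MSS option. Walks the TCP option list per RFC 793."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if not tcp[13] & TCP_SYN:
        return None
    opts = tcp[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):        # truncated option, stop parsing
            break
        length = opts[i + 1]
        if length < 2:                # malformed length
            break
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", opts, i + 2)[0]
        i += length
    return None


def matches_small_mss(pkt, low=1, high=536):
    """Equivalent of 'tcp flags syn tcp option maxseg size 1-536'."""
    mss = syn_mss(pkt)
    return mss is not None and low <= mss <= high


def verdict(pkt):
    """Apply the two quoted drop rules in order, then accept."""
    if is_fragment(pkt):
        return "drop (fragment)"
    if matches_small_mss(pkt):
        return "drop (small MSS)"
    return "accept"


if __name__ == "__main__":
    samples = {
        "normal SYN, MSS 1460": build_ipv4_tcp(mss=1460),
        "SYN, MSS 536": build_ipv4_tcp(mss=536),
        "non-first fragment": build_ipv4_tcp(frag_off=185, mss=1460),
        "first fragment (MF set)": build_ipv4_tcp(more_fragments=True, mss=1460),
        "ACK with MSS 536": build_ipv4_tcp(flags=TCP_ACK, mss=536),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} -> {verdict(pkt)}")
```

Two things the samples make visible: the fragment rule only catches non-first fragments, since the first fragment has offset 0 and is distinguished by the MF bit instead; and the MSS rule is gated on the SYN flag, so an MSS option on any other segment is ignored, exactly as the nft rule is written.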