On Sonntag, 14. Juli 2024 15:54:45 CEST Toralf Förster via tor-relays wrote:
On 7/12/24 00:14, boldsuck wrote:
The idea is not bad. But can you simply discard every ≤ 50byte packet?
Probably not
I drop fragments and uncommon TCP MSS values. ip frag-off & 0x1fff != 0 counter drop
IIUC then using conntrack via iptables means that this filter cannot be implemented, right?
I have the above rule in 'chain ingress' and later in 'chain prerouting' & 'chain input' I have ct rules. Bo and I https://gitlab.torproject.org/tpo/community/support/-/issues/40093 used this nftables skeleton from the blog below for our rules.
tcp flags syn tcp option maxseg size 1-536 counter drop
Is 536 == 514 + 22 (Tor packet size + ip header) ? It is my understanding that Tor send out TCP/IP small packets beside the 514 bytes sized.
So my nftables skeleton came from the discussion on this blog: https://samuel.forestier.app/blog/security/nftables-hardening-rules-and-good...
Quote about MSS is there: "According to https://en.wikipedia.org/wiki/Maximum_segment_size the default TCP Maximum Segment Size is 536 octets (bytes)."