Tor is not yet fully bootstrapped. 30 % done

I’ve fixed the pull request to just add a new option:

2 Likes

1choice via Whonix Forum:

I’ve fixed the pull request to just add a new option:
https://github.com/Whonix/whonix-firewall/pull/5

This is now in the testers repository.

1 Like

This is in the stable repository for a while now.

1 Like

ICMP Related info:

https://www.hindawi.com/journals/scn/2022/2223050/

Volumetric attacks are classic DoS attack where the goal is to deny service by typically creating congestion and saturation of bandwidth at the target (e.g., server) and the target network. This makes it impossible for legitimate users of the service to communicate with the server under attack. Typical examples of volume-based attacks are UDP flood, ICMP flood (a.k.a. ping flood), and amplification attacks (a.k.a. reflection attacks). In UDP flood, a large volume of UDP packets bombards a server that makes the server check for processes that are listening to the ports and respond to each UDP packet. This leads to denial of service for the regular clients. UDP flood as a matter of fact is behind the very first documented DDoS, the attack on University of Minnesota in July, 1999 [43–45]. Ping flood (ICMP flood) is another type of volume-based attack where the objective is to consume the victim server’s bandwidth usually by sending ICMP echo requests as fast as possible. Due to the way ICMP works (for each request, there is a reply) [46], ping flood ends up consuming the attacker’s bandwidth as well. However, there are ways to work around this feature.

Another example of protocol attacks is IP fragmentation attack which exploits the network maximum transmission unit (MTU) [56]. IP fragmentation process mandates that any transmitted IP packets larger than the network MTU (e.g., 1500 bytes for Ethernet [57]) will be broken into IP fragments which will later be reassembled at the final destination [58]. The attacker exploits this mechanism by preventing the packets to reassemble at destination (e.g., by only sending a part of the packet), resulting in service unavailability. Other protocol attacks include ping of death and Smurf that exploit ICMP [59]. However, they are largely considered solved for contemporary hardware/software systems [59].

1 Like

Not sure how this is the best option for all users by default. If someone or some group in a country is using old shitty network technics, they have the option to turn “on” the choice themselves, but to turn it on for all users, that doesn’t make sense.

This is what I call backward changes.