Add rate-limit for outgoing connections #6117

Open
bmwiedemann opened this issue Mar 21, 2019 · 4 comments
Labels
kind/enhancement A net-new feature or improvement to an existing feature

Comments

@bmwiedemann
Contributor

Version information:

ipfs version 0.4.19

Type:

One of

  • "feature": If you'd like to suggest a feature.
  • "enhancement ": If you'd like to suggest an improvement on to existing feature.

Description:

This is distinct from #2489 and #3320

ipfs is opening outgoing connections at such a rate that it repeatedly triggered the network scan detector of my hoster.
The cheap workaround for now uses iptables -m limit --limit 12/min -p tcp --sport 4001 --syn ...
It would be much nicer if the ipfs daemon could be configured to limit itself.

@Stebalien Stebalien added the kind/enhancement A net-new feature or improvement to an existing feature label Mar 21, 2019
@magik6k
Member

magik6k commented Mar 22, 2019

Related - libp2p/go-libp2p#1550

@momack2 momack2 added this to Inbox in ipfs/go-ipfs May 9, 2019
@Linutux

Linutux commented Apr 12, 2020

> The cheap workaround for now uses iptables -m limit --limit 12/min -p tcp --sport 4001 --syn ...

Could you write the whole command please?

Anything happened here since 2019?

@bmwiedemann
Contributor Author

Here is the full workaround. I didn't initially paste it in full because it is rather lengthy:

```sh
c=ipfs
# OWNIP must already hold this host's own public address; the script does not set it
: "${OWNIP:?set OWNIP to this host's own IP address}"
iptables -N $c 2>/dev/null
iptables -F $c
# limit outgoing connection attempts to not be counted as port-scanning by server-hoster
#iptables -A $c -d 10.0.0.0/8 -j ACCEPT
#iptables -A $c -d 192.168.0.0/16 -j ACCEPT
iptables -A $c -d $OWNIP -j ACCEPT
iptables -A $c -d 127.0.0.1 -j ACCEPT
# token bucket: on average one new connection per 5 s, with no extra burst allowance
iptables -A $c --match limit --limit 12/min --limit-burst 1 -j ACCEPT
iptables -A $c -j DROP

c=OUTPUT
# note: this flushes every existing rule in OUTPUT before adding the jump below
iptables -F $c
# only TCP SYNs sent by the daemon's user from the swarm port 4001 go through the ipfs chain
iptables -A $c -p tcp --syn --match owner --uid-owner $UID --sport 4001 -j ipfs
```

You need to adjust or drop the `--uid-owner $UID` part to match the user you run your ipfs daemon as.
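To see what the `--limit 12/min --limit-burst 1` match in the workaround above does to the daemon's dial attempts, here is an added token-bucket model of iptables' limit match (example code, not from this issue or from go-ipfs). The SYN timestamps are constructed, and times are kept in integer milliseconds so the arithmetic is exact.

```python
from fractions import Fraction


class LimitMatch:
    """Model of iptables `-m limit --limit <n>/min --limit-burst <b>`.

    xt_limit is a token bucket: it holds at most `burst` tokens, refills at
    `rate_per_min` tokens per minute and starts full. A packet matches (here:
    the outgoing SYN is ACCEPTed) only if a whole token is available.
    """

    def __init__(self, rate_per_min: int, burst: int = 5):  # iptables default burst is 5
        self.per_ms = Fraction(rate_per_min, 60_000)
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last_ms = 0

    def match(self, now_ms: int) -> bool:
        # refill for the elapsed time, never above the burst cap
        refill = (now_ms - self.last_ms) * self.per_ms
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(syn_times_ms, rate_per_min, burst):
    """Split outgoing SYN timestamps into (accepted, dropped) under the limit rule."""
    lm = LimitMatch(rate_per_min, burst)
    accepted, dropped = [], []
    for t in sorted(syn_times_ms):
        (accepted if lm.match(t) else dropped).append(t)
    return accepted, dropped


# Constructed sample: the daemon dials 20 peers in 10 s (one SYN every 500 ms),
# then makes four more dials later on.
DIALS_MS = [i * 500 for i in range(20)] + [30_000, 35_000, 60_000, 61_000]

if __name__ == "__main__":
    for burst in (1, 5):
        acc, drop = simulate(DIALS_MS, 12, burst)
        print(f"burst={burst}: {len(acc)} SYNs pass, {len(drop)} dropped; "
              f"passed at (s): {[t / 1000 for t in acc]}")
```

With the burst of 1 used in the workaround only one SYN per 5 s gets through, so a burst of 20 dials is cut to two, whereas the iptables default burst of 5 lets the first five dials out at full speed, which is exactly the pattern a scan detector flags. Because the chain ends in DROP rather than REJECT, the daemon's remaining dials sit in connect timeout instead of failing fast.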

@ShadowJonathan

I would rather like to have this feature, as my hosting provider is flagging my host as netscanning, because ipfs is establishing connections too quickly.
