
Re: Best Hardware for TOR server..



On Fri, Dec 14, 2007 at 09:34:36AM -0600, Scott Bennett wrote:

>      Thank you.  You just brought forward the thing that has been eluding
> my recollection since this thread started.  Linksys routers do not have
> enough memory for the NAT table to run a tor exit server, and they do not

Are you sure OpenWRT on a Linksys can't handle the states with 32 MBytes RAM,
and a 0.2..0.5 MBit/s upstream?

I've just looked at the state table (256 kBit/s allocated to Tor middleman via Vidalia) in
my pfSense 1.2 RC3, and it has about 360 entries (pfSense uses about 1 k RAM/state).
It should be possible to handle some 5 k states with 32 MBytes of RAM,
assuming iptables (or whatever 2.4 uses) scale similarly.

IIRC just the other day someone mentioned a Tor package for pfSense -- was
that on this list?

> handle a table overflow condition gracefully.  What happens when a SYN goes
> out at a time when the table is full is that the connection never happens,
> which is reasonable enough, but when table entries have later been freed,
> outbound connections continue to fail.  This remains the situation until
> the router has been rebooted.

The states never expire? I'm running my router with the most conservative
settings.

>      In my experience, a Linksys router on a Comcast connection may run for
> days before the above described situation occurs, but OTOH, it may only run
> for an hour or two before it happens.  It is conceivable that the same might
> occur for a middleman-only server, but far less likely because connections
> to the outside will normally be far fewer, given that many circuits, each
> with perhaps multiple streams, may be funneled through a single TCP connection
> with its corresponding NAT table entry.  In the case of an exit server, every
> stream that exits needs its own NAT table entry.
>      FWIW, a *BSD or LINUX system running as a router with natd(8) on it

Linksys uses Linux (Vxworks for its more braindead types of routers which
I know nothing about), but the default firmware is pretty pathetic.

Once again I very much recommend using pfSense (or m0n0wall) for your
home router on embedded hardware (the sky is the limit on nonembedded,
I'm running it on a SunFire X2100 M2 at work).

> will have no such problem because it doesn't suffer from the memory
> limitation.  The same might also be true for Windows, but I shudder at the
> thought of trusting Windows as a router/firewall, and I don't know what is
> available as a NAT server in Windows.

-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
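As an added example (not code from this thread or from pfSense), a small Python check for the state-table-full condition discussed above: it parses entries in the Linux `/proc/net/nf_conntrack` format, counts NATed flows, and flags when the table nears `nf_conntrack_max`. The sample lines are constructed; on a live router the text comes from that file and the limit from `/proc/sys/net/netfilter/nf_conntrack_max` (both assumed to be the source on a 2.6+ netfilter kernel).

```python
"""Watch netfilter state-table usage so a NAT router in front of a Tor node
is seen approaching the table-full condition before outbound SYNs start
failing. Input is the /proc/net/nf_conntrack text format (assumption: Linux
2.6+ netfilter); the sample below is constructed, not captured."""
from collections import Counter

# Constructed sample: two NATed flows (reply dst != original src) and one
# LAN-local DNS flow that is tracked but not translated.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=40001 dport=9001 src=198.51.100.7 dst=203.0.113.5 sport=9001 dport=40001 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=198.51.100.8 sport=40002 dport=443 src=198.51.100.8 dst=203.0.113.5 sport=443 dport=40002 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=1
"""


def parse_conntrack(text):
    """Yield one dict per entry: L4 protocol, TCP state (None for UDP) and
    whether the reply tuple shows address translation (a NAT table entry)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto = fields[2]
        # Layout: l3 l3num l4 l4num timeout [tcp-state] key=value ...
        state = fields[5] if proto == "tcp" else None
        kv = [f.split("=", 1) for f in fields if "=" in f]
        srcs = [v for k, v in kv if k == "src"]   # original src, reply src
        dsts = [v for k, v in kv if k == "dst"]   # original dst, reply dst
        natted = len(srcs) == 2 and len(dsts) == 2 and srcs[0] != dsts[1]
        yield {"proto": proto, "state": state, "nat": natted}


def table_report(text, conntrack_max, warn_at=0.8):
    """Summarise table usage; 'near_full' is the alert a router operator wants
    before the table fills and new outbound connections silently fail."""
    entries = list(parse_conntrack(text))
    utilisation = len(entries) / conntrack_max
    return {
        "entries": len(entries),
        "nat_entries": sum(e["nat"] for e in entries),
        "tcp_states": Counter(e["state"] for e in entries if e["proto"] == "tcp"),
        "utilisation": utilisation,
        "near_full": utilisation >= warn_at,
    }


if __name__ == "__main__":
    print(table_report(SAMPLE_CONNTRACK, conntrack_max=4096))
```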