Re: Best Hardware for TOR server..
On Fri, 14 Dec 2007 10:09:28 -0500 Michael Holstein
<michael.holstein@xxxxxxxxxxx> wrote:
>> P4 processor @ 3GHZ, Intel MB, 2GB DDR2 RAM, 80 GB SATA HD
>
>This will be fine (more than fine, actually) .. I had no issues running
>a ~10mbit (symmetric) node on an old P3/1ghz with 1gb RAM (it was FreeBSD).
>
>> all behind a Linksys Firewall Router.
>
>This will be a problem. Cheap-o routers don't have enough memory to
>manage huge state tables. You'd be better off getting a second NIC card
>for the PC and just using the server to firewall/NAT your LAN, in
>addition to running TOR. If that scares you, just re-use an old PC and
>run Smoothwall on it (or any of the other many "appliance" distros that
>do this).
>
Thank you. You just brought forward the thing that has been eluding
my recollection since this thread started. Linksys routers do not have
enough memory for the NAT table to run a tor exit server, and they do not
handle a table overflow condition gracefully. What happens when a SYN goes
out at a time when the table is full is that the connection never happens,
which is reasonable enough, but when table entries have later been freed,
outbound connections continue to fail. This remains the situation until
the router has been rebooted.
In my experience, a Linksys router on a Comcast connection may run for
days before the above-described situation occurs, but OTOH, it may only run
for an hour or two before it happens. It is conceivable that the same might
occur for a middleman-only server, but far less likely because connections
to the outside will normally be far fewer, given that many circuits, each
with perhaps multiple streams, may be funneled through a single TCP connection
with its corresponding NAT table entry. In the case of an exit server, every
stream that exits needs its own NAT table entry.
FWIW, a *BSD or LINUX system running as a router with natd(8) on it
will have no such problem because it doesn't suffer from the memory
limitation. The same might also be true for Windows, but I shudder at the
thought of trusting Windows as a router/firewall, and I don't know what is
available as a NAT server in Windows.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
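The sizing argument in the reply above (an exit relay needs one NAT entry per exiting stream, a middle relay only one per relay-to-relay TCP connection) can be turned into a quick check for the *BSD/Linux-router alternative the poster recommends. The following POSIX shell script is an added example, not code from the thread, from Tor, or from any router vendor. The entry estimate is Little's law (steady-state entries = arrival rate x average entry lifetime), the 80% warning threshold and the 4096-entry "SOHO router" table size are assumptions, the traffic figures are constructed, and the `/proc/sys/net/netfilter/nf_conntrack_*` paths are the Linux conntrack sysctls (a BSD box running natd(8) keeps its table elsewhere and the live check will simply report that the counters are unavailable).

```shell
#!/bin/sh
# nat_table_check.sh -- estimate NAT/conntrack table pressure for a Tor relay
# sitting behind a NAT router. Added example; not from the original thread.

# Estimate steady-state NAT entries (Little's law: entries ~= arrival rate *
# average entry lifetime).
#   $1 role: exit | middle
#   $2 number of long-lived OR (relay-to-relay) TCP connections
#   $3 new exit streams per second (ignored for a middle relay)
#   $4 average seconds each exit stream's NAT entry stays in the table
#      (connection duration plus the router's TIME_WAIT/close timeout)
nat_entries_needed() {
  case "$1" in
    exit)   echo $(( $2 + $3 * $4 )) ;;
    middle) echo "$2" ;;
    *) echo "usage: nat_entries_needed exit|middle conns streams_per_s lifetime_s" >&2
       return 1 ;;
  esac
}

# Classify table pressure for a given entry count and table maximum.
# Prints ok / warn / full; "warn" at >= 80% (assumed threshold), "full" once
# the count has reached the maximum, i.e. the point at which new outbound
# SYNs start being dropped.
conntrack_status() {
  if [ "$1" -ge "$2" ]; then echo full
  elif [ $(( $1 * 100 / $2 )) -ge 80 ]; then echo warn
  else echo ok
  fi
}

# On a Linux router, read the live conntrack counters and classify them.
# Prints "count max status"; fails if the sysctls are not present
# (non-Linux router, or nf_conntrack not loaded).
live_conntrack() {
  c=/proc/sys/net/netfilter/nf_conntrack_count
  m=/proc/sys/net/netfilter/nf_conntrack_max
  [ -r "$c" ] && [ -r "$m" ] || { echo "nf_conntrack counters not available" >&2; return 1; }
  count=$(cat "$c"); max=$(cat "$m")
  echo "$count $max $(conntrack_status "$count" "$max")"
}

# Constructed figures (assumptions, not measurements): a relay holding 1500 OR
# connections, and as an exit seeing 150 new streams/s that each occupy an
# entry for about 90 s. Exit: 1500 + 150*90 = 15000 entries; middle: 1500.
example() {
  exit_need=$(nat_entries_needed exit 1500 150 90)
  mid_need=$(nat_entries_needed middle 1500 0 0)
  echo "exit relay:   ~$exit_need entries, on a 4096-entry router: $(conntrack_status "$exit_need" 4096)"
  echo "middle relay: ~$mid_need entries, on a 4096-entry router: $(conntrack_status "$mid_need" 4096)"
  live_conntrack 2>/dev/null || echo "(no live conntrack counters on this host)"
}

example
```

On a Linux router that comes back "warn" or "full", raising `net.netfilter.nf_conntrack_max` (and the hash table size it is paired with) is the usual fix; the point of the script is that the exit-relay estimate lands far above what a consumer router's fixed-size table can hold, while the middle-relay estimate is bounded by the number of relay connections.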