
Re: Best Hardware for TOR server..
     On Fri, 14 Dec 2007 17:20:17 +0100 Eugen Leitl <eugen@xxxxxxxxx>
wrote:
>On Fri, Dec 14, 2007 at 09:34:36AM -0600, Scott Bennett wrote:
>
>>      Thank you.  You just brought forward the thing that has been eluding
>> my recollection since this thread started.  Linksys routers do not have
>> enough memory for the NAT table to run a tor exit server, and they do not
>
>Are you sure OpenWRT on a Linksys can't handle the states with 32 MBytes RAM,
>and a 0.2..0.5 MBit/s upstream?

     I have no idea.  I have no experience whatsoever with installing other
firmware into an electronics store-bought router.  The behavior I described
was for a stock Linksys router.
>
>I've just looked at the state table (256 kBit/s allocated to Tor middleman via Vidalia) in 
>my pfSense 1.2 RC3, and it has about 360 entries (pfSense uses about 1 k RAM/state). 
>It should be possible to handle some 5 k states with 32 MBytes of RAM,
>assuming iptables (or whatever 2.4 uses) scale similarly.
>
>IIRC just the other day someone mentioned a Tor package for Pfsense -- was
>that on this list?
>
>> handle a table overflow condition gracefully.  What happens when a SYN goes
>> out at a time when the table is full is that the connection never happens,
>> which is reasonable enough, but when table entries have later been freed,
>> outbound connections continue to fail.  This remains the situation until
>> the router has been rebooted.
>
>The states never expire? I'm running my router with most conservative
>settings. 

     Actually, I don't know.  My guess is that the allocation routine is
crap, so that once it has failed, it will always fail.  But you're right, it
is possible that an overflowed table never has entries deleted again, which
would also cause allocation failures from then on.
>
>>      In my experience, a Linksys router on a Comcast connection may run for
>> days before the above described situation occurs, but OTOH, it may only run
>> for an hour or two before it happens.  It is conceivable that the same might
>> occur for a middleman-only server, but far less likely because connections
>> to the outside will normally be far fewer, given that many circuits, each
>> with perhaps multiple streams, may be funneled through a single TCP connection
>> with its corresponding NAT table entry.  In the case of an exit server, every
>> stream that exits needs its own NAT table entry.
>>      FWIW, a *BSD or LINUX system running as a router with natd(8) on it
>
>Linksys uses Linux (Vxworks for its more braindead types of routers which
>I know nothing about), but the default firmware is pretty pathetic.

     I was not referring to an embedded system, but rather to an operating
system on a full computer system with virtual memory.
>
>Once again I very much recommend using pfSense (or m0n0wall) for your
>home router on embedded hardware (the sky is the limit on nonembedded,
>I'm running it on a SunFire X2100 M2 at work).
>
>> will have no such problem because it doesn't suffer from the memory
>> limitation.  The same might also be true for Windows, but I shudder at the
>> thought of trusting Windows as a router/firewall, and I don't know what is
>> available as a NAT server in Windows.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
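As an added illustration that is not part of this thread (a constructed toy model, not code from Linksys, pfSense or Tor), the following Python sketch models the two points argued above: a NAT state table with a fixed capacity that refuses new flows when full but accepts them again once idle entries have expired (the graceful behaviour the post says a stock Linksys lacks), and a rough count of how many state entries a middleman versus an exit relay needs, given that several circuits and streams share one TCP connection to the next relay while every exited stream needs its own connection. The capacity, timeout and flow tuples are invented values, and `state_entries_needed` is a simplification of the reasoning in the post, not a measurement of any real relay.

```python
from dataclasses import dataclass, field


@dataclass
class NatTable:
    """Toy connection-tracking (NAT state) table.

    One entry per outbound flow; an entry expires after `idle_timeout`
    seconds without traffic. `capacity` stands in for the fixed memory
    budget of an embedded router (constructed value, not a real device's).
    """
    capacity: int
    idle_timeout: float
    entries: dict = field(default_factory=dict)  # flow tuple -> last-seen time
    refused: int = 0

    def expire(self, now):
        """Drop entries idle for longer than idle_timeout; return how many."""
        stale = [f for f, seen in self.entries.items()
                 if now - seen > self.idle_timeout]
        for f in stale:
            del self.entries[f]
        return len(stale)

    def open_flow(self, flow, now):
        """Return True if a state entry exists or was allocated for `flow`."""
        if flow in self.entries:
            self.entries[flow] = now
            return True
        # Reclaim idle entries *before* declaring the table full. An
        # allocator that skips this step (or never frees entries once it
        # has overflowed) keeps refusing new flows until a reboot.
        self.expire(now)
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[flow] = now
        return True


def demo():
    """Constructed burst: 6 flows hit a 4-entry table, then one flow 60 s later.

    Returns (flows refused during the burst, whether the later flow succeeded,
    entries held afterwards).
    """
    table = NatTable(capacity=4, idle_timeout=30.0)
    t = 0.0
    results = [table.open_flow(("10.0.0.2", 40000 + i, "198.51.100.1", 443), t)
               for i in range(6)]
    refused = results.count(False)
    # After 60 s the burst flows are idle, so a new flow must be accepted again.
    later = table.open_flow(("10.0.0.2", 50000, "198.51.100.2", 80), t + 60.0)
    return refused, later, len(table.entries)


def state_entries_needed(circuits, role):
    """Rough NAT-entry demand for a relay (simplified model, not a measurement).

    `circuits` is a list of (next_hop_relay, streams_on_circuit). A middleman
    only needs one TCP connection, hence one entry, per distinct next-hop relay;
    an exit needs one entry per stream it sends out to the destination.
    """
    if role == "middleman":
        return len({next_hop for next_hop, _ in circuits})
    if role == "exit":
        return sum(streams for _, streams in circuits)
    raise ValueError("role must be 'middleman' or 'exit'")


if __name__ == "__main__":
    print("burst refused / later accepted / entries held:", demo())
    sample = [("relayA", 4), ("relayB", 2), ("relayA", 3)]  # constructed
    print("middleman entries:", state_entries_needed(sample, "middleman"))
    print("exit entries:", state_entries_needed(sample, "exit"))
```

The model makes the failure mode discussed in the thread concrete: a table that is full only refuses flows while it is full, so the interesting question for a given router is whether its allocator ever reclaims entries after an overflow, which is the behaviour the post reports as missing on stock firmware.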