Re: [tor-relays] 300mbps FreeBSD Tor relay on HPE MicroServer Gen10 (AMD X3421)
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-relays] 300mbps FreeBSD Tor relay on HPE MicroServer Gen10 (AMD X3421)
- From: George <george@xxxxxxxxxx>
- Date: Sun, 30 Dec 2018 18:12:00 +0000
- Autocrypt: addr=george@xxxxxxxxxx; prefer-encrypt=mutual
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Sun, 30 Dec 2018 13:13:02 -0500
- In-reply-to: <5C2792CC.9020901@quantentunnel.de>
- List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
- List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
- Openpgp: preference=signencrypt
- References: <fe12d7298f7283b5f63919c7742959cf@neelc.org> <5C2792CC.9020901@quantentunnel.de>
- Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
Felix:
> Hi Neel
>
>
>> My relay runs FreeBSD 11.2 and Tor runs in a "jail".
>
> Jails are perfect for that! I observed the host FreeBSD tcp stack is
> strong enough for more than 500Mbit/s in AND out.
Yes, jails are a perfect fit in many ways.

I haven't been a jail user since FreeBSD 7.x or 8.x, but one thing I'd
like to do at some point is sort out a bare minimum jail for a Tor node.

Not that usual full-base system jail, but something that would look
like a chroot from the bird's-eye view.

I think it should be very doable with EZjail, but I always prefer base
tools with shell scripts.

I should mention that I'm not a fan of virtualization solutions for many
use-cases, but FreeBSD jails aren't about bloat and just adding more
lines of code with more bugs. They are a tight solution that can really
mitigate compromises when used properly.

For those interested, go look up their original usage by phk@ as a web
site hosting solution. It was an instance where some Danish www hosting
company kept getting their site hacked, so he had a cron job which
diff'd the contents of the www-serving jail, and overwrote it if there
was change, or something like that.

I can't find the actual link but this helps:

http://phk.freebsd.dk/sagas/jails.html
>
>
>> I am using AESNI and Tor is configured to use OpenSSL cryptodev.
>
> Does crypto run? On log info you should find the following entry during
> start:
>
> [info] crypto_openssl_init_engines: Initializing dynamic OpenSSL engine
> "dynamic" acceleration support.
> [info] crypto_openssl_init_engines: Loaded dynamic OpenSSL engine
> "dynamic".
>
> After finding this message you can switch to notice and restart.
>
>> * I want to keep using FreeBSD on my server and do not want to run
>> Linux
>
> +1
>
Addressing the general audience here...

I'm a long-time BSD person and have fought long and hard for OS
diversity in Tor, but everyone should stick to OSs they are most
comfortable with.

The only thing I fear more than OS monocultures is anyone running OSs
they can't admin on systems which are public-facing and providing a vital
service.

A misconfigured BSD relay doesn't help anyone.
>
>> * I would prefer to have a single instance, but can use multiple if
>> I have to
>
> It's BSD, so maybe consider to go for libressl from ports (which does
> not support the crypto engine). And then use 2 instances per ip. Better
> for diversity ;)
>
Yes, !OpenSSL should be considered, and LibreSSL is a good start.

I know LibreSSL doesn't support crypto engine, but not sure of the
consequences outside of the basics with it.
>
>> * My server supports hardware accelerated AES and SHA. I am using
>> this on FreeBSD with the aesni kernel module and Tor with
>> "HardwareAccel 1" and "AccelName cryptodev"
>
> A torrc can look like:
> RelayBandwidthRate 0
> RelayBandwidthBurst 0
> HardwareAccel 1
> AccelName dynamic
> Log info file /var/log/tor/info
>
On that note, a lot of the Tor BSD docs have been migrated to the TPO
documentation, and we need to finish migrating the
https://wiki.torbsd.org there also.

But there continues to be a need for more, plus additional translations.
The BSDs have particularly large footprints in some countries that also
happen to lack many Tor relays such as Japan and the Balkan countries.

The "gateway" drug for most people running anything new is FAQs, how-tos
and documentation. A good target might be optimizing BSD relays beyond
the obvious.

g
--
34A6 0A1F F8EF B465 866F F0C5 5D92 1FD1 ECF6 1682
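
The check Felix describes (find the two `crypto_openssl_init_engines` entries before switching the log level back to notice), as an added example that is not part of the original message: a POSIX shell script that reads `HardwareAccel` and `AccelName` from a torrc and reports whether the matching "Loaded" line appears in the info log. The function names, sample files and timestamps are constructed for illustration; the torrc content and message texts are the ones quoted above.

```sh
#!/bin/sh
# Added example (not from the thread): did the engine named in torrc load?

# Value of the last occurrence of a torrc option (name matched case-insensitively).
torrc_value() {  # usage: torrc_value <torrc> <Option>
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# Prints one of: disabled | no-entry | init-only | loaded.
# The last matching line wins, so a log spanning several restarts reports
# the most recent start.
engine_status() {  # usage: engine_status <torrc> <info-log>
    accel=$(torrc_value "$1" HardwareAccel)
    name=$(torrc_value "$1" AccelName)
    if [ "$accel" != "1" ] || [ -z "$name" ]; then
        echo disabled
        return 0
    fi
    awk -v n="$name" '
        BEGIN { state = "no-entry" }
        index($0, "Initializing dynamic OpenSSL engine \"" n "\"") { state = "init-only" }
        index($0, "Loaded dynamic OpenSSL engine \"" n "\"")       { state = "loaded" }
        END { print state }
    ' "$2"
}

# Constructed sample files: the torrc quoted above plus two logs (made-up timestamps).
write_samples() {  # usage: write_samples <dir>
    cat > "$1/torrc" <<'EOF'
RelayBandwidthRate 0
RelayBandwidthBurst 0
HardwareAccel 1
AccelName dynamic
Log info file /var/log/tor/info
EOF
    cat > "$1/info.good" <<'EOF'
Dec 30 17:00:01.000 [info] crypto_openssl_init_engines: Initializing dynamic OpenSSL engine "dynamic" acceleration support.
Dec 30 17:00:01.000 [info] crypto_openssl_init_engines: Loaded dynamic OpenSSL engine "dynamic".
EOF
    head -n 1 "$1/info.good" > "$1/info.bad"   # init attempted, never loaded
}

d=$(mktemp -d) && write_samples "$d"
echo "info.good: $(engine_status "$d/torrc" "$d/info.good")"
echo "info.bad:  $(engine_status "$d/torrc" "$d/info.bad")"
rm -rf "$d"
```

Only a `loaded` result corresponds to the state in which Felix suggests switching to notice and restarting; `init-only` means the engine was requested but the second entry never appeared.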