
Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries



Ah, that's it. My conntrack entries are full and temporarily increasing it resolves the problem.

What would be a reasonable conntrack limit for a tor exit?


On Thu, Jan 18, 2018 at 10:45 PM nusenu <nusenu-lists@xxxxxxxxxx> wrote:


Quintin:
>> Do you reach your server's conntrack limit?
>
> The word conntrack never appears in my logs, so I don't think it's that.
> The ISP also requires this from tor exits: net.netfilter.nf_conntrack_max =
> 10000

How many conntrack entries do you actually have when you get
sendto failed: Operation not permitted
log entries?

sysctl net.netfilter.nf_conntrack_count
or
cat /proc/sys/net/netfilter/nf_conntrack_count

Regardless of whether this is the root-cause or not,
nf_conntrack_max = 10k is probably too low for an exit relay.

If nf_conntrack_count is near nf_conntrack_max, does the problem
go away when you temporarily increase nf_conntrack_max?

--
https://mastodon.social/@nusenu
twitter: @nusenu_



--
0101100101000001010010000101011101000101010010000010000001000010
0100110001000101010100110101001100100000010110010100111101010101
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
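As an added example, not part of this thread and not the relay's own configuration, the following POSIX shell script performs the check nusenu describes: it reads nf_conntrack_count and nf_conntrack_max from /proc (the standard Linux paths) and flags when the table is close to full, which is the condition that produced the "sendto failed: Operation not permitted" entries above. The 80% warning threshold and the CT_DIR override are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare the live conntrack count
# against nf_conntrack_max and warn when the table is nearly full.
# Assumed: standard Linux procfs paths; 80% is an arbitrary warning level.

CT_DIR=${CT_DIR:-/proc/sys/net/netfilter}

# conntrack_usage_pct COUNT MAX -> prints integer percentage of the table in use
conntrack_usage_pct() {
    count=$1
    max=$2
    if [ "$max" -le 0 ]; then
        echo 0          # avoid division by zero on a bogus or missing limit
        return 1
    fi
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX [THRESHOLD] -> prints "near-limit" (status 1)
# when usage is at or above THRESHOLD percent (default 80), else "ok" (status 0).
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    threshold=${3:-80}
    if [ "$pct" -ge "$threshold" ]; then
        echo "near-limit"
        return 1
    fi
    echo "ok"
    return 0
}

# read_conntrack_live -> reads the kernel counters (same values that
# "sysctl net.netfilter.nf_conntrack_count" reports) and prints a summary.
read_conntrack_live() {
    if [ -r "$CT_DIR/nf_conntrack_count" ] && [ -r "$CT_DIR/nf_conntrack_max" ]; then
        count=$(cat "$CT_DIR/nf_conntrack_count")
        max=$(cat "$CT_DIR/nf_conntrack_max")
        pct=$(conntrack_usage_pct "$count" "$max")
        printf 'nf_conntrack_count=%s nf_conntrack_max=%s usage=%s%% status=%s\n' \
            "$count" "$max" "$pct" "$(conntrack_status "$count" "$max")"
    else
        echo "conntrack counters not readable (nf_conntrack not loaded, or not Linux)" >&2
        return 2
    fi
}

# Usage: sh conntrack_check.sh --live   (runs the live check on a Linux host)
case "${1:-}" in
    --live) read_conntrack_live ;;
esac
```

Run it periodically (cron or a monitoring agent) while watching the relay log: if the status flips to "near-limit" at the same time the "sendto failed" lines appear, the limit is the cause, and the temporary increase of nf_conntrack_max described in the thread is the confirming test.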