[tor-relays] High conntrack session count

Zack Weinberg zackw at cmu.edu
Wed Jan 4 13:16:28 UTC 2017


On Wed, Jan 4, 2017 at 8:05 AM, Sec INT <sec.int9 at gmail.com> wrote:
>
> Just had an issue on a 60mbps exit where conntrack sessions went over the usual 30000 limit - is this possible for a normal operating exit relay? Is there any default limit set on this or indeed is there a setting in torrc to control the number of sessions?

Yes, it is perfectly normal for an exit to have tens of thousands of
active TCP sessions.

An exit doesn't get a lot of use out of a firewall.  Your only sockets
listening to the public network (netstat -lnt) should be Tor, SSH, and
the "this is an exit" page on port 80.  fail2ban-type protection for
the ssh port *may* be worth it, but I don't see what you would need
conntrack for.

zw
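A small audit script in the spirit of Zack's advice, added here as an example and not part of the thread: it lists any listening TCP port outside an assumed allowlist (22 for SSH, 80 for the exit notice, 9001/9030 as assumed ORPort/DirPort values) and reports how full the kernel conntrack table is. The `netstat -lnt` output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread. Assumed allowlist of ports an
# exit should be listening on: SSH, the exit-notice page, ORPort and DirPort.
ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 9001 9030}"

# Constructed sample of `netstat -lnt` output; 3306 is the odd one out.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9030            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Print, one per line, every listening port in the given netstat text that is
# not on ALLOWED_PORTS. Handles both "0.0.0.0:22" and IPv6 ":::22" forms by
# taking the text after the last colon.
unexpected_listeners() {
    printf '%s\n' "$1" |
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
    sort -un |
    while read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;            # allowed
            *) echo "$port" ;;         # unexpected listener
        esac
    done
}

# Conntrack table fill in percent. Arguments override the live kernel counters
# (useful for testing); when neither is readable, a 65536 default is assumed.
conntrack_pct() {
    count="${1:-$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0)}"
    max="${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 65536)}"
    echo $(( count * 100 / max ))
}

# Run against the constructed sample, or against real output with --live.
if [ "${1:-}" = "--live" ]; then
    unexpected_listeners "$(netstat -lnt 2>/dev/null)"
else
    unexpected_listeners "$SAMPLE_NETSTAT"
fi
echo "conntrack table ${1:+}$(conntrack_pct)% full"
```

The session count Zack calls normal (tens of thousands) is what the percentage puts in context: if the table is near its maximum the relay drops new connections, so either raise nf_conntrack_max or stop tracking the Tor ports at all.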
