[tor-relays] High conntrack session count

Sec INT sec.int9 at gmail.com
Wed Jan 4 13:32:25 UTC 2017


It's a limit that many VPS suppliers set; > 30000 gets you a warning. I'll set the limit to 29k tonight. It's only an issue on shared resources like VPS.

Cheers
Mark B
Snaptor.co.uk (non commercial)


> On 4 Jan 2017, at 13:16, Zack Weinberg <zackw at cmu.edu> wrote:
> 
>> On Wed, Jan 4, 2017 at 8:05 AM, Sec INT <sec.int9 at gmail.com> wrote:
>> 
>> Just had an issue on a 60mbps exit where conntrack sessions went over the usual 30000 limit - is this possible for a normal operating exit relay? Is there any default limit set on this, or indeed is there a setting in torrc to control the number of sessions?
> 
> Yes, it is perfectly normal for an exit to have tens of thousands of
> active TCP sessions.
> 
> An exit doesn't get a lot of use out of a firewall.  Your only sockets
> listening to the public network (netstat -lnt) should be Tor, SSH, and
> the "this is an exit" page on port 80.  fail2ban-type protection for
> the ssh port *may* be worth it, but I don't see what you would need
> conntrack for.
> 
> zw
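A small check in the spirit of Zack's advice, added here as an example and not part of the thread: it audits `netstat -lnt` style output against the listeners an exit should expose (SSH, the exit-notice page on port 80, and Tor's ORPort/DirPort, whose values 9001/9030 are assumed here) and reports how full the conntrack table is. The netstat sample is constructed.

```shell
# Added example (not from the thread). ORPort/DirPort numbers are assumptions;
# take them from your own torrc.
ALLOWED_PORTS="22 80 9001 9030"   # ssh, exit-notice page, ORPort, DirPort (assumed)

# Reads `netstat -lnt` style lines on stdin and prints one line per listener
# that is reachable from the public network but not on the allowlist.
# Returns 0 when every public listener is expected, 1 otherwise.
audit_listeners() {
    unexpected=0
    while read -r proto recvq sendq laddr faddr state; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac   # skip header lines
        addr=${laddr%:*}
        port=${laddr##*:}
        # loopback-only sockets (e.g. a SocksPort on 127.0.0.1) are not public
        case "$addr" in 127.0.0.1|::1) continue ;; esac
        ok=0
        for p in $ALLOWED_PORTS; do
            [ "$p" = "$port" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected listener: $laddr"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# Percentage of the conntrack table in use. On a live Linux host call it as:
#   conntrack_pct "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#                 "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
# The kernel's nf_conntrack_max is separate from any cap the VPS provider
# enforces (the 30000 figure discussed in the thread).
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo "conntrack_max must be > 0" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# Constructed sample of `netstat -lnt` output: a relay that also exposes a
# database port to the world, which is the kind of listener the audit flags.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners || echo "review the listeners above"
echo "conntrack table in use: $(conntrack_pct 31000 32768)%"
```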