[tor-relays] debugging unbound on 'torexit' failing DNS queries

Quintin tor-admin at portaltodark.world
Sat Jan 20 20:00:18 UTC 2018


Ah, that's it. My conntrack entries are full and temporarily increasing it
resolves the problem.

What would be a reasonable conntrack limit for a tor exit?


On Thu, Jan 18, 2018 at 10:45 PM nusenu <nusenu-lists at riseup.net> wrote:

>
>
> Quintin:
> >> Do you reach your server's conntrack limit?
> >
> > The word conntrack never appears in my logs, so I don't think it's that.
> > The ISP also requires this from tor exits:
> > net.netfilter.nf_conntrack_max = 10000
>
> How many conntrack entries do you actually have when you get
> sendto failed: Operation not permitted
> log entries?
>
> sysctl net.netfilter.nf_conntrack_count
> or
> cat /proc/sys/net/netfilter/nf_conntrack_count
>
> Regardless of whether this is the root-cause or not,
> nf_conntrack_max = 10k is probably too low for an exit relay.
>
> If nf_conntrack_count is near nf_conntrack_max, does the problem
> go away when you temporarily increase nf_conntrack_max?
>
> --
> https://mastodon.social/@nusenu
> twitter: @nusenu_
>
>

-- 
0101100101000001010010000101011101000101010010000010000001000010
0100110001000101010100110101001100100000010110010100111101010101
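The diagnostic nusenu describes above (compare nf_conntrack_count with nf_conntrack_max, then raise the limit temporarily) as a small POSIX shell script. This is an added example, not code from the thread or from the Tor Project; the 80% warning threshold, the CT_DIR override and the raise_conntrack_max helper are assumptions for illustration, and the thread gives no answer to what the right limit for an exit is, so the script sets none.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread: check how close the
# netfilter conntrack table is to its limit and raise it temporarily.
# CT_DIR is the directory holding the sysctl files; overridable so the
# logic can be exercised against constructed values (assumption).
CT_DIR="${CT_DIR:-/proc/sys/net/netfilter}"

# Print the integer percentage of the conntrack table in use.
# Returns 1 (and prints 0) if max is not a positive number.
conntrack_pct() {
    ct_count="$1"
    ct_max="$2"
    if [ "$ct_max" -gt 0 ] 2>/dev/null; then
        echo $(( ct_count * 100 / ct_max ))
        return 0
    fi
    echo 0
    return 1
}

# Read the live counters and report them. Returns 0 while usage is below
# the threshold (default 80%, an assumed value) and 1 once the table is
# near capacity, which is when unbound starts logging
# "sendto failed: Operation not permitted" and new flows get dropped.
conntrack_check() {
    threshold="${1:-80}"
    ct_count=$(cat "$CT_DIR/nf_conntrack_count")
    ct_max=$(cat "$CT_DIR/nf_conntrack_max")
    pct=$(conntrack_pct "$ct_count" "$ct_max")
    printf 'nf_conntrack_count=%s nf_conntrack_max=%s (%s%% used)\n' \
        "$ct_count" "$ct_max" "$pct"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table near capacity; expect dropped connections" >&2
        return 1
    fi
    return 0
}

# Raise nf_conntrack_max for the running kernel only (lost on reboot);
# make it permanent via /etc/sysctl.d once a sensible value is settled.
# Needs root. Helper name is an assumption for this example.
raise_conntrack_max() {
    sysctl -w net.netfilter.nf_conntrack_max="$1"
}

# Stand-alone run: report the live table if this kernel exposes it.
if [ -r "$CT_DIR/nf_conntrack_count" ]; then
    conntrack_check 80
fi
```

Run it as root on the exit; a non-zero exit status from conntrack_check is the signal to try raise_conntrack_max before blaming unbound. Note that the sysctl change alone does not resize the hash table; check net.netfilter.nf_conntrack_buckets as well when the limit goes up by a large factor.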