Hmmm. I think it's time to change to another provider.
Quintin
On Fri, Jan 26, 2018 at 12:43 PM nusenu wrote:
> If your hoster suspends your server if you exceed 10k concurrent
> connections
> I'm afraid it is probably not suitable for an exit relay (regardless of
> your own iptables ruleset).
If your hoster suspends your server if you exceed 10k concurrent connections
I'm afraid it is probably not suitable for an exit relay (regardless of
your own iptables ruleset).
A non-exit (single instance) relay would fit into a 10k limit.
--
https://mastodon.social/@nusenu
twitter: @nusenu_
Hi nusenu,
Server has now been unsuspended, and is back online. You asked "do you
require a stateful packet filter?". Do you mean to disable conntrack?
I have removed all my connection tracking iptables entries. My iptables
looks like this now. Will keep an eye on it now.
*filter
:INPUT ACCEP
Quintin:
> Seems my VPS got suspended when I increased the connlimit above 1. Do
> you think my INPUT filters which use conntrack could have caused this issue?
You did confirm that already, no?
--
https://mastodon.social/@nusenu
twitter: @nusenu_
Seems my VPS got suspended when I increased the connlimit above 1. Do
you think my INPUT filters which use conntrack could have caused this issue?
On Mon, Jan 22, 2018 at 10:55 AM eric gisse wrote:
> I can kinda answer that.
>
> I run an exit node that happily does 200-250mbit/s according t
I can kinda answer that.
I run an exit node that happily does 200-250mbit/s according to
netdata accounting and my monitoring regularly pegs it at nearly 200k
connections. Usually 100-150k.
On Sun, Jan 21, 2018 at 4:06 PM, nusenu wrote:
>
>
> Quintin:
>> Ah, that's it. My conntrack entries are fu
Quintin:
> Ah, that's it. My conntrack entries are full and temporarily increasing it
> resolves the problem.
I'm glad we found the problem and the solution.
Your exit appears to be offline since 2018-01-20 20:00, expected downtime?
https://atlas.torproject.org/#details/92E3764D5485DC4AC01178271
Ah, that's it. My conntrack entries are full and temporarily increasing it
resolves the problem.
What would be a reasonable conntrack limit for a tor exit?
On Thu, Jan 18, 2018 at 10:45 PM nusenu wrote:
>
>
> Quintin:
> >> Do you reach your server's conntrack limit?
> >
> > The word conntrack n
Quintin:
>> Do you reach your server's conntrack limit?
>
> The word conntrack never appears in my logs, so I don't think it's that.
> The ISP also requires this from tor exits: net.netfilter.nf_conntrack_max =
> 1
How many conntrack entries do you actually have when you get
sendto failed:
> Do you reach your server's conntrack limit?
The word conntrack never appears in my logs, so I don't think it's that.
The ISP also requires this from tor exits: net.netfilter.nf_conntrack_max =
1
> Try setting RelayBandwidthRate to 95% of your link capacity.
Why 95%? Are you thinking to giv
Quintin:
> No outbound filters, this is my config:
>
> If I stop tor then "dig @127.0.0.1 google.com" works 100%. It seems like
> the pattern is that when tor traffic builds up so do DNS failures. And then
> my dig @127.0.0.1 only succeeds about 0.1% of the time. At this stage large
> amounts th
> On 19 Jan 2018, at 06:06, Quintin wrote:
>
> No outbound filters, this is my config:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p
No outbound filters, this is my config:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m comment --comment "SSH" -s x.x.x.x -m state -
wrote:
> Resent under the correct alias.
>
> I'm having high amounts of failures on this VPS (PulseServers). I run a
> local unbound instance, and see an incredible amount of:
> Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation
> not permitted
> Jan 17 19:27:33 torexit unb