Dennis Ljungmark:
> Hi,
> We're currently running 6 different 100-200Mbit relay/guard nodes, and
> are looking at some issues moving on towards high-performance exit nodes.
>
> There are some administrative issues (needing another IP block due to
> the RIPE registration; our ISP doesn't want their name on the exit nodes
> that we are responsible for), which are generally minor (and are being
> resolved anyhow), and then the big stumbling block.
>
> Right now, with iptables modifications (raw table hacks to disable
> conntrack, bucket increases, following the general best practices) our
> firewall is running at high amounts of CPU, but coping. However, once we
> start introducing exit nodes into this equation, things turn sour.
>
> So, since we do not want to trust only routing-level separation between
> exit nodes and internal networks, we're going to have to invest in new
> hardware that can cope with this. Before this, we tried Ingate firewalls,
> and they weren't capable of coping with the load of guard nodes.
>
> (The traditional "Linux box in front" doesn't quite cut it due to
> networking hardware in most cases.)
>
> So, in summary: when you get to the point of actively dealing with 8-900Mbps
> of Tor traffic (on top of normal users and others), what hardware is needed
> to cope with firewalling?
Hey Dennis,

What hardware are you using? In general iptables/netfilter should be able to handle more than 200Mb without any trouble at all. I wonder if your network card is an issue? What CPUs are you using? What versions of OpenSSL and other relevant software are in use?

All the best,
Jacob

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
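The quoted post mentions two concrete measures, raw-table rules that keep relay traffic out of conntrack and larger conntrack buckets, without showing them. The script below is an added example written for this page, not code from either poster; it only prints the commands it would run, so it can be reviewed before applying them on a firewall. The ORPort/DirPort numbers and the RAM figure are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the raw-table NOTRACK rules
# and a conntrack table size, and reports table pressure. Nothing here is
# executed against the kernel; the functions print the commands.
# Ports 9001/9030 and 4096 MiB below are assumptions for illustration.

# Emit iptables commands exempting the relay listener ports from conntrack.
# Packets marked NOTRACK never match state/ctstate rules, so each port also
# needs a plain ACCEPT in the filter table, or a stateful policy drops them.
tor_notrack_rules() {
    or_port="$1"
    dir_port="$2"
    for p in "$or_port" "$dir_port"; do
        echo "iptables -t raw -A PREROUTING -p tcp --dport $p -j NOTRACK"
        echo "iptables -t raw -A OUTPUT -p tcp --sport $p -j NOTRACK"
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp --sport $p -j ACCEPT"
    done
}

# Size the conntrack table from physical memory using the kernel's own
# default rule: one hash bucket per 16 KiB of RAM (minimum 1024 buckets)
# and four entries per bucket. Takes RAM in MiB, prints the commands.
conntrack_sizing() {
    mem_mib="$1"
    buckets=$(( mem_mib * 1024 * 1024 / 16384 ))
    if [ "$buckets" -lt 1024 ]; then
        buckets=1024
    fi
    max=$(( buckets * 4 ))
    echo "sysctl -w net.netfilter.nf_conntrack_max=$max"
    echo "echo $buckets > /sys/module/nf_conntrack/parameters/hashsize"
}

# Report table pressure from current entry count and configured maximum.
# On a live box read them from /proc/sys/net/netfilter/nf_conntrack_count
# and nf_conntrack_max; a full table means new flows are dropped.
conntrack_pressure() {
    count="$1"
    max="$2"
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge 80 ]; then
        echo "WARN ${pct}% of conntrack table in use"
    else
        echo "OK ${pct}% of conntrack table in use"
    fi
}

tor_notrack_rules 9001 9030
conntrack_sizing 4096
conntrack_pressure 900000 1048576
```

Traffic the exit itself originates uses ephemeral source ports and is not covered by the port-based rules above, which is consistent with the post's observation that adding exits is what pushes the firewall over the edge.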