On Fri, Dec 14, 2007 at 09:34:36AM -0600, Scott Bennett wrote:

> Thank you. You just brought forward the thing that has been eluding
> my recollection since this thread started. Linksys routers do not have
> enough memory for the NAT table to run a tor exit server, and they do not

Are you sure OpenWRT on a Linksys can't handle the states with 32 MBytes
RAM, and a 0.2..0.5 MBit/s upstream? I've just looked at the state table
(256 kBit/s allocated to Tor middleman via Vidalia) in my pfSense 1.2 RC3,
and it has about 360 entries (pfSense uses about 1 k RAM/state). It should
be possible to handle some 5 k states with 32 MBytes of RAM, assuming
iptables (or whatever 2.4 uses) scale similarly.

IIRC just the other day someone mentioned a Tor package for pfSense -- was
that on this list?

> handle a table overflow condition gracefully. What happens when a SYN goes
> out at a time when the table is full is that the connection never happens,
> which is reasonable enough, but when table entries have later been freed,
> outbound connections continue to fail. This remains the situation until
> the router has been rebooted.

The states never expire? I'm running my router with most conservative
settings.

> In my experience, a Linksys router on a Comcast connection may run for
> days before the above described situation occurs, but OTOH, it may only run
> for an hour or two before it happens. It is conceivable that the same might
> occur for a middleman-only server, but far less likely because connections
> to the outside will normally be far fewer, given that many circuits, each
> with perhaps multiple streams, may be funneled through a single TCP connection
> with its corresponding NAT table entry. In the case of an exit server, every
> stream that exits needs its own NAT table entry.
> FWIW, a *BSD or LINUX system running as a router with natd(8) on it

Linksys uses Linux (VxWorks for its more braindead types of routers which
I know nothing about), but the default firmware is pretty pathetic. Once
again I very much recommend using pfSense (or m0n0wall) for your home
router on embedded hardware (the sky is the limit on nonembedded, I'm
running it on a SunFire X2100 M2 at work).

> will have no such problem because it doesn't suffer from the memory
> limitation. The same might also be true for Windows, but I shudder at the
> thought of trusting Windows as a router/firewall, and I don't know what is
> available as a NAT server in Windows.

--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
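An added illustration, not part of the thread and not code from any router firmware: a small Python model of a NAT state table that contrasts the two behaviours discussed above, a table whose idle entries time out and free their slots against one whose entries are never reclaimed, so that every new flow keeps failing after a single overflow until the table is cleared (the reboot Scott describes). The table size, per-state memory figure and timeouts are constructed values for the model, not measurements of any Linksys, OpenWRT or pfSense build, and the sizing helper only does the back-of-the-envelope arithmetic from the message (RAM left over divided by bytes per state).

```python
"""Toy model of a NAT / connection-tracking table under overflow.

Constructed example: table sizes, timeouts and flows below are made up to
show the failure mode, not taken from any real router.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# A flow is identified by (src addr, src port, dst addr, dst port); real
# conntrack keys also include the protocol, omitted here for brevity.
FlowKey = Tuple[str, int, str, int]


@dataclass
class NatTable:
    max_entries: int
    # Idle seconds before an entry is freed; None models a table whose
    # entries are never reclaimed (the "until rebooted" behaviour).
    timeout: Optional[float]
    entries: Dict[FlowKey, float] = field(default_factory=dict)  # key -> last seen
    refused: int = 0

    def expire(self, now: float) -> int:
        """Drop entries idle for at least `timeout` seconds; return how many."""
        if self.timeout is None:
            return 0
        stale = [k for k, last in self.entries.items() if now - last >= self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def open_flow(self, key: FlowKey, now: float) -> bool:
        """Try to create (or refresh) a state for `key`. False = SYN dropped."""
        self.expire(now)
        if key in self.entries:
            self.entries[key] = now
            return True
        if len(self.entries) >= self.max_entries:
            self.refused += 1
            return False
        self.entries[key] = now
        return True


def estimate_capacity(ram_bytes: int, reserved_bytes: int, bytes_per_state: int) -> int:
    """Rough number of states that fit once `reserved_bytes` is set aside
    for the kernel and daemons. Assumed numbers, not a measurement."""
    return max(0, (ram_bytes - reserved_bytes) // bytes_per_state)


def simulate(timeout: Optional[float], max_entries: int = 100,
             burst: int = 150, quiet_gap: float = 600.0):
    """Open `burst` distinct flows at t=0 (more than the table can hold),
    stay quiet for `quiet_gap` seconds, then try one more flow.
    Returns (accepted in burst, refused in burst, later flow accepted)."""
    table = NatTable(max_entries, timeout)
    accepted = sum(
        table.open_flow(("10.0.0.2", 40000 + i, "192.0.2.1", 443), 0.0)
        for i in range(burst)
    )
    refused_in_burst = table.refused
    later = table.open_flow(("10.0.0.2", 50000, "198.51.100.7", 80), quiet_gap)
    return accepted, refused_in_burst, later


if __name__ == "__main__":
    # Entries time out after 300 s: after a 600 s quiet gap the table is empty
    # again and the new flow succeeds.
    print("with expiry   :", simulate(300.0))
    # Entries never expire: the table stays full and the new flow fails too.
    print("without expiry:", simulate(None))
    # Assumed sizing: 32 MB box, 16 MB kept for everything else, 1 kB/state.
    print("states that fit:", estimate_capacity(32 * 2**20, 16 * 2**20, 1024))
```

The model deliberately ignores everything a real conntrack implementation does beyond counting slots (per-protocol timeouts, hash bucket limits, TCP state machine), so it only demonstrates the point at issue: an overflow is harmless if idle entries are reclaimed and fatal to all later flows if they are not.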

