Re: [tor-relays] How to limit number of sockets used?
On Tue, Apr 09, 2013 at 10:19:38PM -0400, Steve Snyder wrote:
> I am running Tor v0.2.3.25 in a VPS that limits me to a max of 4096
> sockets in use. How can I instruct Tor not to attempt to use more
> than this number?
>
> Yes, I know about ConstrainedSockets/ConstrainedSockSize, but the
> way I read these it limits the amount of memory used, not the socket
> count.
>
> Advice, please? Thanks.

I believe there is no such feature currently.

How should it work? That is, which connections should it refuse?

Currently we assume that all relays are able to reach all other relays. Otherwise we get into the situation where the network isn't a clique, and anonymity analysis from path selection gets complex really quickly ("I saw the connection from that relay, so the hop before that couldn't have been this other relay because there's no link, therefore ...")

--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] How to limit number of sockets used?
I am running Tor v0.2.3.25 in a VPS that limits me to a max of 4096 sockets in use. How can I instruct Tor not to attempt to use more than this number?

Yes, I know about ConstrainedSockets/ConstrainedSockSize, but the way I read these it limits the amount of memory used, not the socket count.

Advice, please? Thanks.
Re: [tor-relays] Can you double check my exit policy for usefulness while minimizing complaints
On 04/09/2013 01:26 PM, Mike Perry wrote:
> Thus spake Nate Homier (t...@universal-mechanism.org):
>
>> I was wondering if I have a good compromise between not allowing
>> BitTorrent and allowing enough ports to be useful. Here's mine.
>
> I think the better question is "Why do you think you should remove the
> ports you removed from the ReducedExitPolicy?"
>
> If you can't answer that question, you should just use the
> ReducedExitPolicy.
>
>> How does this compare with this policy located here:
>> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
>>
>> Should I use the official Tor reduced policy or is mine good enough to
>> be useful while minimizing complaints.
>
> If you're already going to run an exit, it is best to be as permissive
> as possible. It is a bad idea to arbitrarily restrict the apps that people
> can use Tor for without very good reason.
>
> After you remove bittorrent, most of the abuse mail you'll get will be
> due to 80 and 443 anyway. There are also technical reasons to avoid
> having 1000 slightly different versions of the reduced exit policy.
>
> Hence the reduced policy allows every app port that we could find in
> use, *except* bittorrent.
>

Good argument. I'll just use the official reduced policy. I removed the ports in an effort to block BitTorrent, but I see your point.

Nate
Re: [tor-relays] BitTorrent complaint
On Tue, 9 Apr 2013 22:59:06 +0600 Roman Mamedov wrote:
> On Tue, 9 Apr 2013 12:50:09 -0400
> krishna e bera wrote:
>
> > So at the risk of being labelled a BadExit (or at best a non-net-neutral
> > exit) i blocked all of ThePirateBay's ip addresses from my exit node for a
> > while.
>
> I assume you mean firewall-based blocking? You could have simply rejected
> those IPs via ExitPolicy (see "man tor"). That's a clear-cut way to tell the
> network you don't accept connections to those IPs, and no risk of being
> labeled a BadExit.

The latter. I don't know if it complicates routing decisions in the Tor network to have lots of ip address exceptions at the exits...
Re: [tor-relays] Can you double check my exit policy for usefulness while minimizing complaints
Thus spake Nate Homier (t...@universal-mechanism.org):

> I was wondering if I have a good compromise between not allowing
> BitTorrent and allowing enough ports to be useful. Here's mine.

I think the better question is "Why do you think you should remove the ports you removed from the ReducedExitPolicy?"

If you can't answer that question, you should just use the ReducedExitPolicy.

> How does this compare with this policy located here:
> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
>
> Should I use the official Tor reduced policy or is mine good enough to
> be useful while minimizing complaints.

If you're already going to run an exit, it is best to be as permissive as possible. It is a bad idea to arbitrarily restrict the apps that people can use Tor for without very good reason.

After you remove bittorrent, most of the abuse mail you'll get will be due to 80 and 443 anyway. There are also technical reasons to avoid having 1000 slightly different versions of the reduced exit policy.

Hence the reduced policy allows every app port that we could find in use, *except* bittorrent.

--
Mike Perry
[tor-relays] Can you double check my exit policy for usefulness while minimizing complaints
I was wondering if I have a good compromise between not allowing BitTorrent and allowing enough ports to be useful. Here's mine.

ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy accept *:22 # ssh
ExitPolicy accept *:80 # www
ExitPolicy accept *:443 # www secure
ExitPolicy accept *:110 # pop3
ExitPolicy accept *:143 # imap
ExitPolicy accept *:995 # pop3 secure
ExitPolicy accept *:6660-6669 # irc
ExitPolicy accept *:6697 # irc ssl
ExitPolicy accept *:7000-7001 # irc ssl
ExitPolicy accept *:706 # silc
ExitPolicy accept *:1863 # msn
ExitPolicy accept *:5050 # yahoo messenger
ExitPolicy accept *:5190 # various im programs
ExitPolicy accept *:5222 # various im programs
ExitPolicy accept *:5223 # various im programs
ExitPolicy accept *:8300 # im
ExitPolicy accept *: # www
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy reject *:* # no exits allowed

How does this compare with this policy located here:
https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

Should I use the official Tor reduced policy or is mine good enough to be useful while minimizing complaints.

Nate
Re: [tor-relays] BitTorrent complaint
On Tue, 9 Apr 2013 18:01:40 +0100 mick allegedly wrote:
>
> Though personally I'm with Romanov here.

Correction. "Roman" (forgive me Roman).

Mick

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
Re: [tor-relays] BitTorrent complaint
On 04/09/2013 07:01 PM, mick wrote:
> Though personally I'm with Romanov here. Just relay with no exit until
> you have a better feel for tor.
>
> Mick

I guess you are right. Thanks for the tips.

- Bartels
Re: [tor-relays] BitTorrent complaint
On Tue, 09 Apr 2013 18:33:26 +0200 bartels allegedly wrote:
> On 04/09/2013 06:24 PM, Steve Snyder wrote:
> > Just make life easy for yourself and use the Reduced Exit Policy:
> >
> > https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> Good advice. Had not seen that.
>
> Must say it is a pretty loose list. I do not see the point in
> accessing a squid proxy server over tor. It sort of defeats the
> purpose.

Or if you really feel you /must/ run an exit at this stage, try limiting yourself to just http and https.

ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*

Though personally I'm with Romanov here. Just relay with no exit until you have a better feel for tor.

Mick

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
Re: [tor-relays] BitTorrent complaint
On Tue, 9 Apr 2013 12:50:09 -0400 krishna e bera wrote:
> So at the risk of being labelled a BadExit (or at best a non-net-neutral
> exit) i blocked all of ThePirateBay's ip addresses from my exit node for a
> while.

I assume you mean firewall-based blocking? You could have simply rejected those IPs via ExitPolicy (see "man tor"). That's a clear-cut way to tell the network you don't accept connections to those IPs, and no risk of being labeled a BadExit.

--
With respect,
Roman
Re: [tor-relays] BitTorrent complaint
On Tue, 09 Apr 2013 18:04:53 +0200 bartels wrote:
> On closer inspection, I find that bittorrent can run over the tor network,
> like any other traffic.

It doesn't run both ways because peers cannot be available for incoming connections, so users will find themselves eventually banned from servers or with lower transfer speeds for not sharing nicely. Also Tor does not (yet) carry UDP traffic. The possible exception is if the peers are entirely in onioncat space. BitTorrenters are really better off using I2P for anonymous bulk transfers though.

> Personally, I cannot afford complaints and spend time on legal issues;
> however groundless they may be it is not what I do.

I had the same problem with my ISP - they had no tolerance for the DMCA complaints and were not willing to just pass them on to me. So at the risk of being labelled a BadExit (or at best a non-net-neutral exit) i blocked all of ThePirateBay's ip addresses from my exit node for a while. That reduced DMCA complaints down to about 1 a year, but because i had clients' sites also running on my server and didn't want any risks i eventually went non-exit. It really depends what jurisdiction you are in.

> It leaves me with a question: how do the Paramount people know that my server
> carried their stuff?
> Did they download it themselves, or do they have their own bittorrent servers?
> They must be at either end, or am I mistaken?

They have agents who participate in BT swarms (and sometimes poison them), so they can see the ip addresses of seeders and other participants. Some government agencies such as FBI might work with them to enforce copyrights, so they may also have inside snooping info from some ISPs that are hosting torrent servers, or from machines which are those ISPs' gateways.

The US Commerce Department might consider it a threat to national security if American companies' "intellectual property" is vaguely threatened, so agencies such as NSA or CIA may be sharing info ad hoc under the table etc (remember ECHELON?).
Re: [tor-relays] BitTorrent complaint
On 04/09/2013 06:24 PM, Steve Snyder wrote:
> Just make life easy for yourself and use the Reduced Exit Policy:
>
> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

Good advice. Had not seen that.

Must say it is a pretty loose list. I do not see the point in accessing a squid proxy server over tor. It sort of defeats the purpose.

- bartels.
Re: [tor-relays] BitTorrent complaint
On Tuesday, April 9, 2013 12:04pm, "bartels" said:
> Forgive my ignorance, I am new to tor and learning.
> On closer inspection, I find that bittorrent can run over the tor network,
> like any other traffic.
> Personally, I cannot afford complaints and spend time on legal issues; however
> groundless they may be it is not what I do.

Just make life easy for yourself and use the Reduced Exit Policy:

https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

To use, just paste these lines into your torrc file.
Re: [tor-relays] BitTorrent complaint
On Tue, 09 Apr 2013 18:04:53 +0200 bartels wrote:
> Forgive my ignorance, I am new to tor and learning.
> On closer inspection, I find that bittorrent can run over the tor network,
> like any other traffic.
> Personally, I cannot afford complaints and spend time on legal issues;
> however groundless they may be it is not what I do.

Why don't you just NOT run a freaking EXIT NODE, if you are "new to tor and learning"?

Bittorrent can run over the tor network, also Child Pornography can run over the tor network, can you afford spending time on legal issues like this[1] ?

I'd say disable the Exit functionality immediately and only open it cautiously much later on, for the ports that you KNOW won't get you in trouble, or will get you in the kinds of trouble you are prepared to deal with.

[1] http://arstechnica.com/tech-policy/2012/11/tor-operator-charged-for-child-porn-transmitted-over-his-servers/

--
With respect,
Roman
Re: [tor-relays] BitTorrent complaint
Forgive my ignorance, I am new to tor and learning.

On closer inspection, I find that bittorrent can run over the tor network, like any other traffic. Personally, I cannot afford complaints and spend time on legal issues; however groundless they may be it is not what I do.

It leaves me with a question: how do the Paramount people know that my server carried their stuff? Did they download it themselves, or do they have their own bittorrent servers? They must be at either end, or am I mistaken?

Another thing is filtering on bittorrent. The tor site suggests a filter:
https://trac.torproject.org/projects/tor/wiki/BlockingBittorrent

Looking at it, I find it slightly flawed, because of the port numbers. Instead of using this:

    wget -qO- http://www.trackon.org/api/all | awk -F/ ' { print $3 }'

I would use:

    wget -qO- http://www.trackon.org/api/all | awk -F: '{ print $2 }' | awk -F/ ' { print $3 }'

It would explain why only most bittorrent traffic is blocked. Can anybody confirm this? I don't want to be the newbie messing up someone else's wiki.

- Bartels

On 04/09/2013 11:21 AM, bartels wrote:
> Hello Mo,
>
> Thanks for answering. My question was not really clear, but the issue is
> resolved anyway. The server was hacked and is re-installed. So, nothing to
> do with tor; the exit relay is up and running again.
>
> - Bartels
>
> On 04/09/2013 10:21 AM, Moritz Bartl wrote:
>> Hi,
>>
>> Most countries have liability exemptions for passing traffic. There is no
>> legal obligation to shut down or anything. See also
>> https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines .
>>
>> What is your question exactly?
>>
>> --Mo
>>
>> On 08.04.2013 18:28, bartels wrote:
>>> Hi People,
>>>
>>> Two days ago I opened two fast tor exit relays v2.3 on debian wheezy.
>>> Now I get complaints from paramount that I have unwittingly distributed
>>> Hansel and Gretel via BitTorrent
>>>
>>> 39585
>>> BitTorrent
>>>
>>> Can this be linked to tor, or is that impossible?
>>> I don't want to shut down tor for no reason.
>>>
>>> - Bartels.
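The port question raised in the post above, worked through on a constructed tracker list. This is an added example, not code from the post or from the wiki page; the function names, the sample hosts and the one-URL-per-line input format are assumptions. It goes one step past the post by adding a stricter variant that also handles bracketed IPv6 literals and blank lines.

```shell
#!/bin/sh
# Constructed tracker list, one announce URL per line (hypothetical hosts;
# the format of the trackon.org output is assumed, not taken from the page).
sample_trackers() {
cat <<'EOF'
http://tracker.example.org:6969/announce
udp://tracker.example.net:80/announce
http://tracker.example.com/announce
http://[2001:db8::1]:6969/announce
https://tracker.example.org:443/announce

EOF
}

# Wiki pipeline as quoted in the post: field 3 of a "/" split is the whole
# authority part, so a ":port" suffix stays attached to the host name.
hosts_wiki() { awk -F/ '{ print $3 }'; }

# Pipeline proposed in the post: split on ":" first, then on "/".
# Drops the port, but cuts a bracketed IPv6 literal at its first colon.
hosts_post() { awk -F: '{ print $2 }' | awk -F/ '{ print $3 }'; }

# Stricter variant (added here): skip lines without an authority part,
# unwrap [IPv6] literals, strip a trailing :port, lowercase, de-duplicate.
hosts_strict() {
    awk -F/ 'NF >= 3 && $3 != "" {
        a = $3
        if (substr(a, 1, 1) == "[") {
            a = substr(a, 2, index(a, "]") - 2)   # text between [ and ]
        } else {
            sub(/:[0-9]*$/, "", a)                # trailing :port, if any
        }
        if (a != "") print tolower(a)
    }' | LC_ALL=C sort -u
}

# Print the three results for the constructed sample.
for f in hosts_wiki hosts_post hosts_strict; do
    echo "== $f"
    sample_trackers | "$f"
done
```
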
[tor-relays] tor cpu usage
Hey,

I'm running a tor relay with version 0.2.4.11-alpha and there seems to be an issue about cpu usage. Usually when the bandwidth peaks (at about 10 MBit/s) the cpu is at about 25-35% load, however after a few days it gets stuck at 100%.

The notices-logfile, to my knowledge, does not indicate any weirdness. I'm attaching the "[warn]" section though:

Apr 04 18:19:16.000 [warn] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
Apr 04 18:19:16.000 [warn] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
Apr 06 20:38:18.000 [warn] Tried to establish rendezvous on non-OR or non-edge circuit.
Apr 06 21:01:05.000 [warn] Tried to establish rendezvous on non-OR or non-edge circuit.
Apr 07 04:35:49.000 [warn] eventdns: Unable to add nameserver 2001:4860:4860::: error 2
Apr 07 04:35:49.000 [warn] eventdns: Unable to add nameserver 2001:4860:4860::8844: error 2

Unfortunately I don't do any statistics so I can't relate a specific event with the spiking cpu load.

Does anybody else experience this? What could cause this? How can I fix it?

Martin
Re: [tor-relays] BitTorrent complaint
Hello Mo,

Thanks for answering. My question was not really clear, but the issue is resolved anyway. The server was hacked and is re-installed. So, nothing to do with tor; the exit relay is up and running again.

- Bartels

On 04/09/2013 10:21 AM, Moritz Bartl wrote:
> Hi,
>
> Most countries have liability exemptions for passing traffic. There is no
> legal obligation to shut down or anything. See also
> https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines .
>
> What is your question exactly?
>
> --Mo
>
> On 08.04.2013 18:28, bartels wrote:
>> Hi People,
>>
>> Two days ago I opened two fast tor exit relays v2.3 on debian wheezy.
>> Now I get complaints from paramount that I have unwittingly distributed
>> Hansel and Gretel via BitTorrent
>>
>> 39585
>> BitTorrent
>>
>> Can this be linked to tor, or is that impossible?
>> I don't want to shut down tor for no reason.
>>
>> - Bartels.
Re: [tor-relays] BitTorrent complaint
Hi,

Most countries have liability exemptions for passing traffic. There is no legal obligation to shut down or anything. See also https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines .

What is your question exactly?

--Mo

On 08.04.2013 18:28, bartels wrote:
> Hi People,
>
> Two days ago I opened two fast tor exit relays v2.3 on debian wheezy.
> Now I get complaints from paramount that I have unwittingly distributed
> Hansel and Gretel via BitTorrent
>
> 39585
> BitTorrent
>
>
> Can this be linked to tor, or is that impossible?
> I don't want to shut down tor for no reason.
>
> - Bartels.

--
Moritz Bartl
https://www.torservers.net/