[Tor-BSD] OpenBSD pf rules...
george at ceetonetechnology.com
Fri Dec 12 09:18:56 EST 2014
> Excuse the delayed reply, but do you have any sources or reading
> material you'd like to share on this? I've noticed that OpenBSD
> relays (mine and others') tend to underperform, and I'm beginning
> to suspect that there's an issue with high-connection-count network
> efficiency. It was always just a passing inkling, but I'm
> interested in learning more about pf's latency cost.
np for delayed reply... please reply either below or inline though.
Top-posting makes it difficult to carry a thread.
I don't know if pf is the issue. AFAIK, OpenBSD doesn't, at least
by default, push the network traffic that FreeBSD does. Netflix
initially dropped in default config boxes for their network with
straight FreeBSD 10. It just worked and worked fast. OpenBSD doesn't
just allow a huge number of open files/sockets by default for the sake
of security and sanity.
ipfw is generally considered lighter than pf, but it's something that
has always just been *said* in BSD circles for years. I don't have
anything to show for it. There may be comparisons out there.
The fundamental problem though, is actually proving what is and isn't
faster with Tor, going back to my GNN discussion. You need to test it
on the Tor network itself, and due to the randomness of the
connections due to the nature of the network, you don't have much
control as you would in a lab. Just testing in a lab environment
might show a faster, well-tweaked network stack, but it doesn't mean
it will reflect in the living, breathing Tor network.
A lot of network tweaking comes down to a bunch of sysctls, kern
options, NIC selection and configuration, not to mention the network
past the NIC. So pick the best supported network card for your OS,
tweak the appropriate sysctls and kernel options based on limits(1),
netstat(1), etc. Then, I think, wait and run the relay for a while to
see the amount of bandwidth relayed, the number of connections, etc.
I also think it might be worth pinging those people running
high-bandwidth Tor relays on BSDs, and see what they did.
Anyone else have input on this?
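The "watch the connection count against the descriptor limits" step above, as an added example that is not from this thread or from the Tor or OpenBSD projects: it assumes OpenBSD's `netstat -an -f inet` column layout and the `kern.maxfiles` sysctl, and the netstat lines and ceiling value are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise a relay's TCP
# connection states from netstat(1) output and compare the ESTABLISHED
# count with the kern.maxfiles ceiling (every socket costs a descriptor).
# SAMPLE_NETSTAT and SAMPLE_MAXFILES are CONSTRUCTED; on a live relay pipe
# in the real `netstat -an -f inet` and read `sysctl -n kern.maxfiles`.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.9001        198.51.100.7.44102     ESTABLISHED
tcp          0      0  192.0.2.10.9001        203.0.113.42.51234     ESTABLISHED
tcp          0      0  192.0.2.10.9001        203.0.113.8.40001      ESTABLISHED
tcp          0      0  192.0.2.10.9001        198.51.100.9.33001     TIME_WAIT
tcp          0      0  *.9001                 *.*                    LISTEN
udp          0      0  *.514                  *.*'
SAMPLE_MAXFILES=7030   # constructed sample; use the real sysctl value

# state_counts: one "STATE count" line per TCP state seen on stdin, sorted.
state_counts() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$NF]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# established_count: number of ESTABLISHED tcp rows on stdin (prints 0, never fails).
established_count() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" { n++ } END { print n + 0 }'
}

# fd_usage_pct CONNS MAXFILES: integer percentage of the descriptor ceiling
# taken by connections alone (the relay's other open files are not counted).
fd_usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo "bad maxfiles: $2" >&2; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# headroom_ok PCT [THRESHOLD]: exit 0 while usage is below THRESHOLD (default 80).
headroom_ok() {
    [ "$1" -lt "${2:-80}" ]
}

conns=$(printf '%s\n' "$SAMPLE_NETSTAT" | established_count)
pct=$(fd_usage_pct "$conns" "$SAMPLE_MAXFILES")
printf '%s\n' "$SAMPLE_NETSTAT" | state_counts
echo "established=$conns maxfiles=$SAMPLE_MAXFILES usage=${pct}%"
headroom_ok "$pct" || echo "warning: raise kern.maxfiles / openfiles before the relay hits the ceiling"
```

Run it periodically (cron or a loop) and log the output alongside the relay's bandwidth figures, so a rising ESTABLISHED count can be matched against the limits before connections start failing.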