[Tor-BSD] OpenBSD pf rules...

George Rosamond george at ceetonetechnology.com
Fri Dec 12 09:18:56 EST 2014



Libertas:
> Excuse the delayed reply, but do you have any sources or reading 
> material you'd like to share on this? I've noticed that OpenBSD
> relays (mine and others') tend to underperform, and I'm beginning
> to suspect that there's an issue with high-connection-count network
> efficiency. It was always just a passing inkling, but I'm
> interested in learning more about pf's latency cost.

np for delayed reply... please reply either below or inline though.
Top-posting makes it difficult to carry a thread.

I don't know if pf is the issue.  AFAIK, OpenBSD doesn't, at least
by default, push the network traffic that FreeBSD does.  Netflix
initially dropped in default config boxes for their network with
straight FreeBSD 10.  It just worked and worked fast.  OpenBSD doesn't
just allow a huge number of open files/sockets by default for the sake
of security and sanity.

ipfw is generally considered lighter than pf, but it's something that
has always just been *said* in BSD circles for years.  I don't have
anything to show for it.  There may be comparisons out there.

The fundamental problem though, is actually proving what is and isn't
faster with Tor, going back to my GNN discussion.  You need to test it
on the Tor network itself, and due to the randomness of the
connections due to the nature of the network, you don't have much
control as you would in a lab.  Just testing in a lab environment
might show a faster, well-tweaked network stack, but it doesn't mean
it will reflect in the living, breathing Tor network.

A lot of network tweaking comes down to a bunch of sysctls, kern
options, NIC selection and configuration, not to mention the network
past the NIC.  So pick the best supported network card for your OS,
tweak the appropriate sysctls and kernel options based on limits(1),
netstat(1), etc.  Then, I think, wait and run the relay for a while to
see the amount of bandwidth relayed, the number of connections, etc.

I also think it might be worth pinging those people running
high-bandwidth Tor relays on BSDs, and see what they did.

Anyone else have input on this?

g
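A quick audit of the limits the message points at, as an added example that is not code from the thread: a POSIX sh script that reads the OpenBSD sysctls bounding how many sockets a relay can hold (kern.maxfiles, kern.somaxconn, kern.maxclusters) and flags any below an assumed minimum for a busy relay. The sample sysctl output and the thresholds are constructed assumptions, not OpenBSD or Tor defaults.

```shell
#!/bin/sh
# Audit the OpenBSD sysctl limits that cap how many simultaneous connections a
# Tor relay can hold. Assumed thresholds, not OpenBSD or Tor defaults.
# Constructed sample of `sysctl kern.maxfiles kern.somaxconn kern.maxclusters`
# output, used when the script is not running on the relay itself.
SAMPLE_SYSCTL='kern.maxfiles=7030
kern.somaxconn=128
kern.maxclusters=262144'

# Assumed minimums for a relay carrying thousands of circuits; tune to your box.
MIN_MAXFILES=65536     # system-wide open file descriptors (sockets included)
MIN_SOMAXCONN=1024     # listen(2) backlog ceiling for the ORPort
MIN_MAXCLUSTERS=131072 # mbuf clusters available to the network stack
# value_of KEY INPUT: print the value for KEY from "key=value" lines.
value_of() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# check_limits INPUT: print one verdict line per sysctl; exit status is the
# number of limits that are missing or below their minimum (0 = all fine).
check_limits() {
    input=$1
    low=0
    for spec in "kern.maxfiles:$MIN_MAXFILES" \
                "kern.somaxconn:$MIN_SOMAXCONN" \
                "kern.maxclusters:$MIN_MAXCLUSTERS"; do
        name=${spec%%:*}
        min=${spec#*:}
        val=$(value_of "$name" "$input")
        if [ -z "$val" ]; then
            printf 'MISSING %s\n' "$name"
            low=$((low + 1))
        elif [ "$val" -lt "$min" ]; then
            printf 'LOW %s=%s (want >= %s)\n' "$name" "$val" "$min"
            low=$((low + 1))
        else
            printf 'ok %s=%s\n' "$name" "$val"
        fi
    done
    return "$low"
}
# On the relay, run with --live to read the real values via sysctl(8).
if [ "${1:-}" = "--live" ]; then
    input=$(sysctl kern.maxfiles kern.somaxconn kern.maxclusters)
else
    input=$SAMPLE_SYSCTL
fi
check_limits "$input" || echo "$? limit(s) need attention"
```

kern.maxfiles is only the system-wide cap; the tor process's own descriptor limit comes from login.conf(5) / ulimit -n and is not read by this check.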
