When running a Tor relay behind a consumer-grade router (or a crappy piece of plastic like the routers provided by Vodafone), it can bring the router to a grinding halt. A Tor relay connects to multiple other relays, sometimes with 1000 connections or more. Turns out that the NAT implementation in those routers isn’t that good.
I was looking for a way to limit the connections a Tor relay can open. First I tried the good ol' iptables:
iptables -A INPUT -p tcp --syn --dport 9001 -m connlimit --connlimit-above 1000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
This limits the connections on port 9001 to 1000. Turns out, that wasn’t such a good idea. My relay appeared offline in the Tor relay search.
After asking on the mailing list, I got the hint that the way to go is not to block the connections in the firewall, but to limit the number of open files of the tor process.
My Tor relay is started by systemd, so I added LimitNOFILE=1000 to the unit. This limits the number of open file descriptors to 1000.
Turns out, this isn’t such a good idea either. The relay still appears offline. You need at least 6000 file descriptors to run a relay, which my crappy router doesn’t support. So I’m going to run a bridge.
But in case you want to limit Tor’s connection count, use the NOFILE limit.
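To check that the NOFILE limit actually reached the running tor process, and whether it clears the 6000-descriptor floor mentioned above, here is an added shell script (not from the original post). It reads /proc/<pid>/limits and /proc/<pid>/fd and assumes pidof is available; the 6000 figure is taken from the text, not measured here.

```shell
#!/bin/sh
# Added example: report a tor process's file-descriptor limit and usage.
# MIN_FDS is the floor quoted in the post; adjust if your relay differs.
MIN_FDS=6000

# Soft "Max open files" limit from a /proc/<pid>/limits-style file.
# Field layout: Max open files <soft> <hard> files  -> soft is $4.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Number of descriptors currently open: one entry per fd in /proc/<pid>/fd.
open_fd_count() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Print usage vs. limit; return 0 if the limit is at least MIN_FDS, else 1.
# $1 = path to a limits file, $2 = path to an fd directory.
check_fd_limit() {
    limit=$(nofile_soft_limit "$1")
    used=$(open_fd_count "$2")
    printf 'open fds: %s / soft limit: %s\n' "$used" "$limit"
    if [ "$limit" != "unlimited" ] && [ "$limit" -lt "$MIN_FDS" ]; then
        printf 'WARNING: limit below %s; relay will likely show as offline\n' "$MIN_FDS"
        return 1
    fi
    return 0
}

# Invoke with --live to inspect the running tor (first pid found by pidof).
if [ "${1:-}" = "--live" ]; then
    pid=$(pidof -s tor) && check_fd_limit "/proc/$pid/limits" "/proc/$pid/fd"
fi
```

Run it as `sh check_tor_fds.sh --live` on the relay host after restarting the unit; the soft limit it prints is what systemd's LimitNOFILE ended up applying.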