Diffstat (limited to 'doc')

-rw-r--r-- doc/TUNING | 60
-rw-r--r-- doc/tor-resolve.1.txt | 5
-rw-r--r-- doc/tor.1.txt | 26

3 files changed, 87 insertions, 4 deletions
diff --git a/doc/TUNING b/doc/TUNING index a4bf386dd6..90bd120aa1 100644 --- a/doc/TUNING +++ b/doc/TUNING 
@@ -35,6 +35,66 @@ when it launches tor service (see launchd.plist(5) manpage). Also, kern.ipc.maxsockets is determined dynamically by the system and thus is read-only on OS X. +OpenBSD +------- + +For recent versions of OpenBSD (5.5 and 5.6, and probably older releases +as well), the maximum number of file descriptors that can be opened is +7030: + +http://unix.stackexchange.com/questions/104929/does-openbsd-have-a-limit-to-the-number-of-file-descriptors/104948#104948 + +The maximum number of file descriptors that an OpenBSD machine can have +open is stored in the sysctl variable kern.maxfiles. This value defaults +to 7030 - to verify this, run sysctl kern.maxfiles. + +To immediately change a running system's file descriptor limit to, for +example, 20,000 files, run sudo sysctl kern.maxfiles=20000. All sysctl +variables are reset upon reboot using defaults and /etc/sysctl.conf, so +to make your change permanent you must add the line kern.maxfiles=20000 +to /etc/sysctl.conf. + +One can also change a maximum number of allowed file descriptors for Tor +daemon alone by editing /etc/rc.d/tor and adding the following lines: + +tor:\ + :openfiles-max=8192:\ + :tc=daemon: + +However, there are stricter limits set on users. This is a security +feature intended to prevent one user from choking out others by opening +all possible file descriptors. + +The stricter limits are set in /etc/login.conf. This config file sets +resource access rules for user classes. You should be running +Tor as a non-privileged daemon user '_tor', which belongs to the 'daemon' +class. It will therefore be subject to the 'default' and 'daemon' rules. +There are two relevant rules: openfiles-cur and openfiles-max. The prior +is the initial limit upon login - the soft limit. The latter is the maximum +limit that can be set using 'ulimit -n' or setrlimit() without editing +/etc/login.conf and rebooting. This is known as the hard limit. 
+ +Without editing /etc/login.conf, daemon-owned processes have +soft limit of 512 open files and a hard limit of 1024 open files. +Tor can increase the soft limit as needed, so you will therefore +eventually get warnings about running out of available file descriptors +once Tor reaches ~1024 open files. + +To increase the hard limit, add the following line to the daemon class +rules in /etc/login.conf: + +tor:\ + :openfiles-max=8192:\ + :tc=daemon: + +Upon restarting the machine, Tor will be able to open up to 6500 file +descriptors. + +Be aware that, by doing this, you are bypassing a security and stability +feature of the OS. If you are running your relay on a weak or old system, +watch your system load to ensure that it can handle this many open files. +Also, Tor may interfere with any other programs that open many files. + Disclaimer ---------- diff --git a/doc/tor-resolve.1.txt b/doc/tor-resolve.1.txt index 341d302244..30e16d5daa 100644 --- a/doc/tor-resolve.1.txt +++ b/doc/tor-resolve.1.txt @@ -14,7 +14,7 @@ tor-resolve - resolve a hostname to an IP address via tor SYNOPSIS -------- -**tor-resolve** [-4|-5] [-v] [-x] __hostname__ [__sockshost__[:__socksport__]] +**tor-resolve** [-4|-5] [-v] [-x] [-p __socksport__] __hostname__ [__sockshost__[:__socksport__]] DESCRIPTION ----------- @@ -40,6 +40,9 @@ OPTIONS Use the SOCKS4a protocol rather than the default SOCKS5 protocol. Doesn't support reverse DNS. +**-p** __socksport__:: + Override the default SOCKS port without setting the hostname. + SEE ALSO -------- **tor**(1), **torify**(1). + diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 9b491f7635..99ab8cb0b3 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt 
@@ -273,7 +273,7 @@ GENERAL OPTIONS all sockets will be set to this limit. Must be a value between 2048 and 262144, in 1024 byte increments. Default of 8192 is recommended. -[[ControlPort]] **ControlPort** __PORT__|**auto**:: +[[ControlPort]] **ControlPort** __PORT__|**unix:**__path__|**auto**:: If set, Tor will accept connections on this port and allow those connections to control the Tor process using the Tor Control Protocol (described in control-spec.txt). Note: unless you also specify one or @@ -294,7 +294,7 @@ GENERAL OPTIONS [[ControlSocket]] **ControlSocket** __Path__:: Like ControlPort, but listens on a Unix domain socket, rather than a TCP - socket. (Unix and Unix-like systems only.) + socket. '0' disables ControlSocket (Unix and Unix-like systems only.) [[ControlSocketsGroupWritable]] **ControlSocketsGroupWritable** **0**|**1**:: If this option is set to 0, don't allow the filesystem group to read and @@ -483,6 +483,11 @@ GENERAL OPTIONS in accordance to RFC 1929. Both username and password must be between 1 and 255 characters. +[[SocksSocketsGroupWritable]] **SocksSocketsGroupWritable** **0**|**1**:: + If this option is set to 0, don't allow the filesystem group to read and + write unix sockets (e.g. SocksSocket). If the option is set to 1, make + the SocksSocket socket readable and writable by the default GID. (Default: 0) + [[KeepalivePeriod]] **KeepalivePeriod** __NUM__:: To keep firewalls from expiring connections, send a padding keepalive cell every NUM seconds on open connections that are in use. If the connection 
@@ -948,7 +953,7 @@ The following options are useful only for clients (that is, if the same circuit. Currently, two addresses are "too close" if they lie in the same /16 range. (Default: 1) -[[SOCKSPort]] **SOCKSPort** \['address':]__port__|**auto** [_flags_] [_isolation flags_]:: +[[SOCKSPort]] **SOCKSPort** \['address':]__port__|**unix:**__path__|**auto** [_flags_] [_isolation flags_]:: Open this port to listen for connections from SOCKS-speaking applications. Set this to 0 if you don't want to allow application connections via SOCKS. Set it to "auto" to have Tor pick a port for @@ -2090,6 +2095,12 @@ The following options are used to configure a hidden service. found in the hostname file. Clients need to put this authorization data in their configuration file using **HidServAuth**. +[[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**:: + If set to 1, then connections to unrecognized ports do not cause the + current hidden service to close rendezvous circuits. (Setting this to 0 is + not an authorization mechanism; it is instead meant to be a mild + inconvenience to port-scanners.) (Default: 0) + [[RendPostPeriod]] **RendPostPeriod** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**:: Every time the specified period elapses, Tor uploads any rendezvous service descriptors to the directory servers. This information is also 
@@ -2251,6 +2262,15 @@ The following options are used for running a testing Tor network. In order for this option to have any effect, **TestingTorNetwork** has to be set. +[[TestingDirAuthVoteHSDir]] **TestingDirAuthVoteHSDir** __node__,__node__,__...__:: + A list of identity fingerprints and country codes and + address patterns of nodes to vote HSDir for regardless of their + uptime and ORPort connectivity. See the **ExcludeNodes** option for more + information on how to specify nodes. + + + In order for this option to have any effect, **TestingTorNetwork** + and **VoteOnHidServDirectoriesV2** both have to be set. + [[TestingEnableConnBwEvent]] **TestingEnableConnBwEvent** **0**|**1**:: If this option is set, then Tor controllers may register for CONN_BW events. Changing this requires that **TestingTorNetwork** is set. |
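Review bot: In the doc/TUNING hunk, the block introduced with "editing /etc/rc.d/tor and adding the following lines" is login.conf class syntax (`tor:\`, `:openfiles-max=8192:\`, `:tc=daemon:`), which an rc.d script does not interpret, and the same three lines reappear later under the heading that actually belongs to /etc/login.conf; drop the first copy or replace it with a mechanism rc.d supports. The second copy also needs care: it defines a new login class `tor` that inherits from `daemon`, so it only changes anything if the `_tor` user is assigned to that class, yet the surrounding text says `_tor` "belongs to the 'daemon' class", calls the addition "the following line" (it is three) and says it goes into "the daemon class rules". The figures disagree as well: the block sets openfiles-max=8192, but the next paragraph says Tor "will be able to open up to 6500 file descriptors". Smaller wording points in the same hunk: "The prior is the initial limit" should read "The former", and "daemon-owned processes have soft limit of 512" is missing "a".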
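Review bot: In the first doc/tor-resolve.1.txt hunk (SYNOPSIS), the new `[-p __socksport__]` coexists with the positional `[__sockshost__[:__socksport__]]`, so the SOCKS port can now be given twice; say which one wins when both are supplied, or state that they are mutually exclusive.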
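Review bot: In the second doc/tor-resolve.1.txt hunk (OPTIONS), "Override the default SOCKS port without setting the hostname." is ambiguous, because __hostname__ in this man page is the name being resolved while the thing `-p` lets you omit is the SOCKS server address; suggest "Override the default SOCKS port without having to specify __sockshost__." The same hunk also adds a stray empty `+` line after the SEE ALSO entry, i.e. a trailing blank line at end of file, which should be dropped.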
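Review bot: In the doc/tor.1.txt hunk at @@ -273 (ControlPort), the syntax line gains **unix:**__path__ but the body underneath still begins "If set, Tor will accept connections on this port", so the new form is never explained. Add a sentence saying that `unix:path` listens on a Unix domain socket at that path (the ControlSocket entry in the next hunk already describes that behaviour and can be referenced), and, since the ControlSocketsGroupWritable entry visible in the context speaks of "unix sockets (e.g. ControlSocket)", state whether that option also governs the permissions of a `ControlPort unix:` socket.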
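Review bot: In the doc/tor.1.txt hunk at @@ -483 (SocksSocketsGroupWritable), both "(e.g. SocksSocket)" and "make the SocksSocket socket readable and writable" refer to an option name that appears nowhere in this patch; the unix-socket SOCKS listener this change adds is `SOCKSPort unix:path`. Suggest "write unix sockets opened by **SOCKSPort unix:**__path__" and "make those sockets readable and writable by the default GID", otherwise readers will look for a SocksSocket option that is not documented.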
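Review bot: In the doc/tor.1.txt hunk at @@ -948 (SOCKSPort), only the syntax line learns about **unix:**__path__; the body still says "Open this port to listen" and "Set this to 0", with no mention of what a path argument does or whether the [_flags_] and [_isolation flags_] apply to it. Describe the unix: form and cross-reference SocksSocketsGroupWritable, since that option decides whether the filesystem group, rather than only the owner, can reach the SOCKS listener.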
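Review bot: In the doc/tor.1.txt hunk at @@ -2090 (HiddenServiceAllowUnknownPorts), the default behaviour is only implied: the entry says what 1 does and then, in parentheses, what 0 is not. Stating it directly ("With the default of 0, a connection to a port the service does not expose closes the rendezvous circuit") would make the "mild inconvenience to port-scanners" remark land, and the two adjacent parentheticals "(Setting this to 0 ...)" and "(Default: 0)" could then be folded into one.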
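Review bot: In the doc/tor.1.txt hunk at @@ -2251 (TestingDirAuthVoteHSDir), there are two consecutive added blank lines between "information on how to specify nodes." and "In order for this option to have any effect", where the sibling Testing* entries use one; remove one of them so the second paragraph stays attached to the list item. Also "identity fingerprints and country codes and address patterns" reads better as "identity fingerprints, country codes, and address patterns".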