From owner-freebsd-questions@FreeBSD.ORG Thu Feb 22 21:41:16 2007
Date: Thu, 22 Feb 2007 23:40:01 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: RW
Cc: freebsd-questions@freebsd.org
Subject: Re: PF slowing down file copies
Message-ID: <20070222214001.GC1781@kobe.laptop>
In-Reply-To: <20070222155223.0dd15975@gumby.homeunix.com>
References: <200702202021.55723.pablo.fernandez@rs.com.ar> <19861fba0702211038p3144271ey1e30cf67311678ef@mail.gmail.com> <20070222143030.0b858e86@gumby.homeunix.com> <20070222150418.GA3298@kobe.laptop> <20070222155223.0dd15975@gumby.homeunix.com>
List-Id: User questions

On 2007-02-22 15:52, RW wrote:
> On Thu, 22 Feb 2007 17:04:18 +0200
> Giorgos Keramidas wrote:
>> On 2007-02-22 14:30, RW wrote:
>>> On Wed, 21 Feb 2007 19:38:39 +0100
>>> J65nko wrote:
>>>> For keeping state on TCP connections you should only create state
>>>> on the first packet of the 3-way TCP handshake. Using "flags S/SA"
>>>> will ensure this. This will prevent problems with TCP window
>>>> scaling.
>>>
>>> Why? Creating a state entry causes subsequent packets, in the same
>>> TCP connection, to bypass the rules altogether.
>>
>> Because a state entry is a rule by itself. A special 'rule', but
>> still a rule. As such, each state-table entry requires a finite
>> amount of resources. Conserving resources, whenever possible, is a
>> good idea.
>>
>> Creating 10 packets for a connection whose 'traffic' requires 10 TCP
>> segments to be transmitted, and 9000 state entries for a TCP
>> connection whose data payload needs 9000 segments to be transmitted
>> is kind of silly. Especially since it is entirely legal and easy to
>> do the same thing with only 2 state entries (one for each connection).
>
> The way PF works is that it first checks if there is a state entry
> matching the packet's address, port and protocol; if there is, the
> state entry is used to determine what is done with the packet. Only if
> there is no matching entry is the ruleset used instead. As I already
> said, "Creating a state entry causes subsequent packets, in the same
> TCP connection, to bypass the rules altogether".
>
> The point of testing for S/SA is to avoid creating long-lived state
> entries for illegal or out-of-sequence packets. The state created by
> S/SA has a very short lifetime. This conserves resources and protects
> against some DOS attacks.

I see.

I've recently discovered that IPFilter v4.0.2 on Solaris 10 had a bug in
the state expiry code. States for packets without S/SA expire after 10
days, instead of a few seconds like the S/SA states.

I haven't verified that this doesn't apply to PF, but since PF is a very
different firewall I'll extract my foot from my mouth and go read the
source now :)
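The difference the thread is about, shown as a pf.conf fragment. This is an added example, not part of the mailing-list message or of PF's own documentation; the interface name `em0` and the port 22 service are assumptions. The first rule is the form older PF (as shipped with FreeBSD 6.x in 2007) used when no `flags` were given: any matching TCP packet, including a lone ACK or RST that arrives mid-stream, creates a state entry. The second rule creates state only for a packet with SYN set and ACK clear, i.e. the first packet of the three-way handshake; every later segment of that connection is then matched by the state entry, not by the ruleset. Since the SYN is also where TCP window scaling is negotiated, a state picked up mid-stream cannot track the scaled window, which is the "slowing down file copies" symptom the subject line refers to.

```pf
# Constructed example; ext_if and the port are assumptions, not values
# from the thread.
ext_if = "em0"

# Weak form (old PF default when no flags are given): a stray ACK, RST or
# out-of-sequence segment that matches here also gets a state entry, and
# PF never sees the SYN, so it cannot learn the window-scale factor.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Corrected form: of the flags S and A, only S may be set, so state is
# created for the handshake's first packet only. Later segments of the
# connection bypass the ruleset and are handled by the state entry.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# Stricter variant: SYN set, and ACK, FIN and RST all clear.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state
```

To check which form a running ruleset is using, `pfctl -s rules` prints each rule with its flags, and `pfctl -s state` lists the current state table; with the `flags S/SA` form, a packet that is not a SYN and matches no existing state produces no new entry there. Newer PF releases (OpenBSD 4.1 and later, and the FreeBSD versions that imported it) make `flags S/SA keep state` the default for TCP rules, so the explicit form mainly matters on the older versions this thread discusses or where the default has been overridden.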