From owner-freebsd-pf@FreeBSD.ORG Sun Nov 29 16:05:41 2009
From: "B. Cook" <bcook@poughkeepsieschools.org>
To: freebsd-pf@freebsd.org
Date: Sun, 29 Nov 2009 10:20:11 -0500
Message-ID: <4B12912B.6080900@poughkeepsieschools.org>
Subject: trying to figure out how to altq single interface..

I'm trying to set up a valid test case on a single machine running FreeBSD 8.0R (amd64 and i386).

It seems all of the pf/altq examples assume that FreeBSD is the router and you are working with more than one interface. I am trying to shape my traffic on a per-physical-server basis on a *single* interface where the NAT is performed elsewhere.

I understand the logic that you can only queue outgoing.

My goal is to have full bandwidth for the local network (interface speed) with ack priq if possible - and - have queues for services when the "not local network" users access them.

There are ASA devices further up the line from me which I have no control over; they are providing NAT. We have a large private network (10.20.0.0/18) but we have some machines that serve the public as well as serve the LAN. (Feel free to interject reality into my logic where need be.)

Here is what I have come up with as far as altq/queues is concerned:

pfctl -sq
queue root_bge0 on bge0 bandwidth 1Mb priority 0 cbq( wrr root ) {idef, iack, http, dns, mua, icmp, smtp, ssh}
queue idef on bge0 bandwidth 100Kb cbq( borrow default )
queue iack on bge0 bandwidth 100Kb priority 7 cbq( borrow )
queue http on bge0 bandwidth 800Kb priority 5 cbq( borrow )
queue dns on bge0 bandwidth 200Kb priority 6 cbq( borrow )
queue mua on bge0 bandwidth 800Kb priority 2 cbq( borrow )
queue icmp on bge0 bandwidth 50Kb priority 6
queue smtp on bge0 bandwidth 500Kb cbq( borrow )
queue ssh on bge0 bandwidth 100Kb priority 6 cbq( borrow ) {scp, term}
queue scp on bge0 bandwidth 80Kb priority 0
queue term on bge0 bandwidth 20Kb priority 7

(or if it matters - directly from pf.conf.local)

altq on $ext_if cbq bandwidth 1Mb queue { idef, iack, http, dns, mua, icmp, smtp, ssh }
queue idef bandwidth 10% cbq(default borrow)
queue iack bandwidth 10% cbq(borrow) priority 7
queue http bandwidth 80% cbq(borrow) priority 5
queue dns bandwidth 20% cbq(borrow) priority 6
queue mua bandwidth 80% cbq(borrow) priority 2
queue icmp bandwidth 5% priority 6
queue smtp bandwidth 50% cbq(borrow) priority 1
queue ssh bandwidth 10% cbq(borrow) priority 6 { scp, term }
queue scp bandwidth 80% priority 0
queue term bandwidth 20% priority 7

My question(s) are: When do I apply things to pass in and when do I apply to pass out?

It seems when I don't apply a queue rule to a pass in/out rule the default kicks in, which is fine; but why does it 'queue on inbound' when it can only 'queue on outbound'? Is keeping state what is altering that?

pfctl -sr | cat -n
     1  scrub in all no-df random-id fragment reassemble
     2  block return in log all
     3  block return in log quick from to any
     4  pass out on bge0 inet proto icmp from (bge0) to any keep state queue icmp
     5  pass out on bge0 inet proto udp from (bge0) to any port = domain keep state queue dns
     6  pass out on bge0 inet proto udp from (bge0) to any port = ntp keep state queue dns
     7  pass out on bge0 inet proto udp from (bge0) to any port = snmp keep state queue dns
     8  pass out on bge0 inet proto tcp from (bge0) to any port = ssh flags S/SA keep state queue(scp, term)
     9  block drop in log quick on ! bge0 inet from 10.20.0.0/25 to any
    10  block drop in log quick inet from 10.20.0.5 to any
    11  block drop in log quick inet from 10.20.0.4 to any
    12  block drop in log quick inet from 10.20.0.19 to any
    13  pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = domain keep state queue dns
    14  pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = ntp keep state queue dns
    15  pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = snmp keep state queue dns
    16  pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = syslog keep state queue dns
    17  pass in quick on bge0 inet proto udp from any to 10.20.0.19 port = domain keep state queue dns
    18  pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = smtp flags S/SA keep state
    19  pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = rsync flags S/SA keep state
    20  pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = ssh flags S/SA keep state queue(scp, term)
    21  pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = http flags S/SA keep state queue(http, iack)
    22  pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = https flags S/SA keep state queue(http, iack)
    23  pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2359 flags S/SA keep state queue(http, iack)
    24  pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2812 flags S/SA keep state queue(http, iack)
    25  pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = domain keep state
    26  pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = ntp keep state
    27  pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = snmp keep state
    28  pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = syslog keep state
    29  pass in quick on bge0 inet proto icmp from any to (bge0) icmp-type echoreq code 0 keep state

All of these rules might not quite be valid public services, but I was looking for real services that I could test with.

Also, AFAICT FreeBSD 8 is running with (approximately) version 4.1 of OpenBSD's PF; is that correct? Assumed from pftop compile output of:

cc -O2 -pipe -DHAVE_ALTQ=1 -fno-strict-aliasing -Wall -DOS_LEVEL=41 -std=gnu99 -fstack-protector -c pftop.c
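As an added check that is not part of the post, the script below parses the `pfctl -sq` output quoted above and reports, per parent queue, whether its children's bandwidths add up to more than the parent offers: pfctl refuses a single child wider than its parent, but CBQ loads siblings that together exceed it, which is why the hierarchy above loaded with its children summing to 265% of the 1Mb root. The sample text is the post's own `pfctl -sq` output; everything else here is assumed.

```python
"""Check a pf/ALTQ CBQ hierarchy as printed by `pfctl -sq`.

Added example, not from the post.  The sample text is the `pfctl -sq`
output quoted in the post above (bge0, 1Mb root)."""
import re

# Constructed from the post's `pfctl -sq` output.
PFCTL_SQ = """\
queue root_bge0 on bge0 bandwidth 1Mb priority 0 cbq( wrr root ) {idef, iack, http, dns, mua, icmp, smtp, ssh}
queue idef on bge0 bandwidth 100Kb cbq( borrow default )
queue iack on bge0 bandwidth 100Kb priority 7 cbq( borrow )
queue http on bge0 bandwidth 800Kb priority 5 cbq( borrow )
queue dns on bge0 bandwidth 200Kb priority 6 cbq( borrow )
queue mua on bge0 bandwidth 800Kb priority 2 cbq( borrow )
queue icmp on bge0 bandwidth 50Kb priority 6
queue smtp on bge0 bandwidth 500Kb cbq( borrow )
queue ssh on bge0 bandwidth 100Kb priority 6 cbq( borrow ) {scp, term}
queue scp on bge0 bandwidth 80Kb priority 0
queue term on bge0 bandwidth 20Kb priority 7
"""

QUEUE_RE = re.compile(
    r"^queue (?P<name>\S+) on (?P<ifname>\S+) bandwidth (?P<bw>[\d.]+)(?P<unit>[KMG]?b)"
    r"(?: priority (?P<prio>\d+))?"
    r"(?: cbq\((?P<opts>[^)]*)\))?"
    r"(?: \{(?P<children>[^}]*)\})?\s*$")
UNIT = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}   # pfctl prints decimal units
DEFAULT_PRIORITY = 1                                      # pfctl omits the default priority


def parse_queues(text):
    """Map queue name -> {bps, priority, opts, children} from `pfctl -sq` lines."""
    queues = {}
    for line in text.splitlines():
        m = QUEUE_RE.match(line.strip())
        if m is None:
            raise ValueError("unrecognised pfctl -sq line: %r" % line)
        queues[m["name"]] = {
            "bps": float(m["bw"]) * UNIT[m["unit"]],
            "priority": int(m["prio"]) if m["prio"] else DEFAULT_PRIORITY,
            "opts": set(m["opts"].split()) if m["opts"] else set(),
            "children": m["children"].replace(",", " ").split() if m["children"] else [],
        }
    return queues


def oversubscription(queues):
    """Ratio of the children's summed bandwidth to the parent's, per parent queue."""
    return {name: sum(queues[c]["bps"] for c in q["children"] if c in queues) / q["bps"]
            for name, q in queues.items() if q["children"]}


def check_hierarchy(queues):
    """Return human-readable findings; an empty list means the tree is consistent."""
    findings = []
    defaults = [n for n, q in queues.items() if "default" in q["opts"]]
    if len(defaults) != 1:
        findings.append("expected exactly one default queue, found %r" % defaults)
    for name, q in queues.items():
        for c in q["children"]:
            if c not in queues:
                findings.append("%s: child %s is not defined" % (name, c))
            elif queues[c]["bps"] > q["bps"]:
                findings.append("%s: wider than parent %s (pfctl rejects this)" % (c, name))
    for name, ratio in oversubscription(queues).items():
        if ratio > 1.0:
            findings.append("%s: children sum to %.0f%% of the parent, so the per-queue "
                            "guarantees cannot all be honoured under contention"
                            % (name, ratio * 100))
    return findings


if __name__ == "__main__":
    for finding in check_hierarchy(parse_queues(PFCTL_SQ)):
        print(finding)
```

On the pass in/pass out question: the queue is recorded with the state the matching rule creates, so a `pass in ... keep state queue dns` rule shapes the reply packets of that state as they leave bge0; nothing is queued on the inbound path.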
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 30 11:06:59 2009
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 30 Nov 2009 11:06:58 GMT
Message-Id: <200911301106.nAUB6wF5043507@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

37 problems total.
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 3 08:44:18 2009
From: Adam PAPAI <wooh@wooh.hu>
To: freebsd-pf@freebsd.org
Date: Thu, 03 Dec 2009 09:16:54 +0100
Message-ID: <4B1773F6.4040508@wooh.hu>
Subject: PF + load balancing over 100Mbit

Dear List,

I have a feeling that PF can't do perfect round-robin load balancing over 100Mbit.

When our PF server's (Dual Quad Core 3GHz with 8GB RAM) network traffic goes over 100Mbit, port 80's connect time increases to 3-5-10 sec instead of the stable 0.001-0.002 sec. The web servers feel good, they don't have load; the redundant master-slave database servers feel good, they don't have high load. So everything seems fine, except the connect time. (Our checker script asks only a HEAD request from the web servers.)

The internal network has a Gbit connection, as does the internet side.

Do you have any advice? Is it time to get a Layer 7 switch and do load balancing with it? Or is it possible to do it in a PF way without a Content Switch?

2 web servers and 2 database servers are involved.

[web 1] ---|
[web 2] ---|
[db 1]  ---|---[pf/web 3/default gw]---internet
[db 2]  ---|

For a while the web server on the PF server is down to test, but it does the same connection time with a running apache and without a running apache.

Any idea? Our internet traffic average is 100Mbit-130Mbit and the connect time makes me so sad.

Thanks in advance,

-- 
Adam PAPAI
NETIDEA Informatikai Szolgaltato Kft.
http://www.netidea.hu
E-mail: wooh@wooh.hu
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 3 09:28:35 2009
From: Gergely CZUCZY <phoemix@harmless.hu>
To: Adam PAPAI
Cc: freebsd-pf@freebsd.org
Date: Thu, 3 Dec 2009 10:13:27 +0100
Message-ID: <20091203101327.00004dac@unknown>
Subject: Re: PF + load balancing over 100Mbit traffic

On Thu, 03 Dec 2009 09:19:29 +0100 Adam PAPAI wrote:
> Dear List,
>
> I have a feeling that PF can't do perfect round-robin load balancing
> over 100Mbit.
>
> When our PF server's (Dual Quad Core 3GHz with 8GB RAM) network
> traffic goes over 100Mbit, port 80's connect time increases to
> 3-5-10 sec instead of the stable 0.001-0.002 sec. The web servers
> feel good, they don't have load; the redundant master-slave database
> servers feel good, they don't have high load. So everything seems
> fine, except the connect time. (Our checker script asks only a HEAD
> request from the web servers.)

Have you adjusted the TCP timeout parameters? This can be caused by the
standard 30sec timeouts and your state table getting filled up. I'd
check the following parameters:
- timeout tcp.{closing,finwait,closed}
- interval
- limit states

pftop can be a great help for checking pf's behaviour; it's available in ports.

> The internal network has a Gbit connection, as does the internet side.
>
> Do you have any advice? Is it time to get a Layer 7 switch and do
> load balancing with it? Or is it possible to do it in a PF way
> without a Content Switch?
>
> 2 web servers and 2 database servers are involved.
>
> [web 1] ---|
> [web 2] ---|
> [db 1]  ---|---[pf/web 3/default gw]---internet
> [db 2]  ---|
>
>
> For a while the web server on the PF server is down to test, but it
> does the same connection time with a running apache and without a
> running apache.
>
> Any idea? Our internet traffic average is 100Mbit-130Mbit and the
> connect time makes me so sad.
>
> Thanks in advance,
> --

Sincerely,
Gergely CZUCZY
Harmless Digital Bt
+36-30-9702963

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 3 11:19:44 2009
From: Adam PAPAI <wooh@wooh.hu>
To: freebsd-pf@freebsd.org
Date: Thu, 03 Dec 2009 12:19:42 +0100
Message-ID: <4B179ECE.6060208@wooh.hu>
Subject: Re: PF + load balancing over 100Mbit traffic [SOLVED]

Gergely CZUCZY wrote:
> On Thu, 03 Dec 2009 09:19:29 +0100
> Adam PAPAI wrote:
>
>> Dear List,
>>
>> I have a feeling that PF can't do perfect round-robin load balancing
>> over 100Mbit.
>>
>> When our PF server's (Dual Quad Core 3GHz with 8GB RAM) network
>> traffic goes over 100Mbit, port 80's connect time increases to
>> 3-5-10 sec instead of the stable 0.001-0.002 sec. The web servers
>> feel good, they don't have load; the redundant master-slave database
>> servers feel good, they don't have high load. So everything seems
>> fine, except the connect time. (Our checker script asks only a HEAD
>> request from the web servers.)
> Have you adjusted the TCP timeout parameters? This can be caused by the
> standard 30sec timeouts and your state table getting filled up. I'd
> check the following parameters:
> - timeout tcp.{closing,finwait,closed}
> - interval
> - limit states
>

Thanks, I really had to change the pf.conf and set the values below.

set limit states 40000
set timeout interval 5

In the future I should increase the limit states and reduce the timeout interval :)

Since I've changed the values, the connection time is between 0.001 and 0.004, and the traffic is over 110Mbit. \o/

Have a nice day :)

-- 
Adam PAPAI
NETIDEA Informatikai Szolgaltato Kft.
http://www.netidea.hu
E-mail: wooh@wooh.hu
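Why the default state table runs out under this kind of load, as an added calculation that is not from the thread: the simulation below feeds a steady stream of short HTTP connections through a state table with pf's documented default limit and purge interval, and then with the values Adam chose, covering the parameters Gergely listed and the fix above. The connection rate and per-connection active time are assumed; the 45 s tcp.finwait, the 10000-state limit and the 10 s purge interval are the defaults documented in pf.conf(5).

```python
"""Simulate pf's state table under a steady flow of short HTTP connections.

Added example, not from the thread.  Shows why `set limit states` at its
default fills up and how `set timeout interval` and a larger limit change
the picture.  Timeouts are pf.conf(5) defaults; the traffic figures are
assumed."""
from collections import deque

DEFAULT_LIMIT_STATES = 10000   # pf.conf(5): `set limit states` default
DEFAULT_INTERVAL = 10          # pf.conf(5): `set timeout interval` default, seconds
TCP_FINWAIT = 45               # pf.conf(5): `tcp.finwait` default; a cleanly closed
                               # connection keeps its state this long after both FINs
# Not modelled: adaptive.start/adaptive.end, which scale timeouts down as the
# table fills, and tcp.closing for connections that never finish closing.


def simulate(new_conn_per_sec, active_secs, limit, interval, duration):
    """One-second-step simulation of the state table.

    Every new connection needs a state; when the table is at `limit`, pf cannot
    create one and drops the packet (the client's SYN).  A state stays for the
    connection's active time plus TCP_FINWAIT, but is only removed by the purge
    that runs every `interval` seconds, so it lingers up to `interval` longer.
    Returns the peak occupancy and the number of SYNs that found no room."""
    lifetime = active_secs + TCP_FINWAIT
    batches = deque()          # (expiry, n_states), oldest first (constant lifetime)
    live = rejected = peak = 0
    for now in range(duration):
        if now % interval == 0:                    # purge run
            while batches and batches[0][0] <= now:
                live -= batches.popleft()[1]
        admitted = min(new_conn_per_sec, limit - live)
        rejected += new_conn_per_sec - admitted
        if admitted:
            batches.append((now + lifetime, admitted))
            live += admitted
        peak = max(peak, live)
    return {"peak_states": peak, "rejected_syns": rejected}


def states_needed(new_conn_per_sec, active_secs, interval):
    """Worst-case concurrent states: lifetime plus a full purge interval per connection."""
    return new_conn_per_sec * (active_secs + TCP_FINWAIT + interval)


if __name__ == "__main__":
    load = (300, 1)            # assumed: 300 new connections/s, each active ~1 s
    print("defaults:", simulate(*load, DEFAULT_LIMIT_STATES, DEFAULT_INTERVAL, 120))
    print("limit 40000, interval 5:", simulate(*load, 40000, 5, 120))
    print("states needed at defaults:", states_needed(*load, DEFAULT_INTERVAL))
```

Every state that could not be created is a dropped SYN (pfctl -si counts these under "memory"), and the client only retries after its SYN retransmit timer expires, which is where connect times of several seconds come from while the servers behind the box sit idle.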
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 4 09:42:30 2009
From: Maciej Wierzbicki <voovoos-fpf@killfile.pl>
To: freebsd-pf@freebsd.org
Date: Fri, 04 Dec 2009 10:42:14 +0100
Message-ID: <4B18D976.3070203@killfile.pl>
Subject: Re: PF + load balancing over 100Mbit traffic

Adam PAPAI wrote on 2009-12-03 09:19:
> Do you have any advice? Is it time to get a Layer 7 switch and do load
> balancing with it? Or is it possible to do it in a PF way without a
> Content Switch?

My advice is to use content switching via some 3rd-party software, for example HAProxy - a perfect tool for rr/lb. I have webclusters set up this way; some of them handle even 200-250Mbps at peak. No problems.

If you need any additional info, let me know.

-- 
* Maciej Wierzbicki * At paranoia's poison door *
* VOO1-RIPE *

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 5 14:09:59 2009
From: Nico De Dobbeleer <nico@elico-it.be>
To: freebsd-pf@freebsd.org
Date: Sat, 5 Dec 2009 15:09:52 +0100 (CET)
Message-ID: <6783768.102251260022192330.JavaMail.root@zimbra-store>
Subject: Limit connections doesn't work

Hello,

As with most public IPs, my servers are constantly under brute-force attack; see this example:

Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema from 173.10.126.226 port 50293 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 173.10.126.226 port 51507 ssh2
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 173.10.126.226 port 51929 ssh2
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 173.10.126.226 port 52321 ssh2
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith from 173.10.126.226 port 52650 ssh2
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 173.10.126.226 port 53087 ssh2
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 173.10.126.226 port 53447 ssh2
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 173.10.126.226 port 53852 ssh2

Now I want to limit the connections over ssh to a specific IP address, and I added the rules below for that.

------------------------------------------------------------------------------------------------------------------
#Tables
table persist file "/etc/pf.abusive_ips.block.list"
table persist

# Rules
block quick from
block quick from

# Limit connections per IP
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
--------------------------------------------------------------------------------------------------------------------

The only problem is that it doesn't work. These rules don't write the abusive IP to the abusive list file or to the table. Does anyone have an idea why it doesn't overload the IPs when the connections per IP are more than 10 or more than 3/15?

With kind regards,
Nico De Dobbeleer
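The sshd lines above are exactly the pattern a `max-src-conn-rate 3/15` rule is meant to catch, so as an added example that is not from the post, the script below replays a subset of them and flags a source once it opens more than 3 new sshd connections (one sshd[pid] per connection) inside a 15-second window, approximating the per-source new-connection count pf keeps for that option. The sample lines are copied from the log excerpt quoted above; the window handling is a sliding window, which is an approximation of pf's own counting.

```python
"""Replay sshd log lines and flag sources that exceed a new-connection rate,
approximating the per-source counting behind pf's `max-src-conn-rate 3/15`.

Added example, not from the post.  The sample lines are copied from the log
excerpt quoted above; no other input is used."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a subset of the post's sshd lines (syslog omits the year).
SAMPLE_LOG = """\
Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

EPOCH = datetime(1900, 1, 1)   # strptime fills in year 1900 when the log has none


def connections(log_text):
    """Yield (seconds, timestamp, ip) once per sshd process.

    Each sshd[pid] in the excerpt serves one client connection, so its first
    log line is the closest syslog gets to the moment pf created the state."""
    seen = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        key = (m["ip"], m["pid"])
        if key in seen:
            continue
        seen.add(key)
        t = (datetime.strptime(m["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
        yield t, m["ts"], m["ip"]


def overloads(log_text, max_conn=3, seconds=15):
    """Return {ip: (timestamp, count)} for each source at the moment it first
    exceeds max_conn new connections within a sliding window of `seconds`."""
    windows = defaultdict(deque)
    hits = {}
    for t, stamp, ip in sorted(connections(log_text)):
        w = windows[ip]
        w.append(t)
        while t - w[0] > seconds:        # drop connections older than the window
            w.popleft()
        if len(w) > max_conn and ip not in hits:
            hits[ip] = (stamp, len(w))
    return hits


if __name__ == "__main__":
    for ip, (stamp, n) in overloads(SAMPLE_LOG).items():
        print("%s: %d new connections within 15 s at %s" % (ip, n, stamp))
```

pf records an overloaded source only in the in-kernel table (pfctl -t NAME -T show lists it); the file named in `table ... persist file` is read when the ruleset loads and is never written by pf, so an empty file does not by itself mean the overload never fired.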