From: wishmaster
Date: Sun, 22 Dec 2013 21:50:30 +0200
Subject: Re: Network severely unstable 10.0-PRERELEASE
To: Berend de Boer
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

--- Original message ---
From: "Berend de Boer"
Date: 22 December 2013, 20:56:35

> Hi All,
>
> pf has not worked well for me after version 8. Certain rules crash the
> kernel
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=misc/182141). Avoiding
> these rules gave me something that at least kept the system alive on a
> 10-CURRENT.
>
> But since the RC versions my system stays up for only a few days,
> before I need a reboot as network connectivity gets reset.
>
> It's the modem (pppoe), every few minutes all tcp (?) connections get
> dropped somehow. A reboot fixes it for a week or so.
>
> I have no clue how to debug this.
>
> But I'm getting pretty scared of pf, and going back to ipfw might seem
> best.
>
> What are people's thoughts on pf in FreeBSD, does it have a future?
> Are there people working on pf? Should I simply forget about it, and
> go back to ipfw?
>

It's just my IMHO and experience. Pf in 10 is good, especially in the performance context (thx glebius@), but, unfortunately, yes, you should forget about pf if you are planning to use not only firewalling but shaper/prioritization too, due to the poor performance/flexibility of ALTQ, especially in the case of complex network topologies. Or you can use OpenBSD with the new "prio" queueing mechanism.

Cheers,
w