From owner-freebsd-pf@FreeBSD.ORG Fri Nov 9 05:54:27 2012
Date: Fri, 9 Nov 2012 09:54:18 +0400
From: Gleb Smirnoff
To: "Anders N."
Cc: freebsd-questions@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: pf synproxy slowdown
Message-ID: <20121109055418.GU84182@FreeBSD.org>
In-Reply-To: <20121109054016.GA76137@baot.se>
References: <20121109054016.GA76137@baot.se>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Nov 09, 2012 at 05:40:16AM +0000, Anders N. wrote:
A> Hi. I've got a server running pf that has been displaying some odd (at least to me) behavior.
A>
A> I use the "synproxy state"[1] option quite a few times in my config without any ill effects that I've noticed until now. I realized it was on every open port except for ssh, so I added it to my ssh line:
A>
A> pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state
A>
A> After doing so, scp/sftp/rsync have all slowed down to a crawl! I get ~1/4th the speed I usually do from the server with it enabled there. Remove it, speed goes back to normal. I'm using synproxy state with some other services that send large amounts of data very quickly (http, torrents, etc.) and none of them exhibit this slowdown, so I'm wondering why scp is so slow with it. Here's the rest of my pf.conf, if it matters:

This is because the synproxy module doesn't know which TCP extensions the backend TCP stack supports, thus announces none to the remote peer. A connection created via a synproxy rule will support neither window scaling, nor SACK, nor timestamps. Obviously, this results in bad performance.

-- 
Totus tuus,
Glebius.
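An added illustration of the effect described in the reply above; this is example code written for this page, not part of the original thread and not pf's own code. It parses the option bytes of two hand-constructed SYN-ACKs (they are not captures from the poster's server): one from a full-featured TCP stack and one modelled on a synproxy-generated SYN-ACK, which is assumed here to carry only an MSS option, consistent with the explanation that no extensions are announced. It then computes the largest receive window each connection can ever use and the resulting bandwidth-delay throughput ceiling at a given RTT, which is where the slowdown on a bulk transfer such as scp comes from.

```python
"""
Added example (not from the original mailing-list thread): parse TCP
options from a SYN-ACK and show what missing window scaling costs a
bulk transfer. The option byte strings below are constructed by hand.
"""
import struct

# TCP option kinds (RFC 793, RFC 7323, RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the option bytes of a TCP header and report the negotiated
    extensions. Unknown options are skipped using their length byte;
    malformed lengths raise rather than silently misparse."""
    opts = {"mss": None, "wscale": None, "sack_ok": False, "timestamps": False}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts["wscale"] = body[0]
        elif kind == OPT_SACK_OK and length == 2:
            opts["sack_ok"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            opts["timestamps"] = True
        i += length
    return opts


def max_receive_window(opts: dict, advertised: int = 65535) -> int:
    """Largest window a peer can ever advertise on this connection: the
    16-bit field, shifted only if window scaling was negotiated."""
    shift = opts["wscale"] if opts["wscale"] is not None else 0
    return advertised << min(shift, 14)  # RFC 7323 caps the shift at 14


def throughput_ceiling_bytes_per_s(window_bytes: int, rtt_s: float) -> float:
    """Bandwidth-delay bound: at most one window in flight per round trip."""
    return window_bytes / rtt_s


# Constructed SYN-ACK option blocks (hand-encoded, not packet captures):
# full-featured stack: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7
FULL_SYNACK_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000002" "01" "030307")
# assumed shape of a synproxy-generated SYN-ACK: an MSS option and nothing else
SYNPROXY_SYNACK_OPTS = bytes.fromhex("020405b4")


def compare(rtt_s: float = 0.05) -> dict:
    """Throughput ceilings with and without the extensions at the given RTT."""
    full = parse_tcp_options(FULL_SYNACK_OPTS)
    proxied = parse_tcp_options(SYNPROXY_SYNACK_OPTS)
    return {
        "full_opts": full,
        "synproxy_opts": proxied,
        "full": throughput_ceiling_bytes_per_s(max_receive_window(full), rtt_s),
        "synproxy": throughput_ceiling_bytes_per_s(max_receive_window(proxied), rtt_s),
    }


if __name__ == "__main__":
    r = compare()
    print("negotiated through synproxy:", r["synproxy_opts"])
    print("ceiling at 50 ms RTT: %.1f MB/s (full) vs %.1f MB/s (synproxy)"
          % (r["full"] / 1e6, r["synproxy"] / 1e6))
```

Without window scaling the receive window is capped at 65535 bytes regardless of what either end's stack could otherwise do, so on a 50 ms path the connection cannot exceed about 1.3 MB/s; the loss of SACK and timestamps makes recovery from any drop slower on top of that. The arithmetic is the same for every port, which is why services whose transfers stay within that ceiling show no visible change while a single long scp stream does.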