Date: Mon, 23 Aug 2010 11:08:33 -0400
From: Dan Pritts <danno@umich.edu>
To: Patrick Mahan <PMahan@adaranet.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF newbie questions
Message-ID: <20100823150831.GB10713@maniac.deathstar.org>
In-Reply-To: <32AB5C9615CC494997D9ABB1DB12783C024C875098@SJ-EXCH-1.adaranet.com>
References: <32AB5C9615CC494997D9ABB1DB12783C024C875098@SJ-EXCH-1.adaranet.com>
On Thu, Aug 19, 2010 at 05:44:26PM -0700, Patrick Mahan wrote:
> I am just a little concerned over the potential for impact to the
> throughput by the re-assembling of an IP packet from its fragments.
> However, it seems to me that limiting it to 0 is a bit drastic. Shouldn't
> it be something like a 4-8 packet limit?

Hi Patrick -

My slightly-educated guess is that you are right to have performance
concerns.

pf comes from OpenBSD. Relatively speaking, OpenBSD doesn't care about
performance; they care about security and correctness. They are the same
folks behind OpenSSH, and they have refused requests to merge patches that
*drastically* improve OpenSSH transfer speeds over WANs:

http://www.psc.edu/networking/projects/hpn-ssh/
http://www.psc.edu/networking/projects/hpn-ssh/faq.php (near bottom)

Also, note the example configurations in the pf FAQ:

http://www.openbsd.org/faq/pf/queueing.html

Basically, home users and companies with T1 lines.

How easily the issues you note can be dealt with without affecting security
I do not know. Surely, it would be much more complex to do effective firewall
filters of IP fragments than it is to use the current approach.

As a practical concern for that one, I don't know what your product does,
but do you really expect to transfer many fragmented packets?

I'd also note that the current FreeBSD pf code is based on an old snapshot
from OpenBSD. Depending on your product plans you might want to wait for/join
the effort to merge a newer version; there has been some discussion on this
list.

If you are just looking for queueing, I assume you also know about ipfw
DUMMYNET; if not, check it out.

danno
--
dan pritts
ann arbor, mi, us
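For readers following the fragment-reassembly question in this exchange, here is an added pf.conf illustration; it is not part of the thread and not anything either poster wrote. It uses the FreeBSD 8-era pf syntax, in which scrub is its own rule type, and shows the two knobs that bound what reassembly can cost (the fragment pool size and the fragment timeout) next to the scrub rule that turns reassembly on. The interface name and the numeric values are assumptions chosen for the example, not recommendations from the list.

```pf
# Added example (not from the thread): fragment handling in a FreeBSD 8-era
# pf.conf.  The interface name and the numbers are assumptions for illustration.
ext_if = "em0"

# Bound the resources pf spends holding fragments that are waiting to be
# reassembled.  'frags' is the number of entries in the fragment pool
# (pfctl -sm prints the current hard limit); 'timeout frag' is how many
# seconds an incomplete datagram's fragments are kept before being dropped.
# A small pool and a short timeout cap the cost of a fragment flood, at the
# price of discarding legitimate fragments that arrive slowly.
set limit frags 2000
set timeout frag 10

# Reassemble each fragmented datagram before it reaches the filter rules,
# so pass/block decisions are made on a whole packet (with its TCP/UDP
# header) rather than on non-initial fragments that carry no ports or flags.
# 'fragment crop' and 'fragment drop-ovl' are the non-buffering alternatives
# in this pf version: they trim or drop overlapping fragments but do not
# reassemble, so the filter still sees fragments.
scrub in on $ext_if all fragment reassemble no-df

# Because of the scrub rule above, these rules operate on complete datagrams.
block in log on $ext_if all
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

To see whether reassembly is actually doing any work on a given box, `pfctl -si` reports a `fragment` counter alongside the other normalization counters, and `pfctl -sm` shows the `frags` hard limit in effect; if the fragment counter stays near zero under realistic traffic, the reassembly cost is not where the throughput is going.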