From: Dan Pritts
To: Patrick Mahan
Cc: freebsd-pf@freebsd.org
Date: Mon, 23 Aug 2010 11:08:33 -0400
Subject: Re: PF newbie questions
Message-ID: <20100823150831.GB10713@maniac.deathstar.org>
In-Reply-To: <32AB5C9615CC494997D9ABB1DB12783C024C875098@SJ-EXCH-1.adaranet.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Aug 19, 2010 at 05:44:26PM -0700, Patrick Mahan wrote:
> I am just a little concerned over the potential for impact to the
> throughput by the re-assembling of an IP packet from its fragments.
> However, it seems to me that limiting it to 0 is a bit drastic. Shouldn't
> it be something like a 4-8 packet limit?

hi Patrick -

My slightly-educated guess is that you are right to have performance
concerns.

pf comes from openbsd. relatively speaking, openbsd doesn't care about
performance; they care about security and correctness.

They are the same folks behind openssh, and they have refused requests to
merge patches that *drastically* improve openssh transfer speeds over WANs:

  http://www.psc.edu/networking/projects/hpn-ssh/
  http://www.psc.edu/networking/projects/hpn-ssh/faq.php (near bottom)

Also, note the example configurations in the pf faq:

  http://www.openbsd.org/faq/pf/queueing.html

basically, home users and companies with T1 lines.

how easily the issues you note can be dealt with without affecting
security I do not know. Surely, it would be much more complex to do
effective firewall filters of IP fragments than it is to use the current
approach.

As a practical concern for that one, I don't know what your product does,
but do you really expect to transfer many fragmented packets?

I'd also note that the current freebsd pf code is based on an old snapshot
from openbsd. depending on your product plans you might want to wait/join
the effort to merge a newer version; there has been some discussion on
this list.

if you are just looking for queueing, I assume you also know about ipfw
DUMMYNET; if not, check it out.

danno
--
dan pritts
ann arbor, mi, us
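For readers following the thread, here is what the two knobs under discussion look like in a pf.conf on the FreeBSD 8-era pf the message refers to: a bounded fragment-reassembly cache rather than a limit of 0, and ALTQ queueing of the kind the pf FAQ describes. This is an added illustration, not configuration posted by either participant; the interface name, the 1000-entry cap, the 1.5 Mbit/s uplink and the queue split are assumptions chosen for the example.

```conf
# pf.conf fragment (added illustration; interface name and numbers are assumptions)
ext_if = "em0"

# Bound the fragment reassembly cache instead of disabling it with 0.
# "frags" counts fragment entries held for reassembly (pf's default is 5000),
# so this caps kernel memory spent on partial datagrams; it does not rate-limit.
# Check the value in effect with:   pfctl -s memory
# Watch the "fragment" counter in:  pfctl -s info
set limit frags 1000

# Reassemble fragments before rules are evaluated, so filtering sees whole
# packets. no-df clears DF on the reassembled packet so it can be refragmented.
scrub in on $ext_if all fragment reassemble no-df

# ALTQ queueing on a T1-class uplink (kernel needs options ALTQ and ALTQ_CBQ).
altq on $ext_if cbq bandwidth 1.5Mb queue { std, ssh }
queue std bandwidth 80% cbq(default)
queue ssh bandwidth 20% priority 7

# Interactive ssh gets the high-priority queue; everything else the default.
pass out on $ext_if proto tcp from any to any port 22 keep state queue ssh
pass out on $ext_if all keep state queue std
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; if `pfctl -s info` shows the fragment counter climbing toward the cap on a production link, that is the signal that the limit, not the reassembly itself, is the throughput problem.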