Date: Tue, 6 Jul 2010 19:41:55 +0200
From: Roland Smith <rsmith@xs4all.nl>
To: David Warren <davideugenewarren@gmail.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: 8.0 network problem
Message-ID: <20100706174155.GA56410@slackbox.erewhon.net>
In-Reply-To: <AANLkTinDRYNiCef9V_qRv5Ge2DotVjQep6M3guUwx35E@mail.gmail.com>
References: <AANLkTin4l7-UzDQW04voF6Lf-vMaHhCrvXP39GGsmgKG@mail.gmail.com> <20100705055105.GA21681@icarus.home.lan> <AANLkTim5X6YSsbU-HFiUy6PPG_bf0_Hymd7q7ozOsHaD@mail.gmail.com> <AANLkTinDRYNiCef9V_qRv5Ge2DotVjQep6M3guUwx35E@mail.gmail.com>
On Tue, Jul 06, 2010 at 01:06:25AM -0500, David Warren wrote:
> Hi again,
>
> Disabling pf definitely makes samba file transfers move faster (the
> speed varies quite a bit, but everything's faster than the single kilobytes
> per second I was seeing previously), but I'm perplexed about what's causing
> the slowdown. There's certainly some cruft in my pf.conf (below), but I'm
> not sure what might be strangling my LAN. Can anyone set me straight?

In general, check which rules are matched most with 'pfctl -vvs rules|less'.
Put the rules that are matched most first in the ruleset, adding the 'quick'
keyword where possible.

There is a FAQ on the OpenBSD site about pf, but it pertains to a newer
version than is available in FreeBSD!

> /etc/pf.conf:
> # macros
> int_if = "em0"
> wifi_if = "wlan0"
> ext_if = "nfe0"
>
> nat_opt = "192.168.0.5" # Windows box
> nat_cu = "192.168.0.1" # server
>
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

You might want to replace this by a table. It's supposed to be faster;

table <priv_nets> const { 127/8, 192.168/16, 172.16/12, 10/8 }

> # options

You could try and use ruleset optimization;

set ruleset-optimization profile

> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> # scrub
> scrub in
>
> # nat/rdr
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat on $ext_if from $wifi_if:network to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 22 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 6881:6999 -> $nat_opt
> rdr on $ext_if proto tcp from any to any port 34567:34575 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 993 -> $nat_opt
>
> # filter rules
> block in log

Try

block in log label "inblock"

Adding labels to your rules aids you in determining which ones are matched,
with 'pfctl -vvs labels'

> pass out keep state

I think keeping state is the default now.

> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
> flags S/SA keep state
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets

Use table syntax in combination with the table defined above;

block drop in quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>

> pass in inet proto icmp all icmp-type $icmp_types keep state

You might want to think about adding the "quick" keyword to the following four
rules.

> pass in on $ext_if inet proto tcp from any to $nat_cu port $tcp_services
> flags S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_cu port 34567:34575 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 6881:6999 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 993 flags S/SA
> synproxy state

If you have a lot of traffic on the following two rules, put them at the top
of the filter rules. Then they will be evaluated first and not the rest of the
rules. You might also consider adding them to 'set skip'.

> pass in quick on $int_if
> pass in quick on $wifi_if

Enlarging the buffer sizes for the BPF device might help as well;

sysctl net.bpf.bufsize=65536
sysctl net.bpf.maxbufsize=524288

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
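As an added example (not part of Roland's message or the FreeBSD project), a small POSIX shell script that ranks rules from 'pfctl -vvs rules' output by how often they actually matched, so the most-matched rules can be moved to the top of the ruleset and given 'quick'. The pfctl output embedded below is constructed for the demonstration; on a real box feed it 'pfctl -vvs rules' instead.

```shell
#!/bin/sh
# Rank pf rules by match count from `pfctl -vvs rules` output.
# Added example, not code from the original message.
# SAMPLE_RULES is CONSTRUCTED to mimic pfctl's "@N rule" line followed by
# its "[ Evaluations: N  Packets: N  Bytes: N  States: N ]" counter line.
SAMPLE_RULES='@0 block drop in log all label "inblock"
  [ Evaluations: 120000    Packets: 300       Bytes: 24000       States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 119700    Packets: 50000     Bytes: 60000000    States: 40    ]
  [ Inserted: uid 0 pid 1234 State Creations: 900   ]
@2 pass in quick on em0 all flags S/SA keep state
  [ Evaluations: 69700     Packets: 65000     Bytes: 90000000    States: 120   ]
  [ Inserted: uid 0 pid 1234 State Creations: 1500  ]'

# rank_rules: read pfctl -vvs output on stdin and print one line per rule:
#   <packets> <evaluations> <match ratio> @N <rule text>
# sorted so the most-matched rule comes first.  A rule with many
# evaluations but few packets is pure overhead for most traffic and is a
# candidate to move down, behind 'quick' rules that match the bulk of it.
rank_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        /Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            printf "%d %d %.3f %s\n", pk, ev, (ev ? pk / ev : 0), rule
        }
    ' | sort -rn -k1,1
}

# top_rule: the @N number of the most-matched rule, i.e. the first one to
# consider putting at the top of the filter rules with the 'quick' keyword.
top_rule() {
    rank_rules | head -n 1 | awk '{ print $4 }'
}

printf '%s\n' "$SAMPLE_RULES" | rank_rules
```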