From: Roland Smith <rsmith@xs4all.nl>
To: David Warren
Cc: freebsd-stable@freebsd.org
Date: Tue, 6 Jul 2010 19:41:55 +0200
Subject: Re: 8.0 network problem
Message-ID: <20100706174155.GA56410@slackbox.erewhon.net>

On Tue, Jul 06, 2010 at 01:06:25AM -0500, David Warren wrote:
> Hi again,
>
> Disabling pf definitely makes samba file transfers move faster (the
> speed varies quite a bit, but everything's faster than the single kilobytes
> per second I was seeing previously), but I'm perplexed about what's causing
> the slowdown. There's certainly some cruft in my pf.conf (below), but I'm
> not sure what might be strangling my LAN. Can anyone set me straight?

In general, check which rules are matched most with 'pfctl -vvs rules|less'.
Put the rules that are matched most first in the ruleset, adding the 'quick'
keyword where possible. There is a FAQ on the OpenBSD site about pf, but it
pertains to a newer version than is available in FreeBSD!

> /etc/pf.conf:
> # macros
> int_if = "em0"
> wifi_if = "wlan0"
> ext_if = "nfe0"
>
> nat_opt = "192.168.0.5" # Windows box
> nat_cu = "192.168.0.1" # server
>
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

You might want to replace this by a table. It's supposed to be faster;

table <priv_nets> const { 127/8, 192.168/16, 172.16/12, 10/8 }

> # options

You could try and use ruleset optimization;

set ruleset-optimization profile

> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> # scrub
> scrub in
>
> # nat/rdr
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat on $ext_if from $wifi_if:network to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 22 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 6881:6999 -> $nat_opt
> rdr on $ext_if proto tcp from any to any port 34567:34575 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 993 -> $nat_opt
>
> # filter rules
> block in log

Try

block in log label "inblock"

Adding labels to your rules aids you in determining which ones are matched,
with 'pfctl -vvs labels'

> pass out keep state

I think keeping state is the default now.

> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
> flags S/SA keep state
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets

Use table syntax in combination with the table defined above;

block drop in quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>

> pass in inet proto icmp all icmp-type $icmp_types keep state

You might want to think about adding the "quick" keyword to the following four
rules.

> pass in on $ext_if inet proto tcp from any to $nat_cu port $tcp_services
> flags S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_cu port 34567:34575 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 6881:6999 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 993 flags S/SA
> synproxy state

If you have a lot of traffic on the following two rules, put them at the top
of the filter rules. Then they will be evaluated first and not the rest of the
rules. You might also consider adding them to 'set skip'.

> pass in quick on $int_if
> pass in quick on $wifi_if

Enlarging the buffer sizes for the BPF device might help as well;

sysctl net.bpf.bufsize=65536
sysctl net.bpf.maxbufsize=524288

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
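As an added example, not part of Roland's mail, here is a small POSIX shell helper for the check he recommends: it ranks the rules in 'pfctl -vvs rules' output by evaluation count, so the most-evaluated rules can be moved to the top with 'quick'. The pfctl output it parses is constructed here to mirror the quoted ruleset; the counters are made up.

```shell
#!/bin/sh
# Constructed sample of 'pfctl -vvs rules' output (not captured from a real
# host). Rule text follows the ruleset quoted in the mail; counters are invented.
SAMPLE_PFCTL_OUTPUT='@0 block drop in log all
  [ Evaluations: 184211    Packets: 1203      Bytes: 96240      States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 182995    Packets: 50211     Bytes: 61034500   States: 412   ]
  [ Inserted: uid 0 pid 1234 State Creations: 9021  ]
@2 pass in on em0 inet proto tcp from any to 192.168.0.5 port 993 flags S/SA synproxy state
  [ Evaluations: 120560    Packets: 0         Bytes: 0          States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@3 pass in quick on em0 all
  [ Evaluations: 120558    Packets: 3310231   Bytes: 4290018441 States: 87    ]
  [ Inserted: uid 0 pid 1234 State Creations: 5121  ]'

# rank_rules: read 'pfctl -vvs rules' output on stdin and emit one line per
# rule as "<evaluations>TAB<packets>TAB<rule text>", most-evaluated first.
# A rule line starts with "@<n> "; its counters follow on the next line.
rank_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; sub(/^@[0-9]+ /, "", rule); next }
        /^ *\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            printf "%s\t%s\t%s\n", ev, pk, rule
        }
    ' | sort -k1,1nr
}

# top_rule: text of the rule pf evaluates most often; the first candidate to
# move up the ruleset with 'quick' if it also matches a lot of traffic.
top_rule() {
    printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | rank_rules | head -n 1 | cut -f3
}

# never_matched: rules that pf keeps evaluating but that never matched a
# packet; they cost a lookup per packet for no effect and are worth reviewing.
never_matched() {
    printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | rank_rules | awk -F '\t' '$2 == 0 { print $3 }'
}

printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | rank_rules
```

On a live FreeBSD box, replace the sample with `pfctl -vvs rules | rank_rules`, which needs root.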