From owner-freebsd-questions@FreeBSD.ORG Thu Feb 22 15:52:28 2007
Return-Path: 
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 34D3016A402 for ; Thu, 22 Feb 2007 15:52:28 +0000 (UTC) (envelope-from fbsd06@mlists.homeunix.com)
Received: from mxout-03.mxes.net (mxout-03.mxes.net [216.86.168.178]) by mx1.freebsd.org (Postfix) with ESMTP id 0D44913C4A3 for ; Thu, 22 Feb 2007 15:52:27 +0000 (UTC) (envelope-from fbsd06@mlists.homeunix.com)
Received: from gumby.homeunix.com (unknown [87.81.140.128]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTP id 8EF5C5190F for ; Thu, 22 Feb 2007 10:52:26 -0500 (EST)
Date: Thu, 22 Feb 2007 15:52:23 +0000
From: RW 
To: freebsd-questions@freebsd.org
Message-ID: <20070222155223.0dd15975@gumby.homeunix.com>
In-Reply-To: <20070222150418.GA3298@kobe.laptop>
References: <200702202021.55723.pablo.fernandez@rs.com.ar> <19861fba0702211038p3144271ey1e30cf67311678ef@mail.gmail.com> <20070222143030.0b858e86@gumby.homeunix.com> <20070222150418.GA3298@kobe.laptop>
X-Mailer: Claws Mail 2.7.2 (GTK+ 2.10.9; i386-portbld-freebsd6.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: PF slowing down file copies
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions 
X-List-Received-Date: Thu, 22 Feb 2007 15:52:28 -0000

On Thu, 22 Feb 2007 17:04:18 +0200
Giorgos Keramidas wrote:

> On 2007-02-22 14:30, RW wrote:
> > On Wed, 21 Feb 2007 19:38:39 +0100
> > J65nko wrote:
> > > For keeping state on TCP connections you should only create state
> > > on the first packet of the 3 way TCP handshake. Using "flags S/SA"
> > > will ensure this. This will prevent problems with TCP window
> > > scaling.
> >
> > Why? Creating a state entry causes subsequent packets, in the same
> > tcp connection, to bypass the rules altogether.
>
> Because a state entry is a rule by itself. A special 'rule', but
> still a rule. As such, each state-table entry requires a finite
> amount of resources. Conserving resources, whenever possible, is a
> good idea.
>
> Creating 10 packets for a connection whose 'traffic' requires 10 TCP
> segments to be transmitted, and 9000 state entries for a TCP
> connection whose data payload needs 9000 segments to be transmitted
> is kind of silly. Especially since it is entirely legal and easy to
> do the same thing with only 2 state entries (one for each connection).

The way PF works is that it first checks if there is a state entry matching the packet's address, port and protocol; if there is, the state entry is used to determine what is done with the packet. Only if there is no matching entry is the script used instead. As I already said, "Creating a state entry causes subsequent packets, in the same tcp connection, to bypass the rules altogether".

The point of testing for S/SA is to avoid creating long-lived state entries for illegal or out-of-sequence packets. The state created by S/SA has a very short lifetime. This conserves resources and protects against some DoS attacks.
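The two rule forms under discussion, side by side, as an added pf.conf fragment that is not from the thread or from any poster. The interface name em0, the port 22 and the single-service ruleset are assumptions for illustration; the timeout values shown are PF's documented defaults. The first rule is the weak form: with no flags given, whichever packet first matches the rule creates the state, so a mid-connection ACK from a session whose SYN PF never saw (a ruleset reload, an asymmetric path, a crafted packet) gets a state entry even though PF never learned the connection's window-scale option. The second rule only lets a SYN-without-ACK create state, so a state that never completes the handshake is dropped after tcp.first seconds instead of living for tcp.established.

```conf
# Added example, not from the original mailing-list post.
# Assumed names: external interface em0, SSH on port 22.
ext_if = "em0"

# PF defaults, written out so the lifetimes are visible:
#   tcp.first        a state created by a SYN that has not completed the
#                    handshake expires after 120 s
#   tcp.established  a state whose handshake completed lives 24 h idle
set timeout { tcp.first 120, tcp.established 86400 }

# Weak form: any TCP packet that reaches this rule creates state,
# including a bare ACK from a connection PF never saw the SYN of.
# That state carries no window-scale information, so later segments can
# be judged out-of-window and dropped.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Preferred form: only a packet with SYN set and ACK clear (the first
# packet of the three-way handshake) may create state. Mid-stream and
# malformed packets either match an existing state or fall through to
# the rest of the ruleset, where the default "block" policy applies.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# Default-deny for everything the rules above did not explicitly pass.
block in on $ext_if
```

Later PF releases made flags S/SA the default for TCP pass rules, so on a current system the first form behaves like the second unless the rule says flags any; on the PF of the era of this thread the flags had to be written explicitly. To confirm which states exist and what TCP state they are in, pfctl -ss lists the state table (a state that never completed the handshake shows as SYN_SENT:CLOSED rather than ESTABLISHED:ESTABLISHED), and pfctl -st prints the timeouts in force.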