From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: Erich Weiler
Cc: freebsd-net@freebsd.org
Subject: Re: pf performance?
Date: Fri, 26 Apr 2013 19:49:59 +0200
Message-Id: <201304261949.59317.vegeta@tuxpowered.net>
In-Reply-To: <5179B3BB.3070101@soe.ucsc.edu>
References: <5176E5C1.9090601@soe.ucsc.edu> <201304260021.11209.vegeta@tuxpowered.net> <5179B3BB.3070101@soe.ucsc.edu>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Friday, 26 April 2013 at 00:52:43, Erich Weiler wrote:
> > How many pf rules do you have? And, as I asked in my previous post, do
> > you create states on both sides of the firewall?
>
> One interface has 12 rules and the other interface has one rule. We
> do create states on both sides.

That's not too many rules, but are you sure you also create states for
"postrouting" traffic? When you do "pass (quick) in on $public some other
conditions", you also should have a general "pass quick out on $internal" (and
vice versa), as close to the top of pf.conf, of course unless you need separate
pre and post routing pf filtering rules.

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net   |
| Vegeta                 | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
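The rule layout Kajetan describes, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from either poster; the interface names, macros and the internal network are assumptions chosen for illustration.

```pf
# Added example (not from the thread). Interface names and the internal
# network below are assumed values for illustration only.
ext_if  = "em0"            # the "$public" interface in the thread
int_if  = "em1"            # the "$internal" interface in the thread
int_net = "192.0.2.0/24"   # assumed internal network

set skip on lo0

# Near the top: create state for the outbound (post-routing) leg on both
# interfaces. A forwarded packet that was already admitted by a "pass in"
# rule on one interface then matches state here instead of being evaluated
# against the whole ruleset a second time on its way out. "quick" stops
# evaluation at the first match. This only makes sense if you do not need
# separate post-routing filtering, which is the caveat in the message above.
pass quick out on $int_if keep state
pass quick out on $ext_if keep state

# Default deny for inbound traffic on every interface (last match wins for
# rules without "quick", so the "pass in quick" rules below override this).
block in log

# Inbound (pre-routing) policy on the public side: one state per connection,
# so only the first packet of a flow is evaluated against these rules.
pass in quick on $ext_if proto tcp from any to $int_net port { 80 443 } keep state

# Inbound policy on the internal side.
pass in quick on $int_if from $int_net to any keep state
```

To verify that the outbound legs are really being handled by state rather than by rule evaluation, load the ruleset and compare the per-rule counters from `pfctl -vsr`: the `pass quick out` rules should show a small number of evaluations relative to packets once states exist, and `pfctl -si` shows the state-table search and insert counters growing as traffic flows.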