From: "Anders N." <wicked@baot.se>
Date: Fri, 9 Nov 2012 05:40:16 +0000
To: freebsd-pf@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: pf synproxy slowdown
Message-ID: <20121109054016.GA76137@baot.se>

Hi.

I've got a server running pf that has been displaying some odd (at least to me) behavior. I use the "synproxy state"[1] option quite a few times in my config without any ill effects that I've noticed until now. I realized it was on every open port except for ssh, so I added it to my ssh line:

    pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state

After doing so, scp/sftp/rsync have all slowed down to a crawl! I get ~1/4th the speed I usually do from the server with it enabled there. Remove it, and speed goes back to normal. I'm using synproxy state with some other services that send large amounts of data very quickly (http, torrents, etc.) and none of them exhibit this slowdown, so I'm wondering why scp is so slow with it.
Here's the rest of my pf.conf, if it matters:

    ext_if = "bge0"

    set block-policy drop
    scrub in all

    block in all
    block in quick on $ext_if from any to 255.255.255.255
    pass out on $ext_if from any to any
    pass out keep state

    set skip on lo0

    block in quick from urpf-failed
    antispoof quick for $ext_if
    block in from no-route to any

    block drop in log (all) quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 } to any
    block drop out log (all) quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 }

    block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
    block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
    block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
    block in quick on $ext_if proto tcp flags /WEUAPRSF
    block in quick on $ext_if proto tcp flags SR/SR
    block in quick on $ext_if proto tcp flags SF/SF

    pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state
    pass in on $ext_if proto tcp from any to $IP port 80 flags S/SA synproxy state
    pass in on $ext_if proto tcp from any to $IP port 9999 flags S/SA synproxy state

I'm not on the list, so please CC me if it's not too much trouble.

[1] http://www.openbsd.org/faq/pf/filter.html