Date: Fri, 31 Mar 2006 08:57:54 +0100 From: "Greg Hennessy" <Greg.Hennessy@nviz.net> To: "'Christopher McGee'" <chris@xecu.net>, <freebsd-pf@freebsd.org> Subject: RE: Traffic mysteriously dropping Message-ID: <000401c65498$d14b8f30$0a00a8c0@thebeast> In-Reply-To: <442CD97B.2050103@xecu.net>
> These 2 problems are making pf virtually unusable for our
> firewall needs. Hopefully there is a fix for them.
>

Have you tried enabling polling with ifconfig on all the em interfaces?

I have recently installed a PF system on 6.1 prerelease with 4 * em + 2 * bge & 80-odd rules; it's not sweating @ ~600 meg/sec being thrown at it. That's with ALTQ compiled in but not used in the policy at present.

Unless you are using synproxy, I would suggest getting rid of set state-policy if-bound and sticking with the default of floating.

Are all your stateful tcp rules using flags S/SA to establish state?

Are you running out of state table entries? The default is 10k; tracking it with pfctl -si will tell you.

With nearly 400 firewall rules, I would suggest that there's scope for reviewing order and the judicious use of quick to trim the policy into something more manageable.

Greg
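The checks Greg suggests (state-table headroom via pfctl, and whether every stateful TCP rule pins flags S/SA) as an added shell example. This is not code from the thread or from the pf project; the pfctl output and the pf.conf fragment are constructed samples resembling FreeBSD 6.x formats, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the points raised
# above. The pfctl output and pf.conf below are constructed samples.

# Current state-table entries from `pfctl -si` output read on stdin.
pf_current_states() {
    awk '/current entries/ { print $3; exit }'
}

# Hard limit on states from `pfctl -sm` output read on stdin.
pf_state_limit() {
    awk '$1 == "states" && /hard limit/ { print $NF; exit }'
}

# Integer percentage of the state table in use; fails on a zero limit.
pf_state_pct() {
    cur="$1"; lim="$2"
    [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# Print stateful TCP pass rules that do not pin flags (no "flags S/SA"),
# i.e. rules that will create state from any segment, not only a SYN.
pf_tcp_rules_without_flags() {
    awk '/^ *pass/ && /proto tcp/ && /keep state/ && !/flags/'
}

# --- constructed samples, resembling FreeBSD 6.x pfctl output ---
SAMPLE_SI='Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                     9742
  searches                       114258811         431.9/s
  inserts                          2039311           7.7/s
  removals                         2029569           7.7/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Constructed pf.conf fragment: floating states, a raised state limit,
# quick on the ordered rules, and one TCP rule that forgot flags S/SA.
SAMPLE_CONF='ext_if = "em0"
set state-policy floating
set limit states 50000
pass in quick on $ext_if proto tcp to 192.0.2.10 port 80 flags S/SA keep state
pass in quick on $ext_if proto tcp to 192.0.2.11 port 25 keep state
block in quick on $ext_if'

# Demo against the samples when run directly.
cur=$(printf '%s\n' "$SAMPLE_SI" | pf_current_states)
lim=$(printf '%s\n' "$SAMPLE_SM" | pf_state_limit)
echo "states in use: $cur / $lim ($(pf_state_pct "$cur" "$lim")%)"
echo "stateful tcp rules without flags:"
printf '%s\n' "$SAMPLE_CONF" | pf_tcp_rules_without_flags
```

On a live box, replace the samples with `pfctl -si | pf_current_states`, `pfctl -sm | pf_state_limit` and `pf_tcp_rules_without_flags < /etc/pf.conf`. The sample shows 97% of the default 10k states in use, which is the situation where raising `set limit states` matters; the port-25 rule is the kind the flags S/SA question is aimed at.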