From: Jacques Beigbeder <Jacques.Beigbeder@ens.fr>
To: freebsd-questions@freebsd.org
Date: Mon, 26 Feb 2007 19:18:52 +0100
Message-ID: <20070226181852.GA853@trefle.ens.fr>
Subject: DNS and mail servers behind a PF firewall?

Hello,

My question is related to PF performance with large state tables.

FreeBSD : 5.5
hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
hw.physmem: 2138378240 = 2 Gb

If I put a mail server behind the PF firewall, with:
  20 SMTP hits per second (thanks to spam...)
  15 seconds per SMTP dialog
  90 seconds for PF timeout tcp.close
the state table will have:
  20 * (90 + 15) * 2 ways = 5.000 entries

Since any mail generates a few DNS queries (reverse DNS, + DNSRBL queries), the state table will also get
  2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 (connections) = 12.000 entries

So I'll get around 20.000 entries, each of them with a short lifetime.

Question:
. is such a number a performance problem? It seems strange to constantly add and delete entries for DNS requests in the state table.
. or do I have to write rules to avoid all the (unnecessary??) entries?
  As far as I understand, beginning with
    pass in quick proto udp from a.b.c.d port 53 to any ...
  same for TCP/25 ... is the trick.

Thanks,
-- 
Jacques Beigbeder                    | Jacques.Beigbeder@ens.fr
Service de Prestations Informatiques | http://www.spi.ens.fr
Ecole normale supérieure             |
45 rue d'Ulm                         | Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05                | Fax : (+33 1)1 44 32 20 75
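The arithmetic in the post is Little's law: entries in the table settle at arrival rate times lifetime, where a pf state lives for the exchange plus the timeout pf applies afterwards (tcp.closed for TCP, udp.multiple for UDP). The following Python model is an added example written for this thread, not code from the post or from the pf project. It generalizes the post's calculation to any mix of flow classes, compares the result with pf's default `set limit states` of 10000, and shows what the two levers the post asks about (passing DNS without state, or lowering udp.multiple) do to the total. The `Flow` class, its field names and the sample figures (taken from the post, which rounds its own totals) are the example's assumptions; the "2 ways" factor is the post's assumption that each exchange holds one entry per direction.

```python
"""State-table sizing model for the post's question (added example, not from the post).

Little's law: a table whose entries arrive at rate r and live for time T holds about
r * T entries in steady state. A pf state lives for the exchange itself plus the
timeout pf applies afterwards (tcp.closed, udp.multiple; names and defaults per pf.conf(5)).
"""
from dataclasses import dataclass, replace
from typing import Iterable, List

# pf's default hard limit on state entries ("set limit states", pf.conf(5)).
PF_DEFAULT_STATE_LIMIT = 10000


@dataclass(frozen=True)
class Flow:
    name: str
    per_second: float         # new connections or queries per second
    dialog_seconds: float     # how long the exchange itself stays active
    timeout_seconds: float    # pf timeout that keeps the state after the exchange
    states_per_flow: int = 2  # the post counts one entry per direction ("2 ways")
    keep_state: bool = True   # False models a pass rule that creates no state

    def lifetime(self) -> float:
        return self.dialog_seconds + self.timeout_seconds

    def entries(self) -> float:
        """Steady-state entries this flow class contributes (Little's law)."""
        if not self.keep_state:
            return 0.0
        return self.per_second * self.lifetime() * self.states_per_flow


def total_entries(flows: Iterable[Flow]) -> float:
    return sum(f.entries() for f in flows)


def over_limit(flows: Iterable[Flow], limit: int = PF_DEFAULT_STATE_LIMIT) -> bool:
    """True when the modelled load exceeds the configured (or default) state limit."""
    return total_entries(flows) > limit


def by_contribution(flows: Iterable[Flow]) -> List[Flow]:
    """Flow classes ordered by how many entries they hold, largest first."""
    return sorted(flows, key=lambda f: f.entries(), reverse=True)


def stateless(flow: Flow) -> Flow:
    """The same traffic passed by a rule that does not keep state."""
    return replace(flow, keep_state=False)


def with_timeout(flow: Flow, seconds: float) -> Flow:
    """The same traffic with a different pf timeout (e.g. a lower udp.multiple)."""
    return replace(flow, timeout_seconds=seconds)


# Constructed from the figures in the post: 20 SMTP connections/s lasting 15 s each,
# tcp.closed at 90 s; 5 DNS queries per connection, udp.multiple at 60 s, and the
# post's simplification that the DNS exchange itself takes no time.
SMTP = Flow("smtp tcp/25", per_second=20, dialog_seconds=15, timeout_seconds=90)
DNS = Flow("dns udp/53", per_second=20 * 5, dialog_seconds=0, timeout_seconds=60)
POST_FLOWS = [SMTP, DNS]


if __name__ == "__main__":
    for f in by_contribution(POST_FLOWS):
        print(f"{f.name:12s} {f.entries():8.0f} entries")
    print(f"total {total_entries(POST_FLOWS):.0f}, over default limit: {over_limit(POST_FLOWS)}")
    # What the two levers the post asks about buy:
    print(f"DNS passed without state: {total_entries([SMTP, stateless(DNS)]):.0f}")
    print(f"DNS with udp.multiple 20s: {total_entries([SMTP, with_timeout(DNS, 20)]):.0f}")
```

The measured counterpart of this model is the "current entries" line of `pfctl -s info` on the running firewall; if it approaches the limit, either raise `set limit states` in pf.conf, shorten `set timeout udp.multiple` for the DNS traffic, or pass that traffic without state. One caveat on the last option: in the pf shipped with FreeBSD 5.5 a `pass` rule without `keep state` is stateless, as the post assumes, but the pf imported by later FreeBSD releases keeps state by default, and a stateless rule there must say `no state` explicitly.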