From: Pat Maddox (pergesu@gmail.com)
To: freebsd-questions@freebsd.org
Date: Tue, 3 Jul 2007 14:33:59 -0600
Subject: Losing connections/performance with PF turned on
We're doing some stress testing on our server, and noticed that when we turn PF on, we lose connections and have a drastic reduction in performance.

We used SIEGE for 120 seconds, 50 connections, on req/conn

Firewall On:
  Num Users:        50
  Availability:     97.23 %
  Transaction rate: 58.02 trans/sec
  Concurrency:      3.80
  Successful:       6994
  Failed:           198
  Longest Req:      9.06s

Firewall Off:
  Num Users:        50
  Availability:     100 %
  Transaction rate: 94.62 trans/sec
  Concurrency:      1.76
  Successful:       11342
  Failed:           0
  Longest Req:      0.51s

You'll notice that with the firewall off, we don't lose any connections. We also have a 60% increase in tx/sec, and the longest request takes 1/20 of the time.

I've included my complete pf.conf file, hopefully something will jump out at someone.

Thanks,
Pat

# ------- pf.conf skeleton for server
#
# --------------- MACRO Section -----------------
EXT_IF="em0"
PING = "echoreq"

# --- allowed incoming services initiated by clients
TCP_IN = "{ http, 8080, nrpe }"
#UDP_IN = "{ }"
SSH_IN = "{ xxx.xxx.xxx.xxx }"

# --- allowed services initiated by server
TCP_OUT = "{ ssh, smtp, domain, ntp, 3690, 2222, http, ftp, 29125 }"
UDP_OUT = "{ domain, ntp }"
ORIGINS = "{ xxx.xxx.xxx.xxx }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF
set block-policy return

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
antispoof for $EXT_IF

# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section
# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# --- BRUTE FORCE TABLE
# The table name between angle brackets was lost when the message was
# archived; <bruteforce> is an assumed placeholder used consistently below.
table <bruteforce> persist
block quick from <bruteforce>

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# Allow postgres connection from db server
pass in quick on $EXT_IF inet proto tcp from xxx.xxx.xxx.xxx to $EXT_IF port 5432 flags S/SA keep state

# --- SSH with brute force blocking
# proto tcp only: "flags" and the max-src-conn* options apply to TCP, so the
# original "proto { tcp, udp }" form does not load with these options.
pass in quick on $EXT_IF inet proto tcp from any to $SSH_IN port ssh flags S/SA keep state (max-src-conn 25, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# Allow postgres connection to db server
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to xxx.xxx.xxx.xxx port 5432 flags S/SA keep state

# Allow any connection to uploaders
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to $ORIGINS flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf
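Every rule above is stateful, so one check worth making while siege runs is whether pf's state table or source-tracking limits are being hit (the default `states` hard limit is 10000): a full table rejects new connections, which shows up as failed requests. This added example, not part of Pat's post, parses constructed `pfctl -si` and `pfctl -sm` output (layout as in FreeBSD 6/7-era pf; the numbers are made up) and reports a nearly full state table and non-zero drop counters.

```python
import re

# Constructed sample of `pfctl -si` output (not from the post); only the
# "State Table" block and the counters relevant to dropped connections are kept.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 0 days 00:02:10           Debug: Urgent

State Table                          Total             Rate
  current entries                     9987
  searches                          612345         4710.3/s
  inserts                            23110          177.8/s
  removals                           13123          100.9/s
Counters
  match                              23341          179.5/s
  memory                               231            1.8/s
  congestion                             0            0.0/s
  state-mismatch                        17            0.1/s
  state-limit                          198            1.5/s
  src-limit                              0            0.0/s
"""

# Constructed sample of `pfctl -sm` output: the hard limits pf enforces.
SAMPLE_PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
"""

def parse_counters(si_text):
    """Return {name: total} for each indented 'name  total  rate' line."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s{2}([a-z-]+(?: entries)?)\s+(\d+)", si_text, re.M)}

def parse_limits(sm_text):
    """Return {resource: hard_limit} from pfctl -sm output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\S+)\s+hard limit\s+(\d+)", sm_text, re.M)}

def state_table_findings(si_text, sm_text, headroom=0.9):
    """List the conditions under which pf refuses or drops connections under load."""
    c, lim = parse_counters(si_text), parse_limits(sm_text)
    findings = []
    usage = c.get("current entries", 0) / lim["states"]
    if usage >= headroom:
        findings.append("state table at %.0f%% of hard limit %d" % (usage * 100, lim["states"]))
    # state-limit/memory: new states refused; src-limit: max-src-conn* tripped;
    # state-mismatch: packets that no longer match an existing state.
    for name in ("state-limit", "memory", "src-limit", "state-mismatch", "congestion"):
        if c.get(name, 0):
            findings.append("%s counter is non-zero (%d)" % (name, c[name]))
    return findings
```

Run it against live output (`pfctl -si` and `pfctl -sm` captured during the siege run); if the state table is the bottleneck, `set limit states` and the TCP state timeouts are the knobs to look at before the rules themselves.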