From: J65nko <j65nko@gmail.com>
To: freebsd-questions@freebsd.org
Date: Mon, 26 Feb 2007 21:52:43 +0100
Subject: Re: DNS and mail servers behind a PF firewall?
In-Reply-To: <20070226181852.GA853@trefle.ens.fr>
Message-ID: <19861fba0702261252n20edcabcs968bce7b576c39df@mail.gmail.com>

On 2/26/07, Jacques Beigbeder wrote:
> Hello,
>
> My question is related to PF performance with large state tables.
> FreeBSD : 5.5
> hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
> hw.physmem: 2138378240 = 2 Gb
>
> If I put a mail server
> 20 SMTP hits per second (thanks to spam...)
> 15 seconds per SMTP dialog
> 90 seconds for PF timeout tcp.close
> the state table will have:
> 20 * (90 + 15) * 2 ways = 5.000 entries
>
> Since any mail generates a few DNS queries (reverse DNS,
> + DNSRBL queries), the state table will also get
> 2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 (connections)
> = 12.000 entries
>
> So I'll get around 20.000 entries, each of them with a short lifetime.
>
> Question:
> . is such a number a performance problem?
> It seems strange to constantly add and delete entries for DNS
> requests in the state table?
> . or do I have to write rules to avoid all the (unnecessary??)
> entries? As far as I understand, beginning with
> pass in quick proto udp from a.b.c.d port 53 to any
> ... same for TCP/25 ...
> is the trick.
> [snip]

Yes, keeping state on DNS traffic is quite expensive ;)

This is mentioned in the series of 3 articles by the architect of pf, Daniel Hartmeier, at undeadly.org:

http://undeadly.org/cgi?action=article&sid=20060927091645&mode=expanded
http://undeadly.org/cgi?action=article&sid=20060928081238&mode=expanded
http://undeadly.org/cgi?action=article&sid=20060929080943&mode=expanded

Try whether just passing quick port 53 traffic without keeping state has a measurable positive impact.
Or you could install a small, not resource-hungry caching nameserver like Bernstein's dnscache, which will save a lot of DNS and RBL traffic.

Most of the time, however, perl-based virus scanning is the cause of less-than-expected performance of a mail server.

=Adriaan=
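The stateless-DNS rules the thread talks about, written out as an added pf.conf example (this is editor-supplied illustration, not configuration from either poster). It assumes the pf that ships with FreeBSD 5.5 (OpenBSD 3.7 syntax, where a pass rule without `keep state` is stateless), an external interface `em0`, a mail host `192.0.2.25` and a local resolver `192.0.2.53`; all of those names and addresses are placeholders.

```pf
# Added example; not from the original thread. Interface, addresses and the
# state limit below are assumptions chosen to match the numbers in the post.
ext_if   = "em0"
mailhost = "192.0.2.25"
resolver = "192.0.2.53"

# Headroom above the ~20,000 concurrent entries estimated in the question;
# pf silently drops new connections once the limit is reached.
set limit states 50000

# Shorten the UDP timeouts instead of (or as well as) going stateless:
# udp.multiple is the 60 s the poster used in his estimate.
set timeout { udp.first 30, udp.multiple 30 }

# --- Stateful DNS (the costly variant the question describes) -------------
# Every query/answer pair creates a state entry that lingers for
# udp.multiple seconds after the last packet, so ~100 queries/s at 60 s
# gives ~6,000 live entries for DNS alone.
#pass out quick on $ext_if proto udp from $resolver to any port 53 keep state

# --- Stateless DNS (the alternative being tested) -------------------------
# No state entry, but the reply now needs its own rule, since there is no
# state to match it against.  Keep the return rule as narrow as possible:
# it admits any UDP packet with source port 53, so restrict it to the
# resolver instead of "to any".
pass out quick on $ext_if proto udp from $resolver to any port 53
pass in  quick on $ext_if proto udp from any port 53 to $resolver

# --- SMTP stays stateful --------------------------------------------------
# A stateless TCP rule set would need a blanket "from any port 25" return
# rule that also accepts unsolicited packets; for TCP, state is worth it.
pass in  quick on $ext_if proto tcp from any to $mailhost port 25 flags S/SA keep state
pass out quick on $ext_if proto tcp from $mailhost to any port 25 flags S/SA keep state

block in log on $ext_if
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then watch `pfctl -si` ("current entries") and `pfctl -ss | wc -l` before and after switching the DNS rules, so the comparison rests on the actual state count rather than the estimate. One caveat when reusing this on a newer FreeBSD: from the pf version imported with FreeBSD 7.0 (OpenBSD 4.1) onward, `keep state` is the default on every pass rule, so the two DNS rules above must carry an explicit `no state` to remain stateless.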