Date: Mon, 12 Nov 2007 23:42:20 -0600
From: Erik Osterholm <freebsd-lists-erik@erikosterholm.org>
To: freebsd-questions@freebsd.org
Subject: Re: PF, bridge, states and window scaling problem
Message-ID: <20071113054220.GA74564@aleph.cepheid.org>
In-Reply-To: <20071113022053.GA17768@saraswathy.susmita.org>
References: <669132de0711121208n32bfb827p4984c6d3383da713@mail.gmail.com> <20071113022053.GA17768@saraswathy.susmita.org>

On Tue, Nov 13, 2007 at 07:50:53AM +0530, Girish Venkatachalam wrote:
> On 22:08:03 Nov 12, Alupului Costin wrote:
> > I seem to have quite a problem with PF. I have set up a bridge to
> > shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
> > not really important. My problem comes with the filter rules. I have
> > to use keep state because of the speed benefits (really I don't have a
> > choice),
>
> One should always keep state.

<...>

> > Oh, here is the setup of the bridge from rc.conf, although there
> > shouldn't be any problems there (the bridge works fine without pf, or
> > with pf stateless):
>
> Stateful filtering is always recommended. Performance is not the only
> reason why you should use it.
>
> It also adds to security. Have you tried disabling normalization/scrub?
>
> Best,
> Girish

My understanding (and please correct me if I'm wrong) is that keeping
state requires fragmented packet reassembly, which can break some
applications.

Also, I've always followed the conventional wisdom that bridges
shouldn't keep state. A posting from the maintainer supports this:
http://lists.freebsd.org/pipermail/freebsd-pf/2005-September/001481.html

Maybe this has changed--I'm not sure, but so far I haven't seen
performance issues with pf and if_bridge without keeping state, so I
haven't been worried about it.

Erik
