From: Erik Osterholm
To: freebsd-questions@freebsd.org
Date: Mon, 12 Nov 2007 23:42:20 -0600
Subject: Re: PF, bridge, states and window scaling problem
Message-ID: <20071113054220.GA74564@aleph.cepheid.org>
In-Reply-To: <20071113022053.GA17768@saraswathy.susmita.org>
References: <669132de0711121208n32bfb827p4984c6d3383da713@mail.gmail.com> <20071113022053.GA17768@saraswathy.susmita.org>

On Tue, Nov 13, 2007 at 07:50:53AM +0530, Girish Venkatachalam wrote:
> On 22:08:03 Nov 12, Alupului Costin wrote:
> > I seem to have quite a problem with PF. I have set up a bridge to
> > shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
> > not really important. My problem comes with the filter rules. I have
> > to use keep state because of the speed benefits (really I don't have a
> > choice),
>
> One should always keep state.
<...>
> > Oh, here is the setup of the bridge from rc.conf, although there
> > shouldn't be any problems there (the bridge works fine without pf, or
> > with pf stateless):
>
> Stateful filtering is always recommended. Performance is not the only
> reason why you should use it.
>
> It also adds to security. Have you tried disabling normalization/scrub?
>
> Best,
> Girish

My understanding (and please correct me if I'm wrong) is that keeping
state requires fragmented packet reassembly, which can break some
applications.

Also, I've always followed the conventional wisdom that bridges
shouldn't keep state. A posting from the maintainer supports this:

http://lists.freebsd.org/pipermail/freebsd-pf/2005-September/001481.html

Maybe this has changed--I'm not sure, but so far I haven't seen
performance issues with pf and if_bridge without keeping state, so I
haven't been worried about it.

Erik
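As an added illustration, not configuration from Erik's, Girish's or Costin's messages: a pf.conf sketch for the kind of shaping bridge the thread discusses, showing the fully stateful layout it reports trouble with beside a one-member stateful layout and the stateless layout Erik describes. Interface names (em0, em1), the 10Mb link, queue names and percentages are assumptions.

```pf
# Added example, not from any message in this thread: a pf.conf sketch for
# a two-port transparent shaping bridge (if_bridge). Interface names, the
# 10Mb link, queue names and percentages are assumptions. It assumes rc.conf
# creates bridge0 with em0 (LAN side) and em1 (upstream side) as members and
# that pf evaluates frames on the member interfaces rather than on bridge0:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0
int_if = "em0"
ext_if = "em1"

# Bind states to the interface they were created on, so a frame is only
# matched against state once even though the bridge shows it to pf twice.
set state-policy if-bound

# Normalization. Girish asks whether the problem persists with this removed.
scrub in all

# ALTQ hfsc shaping on the upstream member (the "shape my upstream" part).
altq on $ext_if hfsc bandwidth 10Mb queue { q_pri, q_bulk }
queue q_pri  bandwidth 20% hfsc(realtime 20%)
queue q_bulk bandwidth 80% hfsc(default)

# Layout 1 (the one the thread reports trouble with): keep state on both
# members. Every frame is evaluated twice (in on one member, out on the
# other), and a state created from a packet other than the SYN never learns
# the window scale factor that pf's sequence-window checks rely on.
# pass on { $int_if, $ext_if } proto tcp all keep state

# Layout 2: track state on one member only, and only from the initial SYN
# (flags S/SA) so the window-scaling option is seen. Everything else,
# including the second pass over the other member, is stateless.
pass quick on $int_if proto tcp all flags S/SA keep state
pass on $int_if all no state
pass in  on $ext_if all no state
pass out on $ext_if all no state queue q_bulk

# Layout 3 (what Erik describes running): no state anywhere on the bridge.
# pass on { $int_if, $ext_if } all no state
# pass out on $ext_if all no state queue q_bulk
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows which member interface each state is bound to.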