From: "Pat Maddox" <pergesu@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 5 Jul 2007 03:22:35 -0600
Subject: Losing connections/performance with PF turned on
List-Id: Technical discussion and general questions about packet filter (pf)

We're doing some stress testing on our server, and noticed that when we turn PF on, we lose connections and have a drastic reduction in performance.

We used SIEGE for 120 seconds, 50 connections, on req/conn

Firewall On:
  Num Users:         50
  Availability:      97.23 %
  Transaction rate:  58.02 trans/sec
  Concurrency:       3.80
  Successful:        6994
  Failed:            198
  Longest Req:       9.06s

Firewall Off:
  Num Users:         50
  Availability:      100 %
  Transaction rate:  94.62 trans/sec
  Concurrency:       1.76
  Successful:        11342
  Failed:            0
  Longest Req:       0.51s

You'll notice that with the firewall off, we don't lose any connections. We also have a 60% increase in tx/sec, and the longest request takes 1/20 of the time.

I've included my complete pf.conf file, hopefully something will jump out at someone.

Thanks,
Pat

# ------- pf.conf skeleton for server
#
# --------------- MACRO Section -----------------
EXT_IF = "em0"
PING = "echoreq"

# --- allowed incoming services initiated by clients
TCP_IN = "{ http, 8080, nrpe }"
#UDP_IN = "{ }"
SSH_IN = "{ xxx.xxx.xxx.xxx }"

# --- allowed services initiated by server
TCP_OUT = "{ ssh, smtp, domain, ntp, 3690, 2222, http, ftp, 29125 }"
UDP_OUT = "{ domain, ntp }"
ORIGINS = "{ xxx.xxx.xxx.xxx }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF
set block-policy return

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
antispoof for $EXT_IF

# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section
# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# --- BRUTE FORCE TABLE
# The table name was lost in the list archive (angle brackets stripped);
# <bruteforce> is an assumed name and must match the overload option below.
table <bruteforce> persist
block quick from <bruteforce>

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# Allow postgres connection from db server
pass in quick on $EXT_IF inet proto tcp from xxx.xxx.xxx.xxx to $EXT_IF port 5432 flags S/SA keep state

# --- SSH with brute force blocking
# (ssh is TCP only; flags and max-src-conn* do not apply to udp, so proto udp was dropped here)
pass in quick on $EXT_IF inet proto tcp from any to $SSH_IN port ssh flags S/SA keep state (max-src-conn 25, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# Allow postgres connection to db server
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to xxx.xxx.xxx.xxx port 5432 flags S/SA keep state

# Allow any connection to uploaders
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to $ORIGINS flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf
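Every rule above carries `keep state`, so each siege connection occupies an entry in pf's state table (10000 entries by default) until its TCP close timeout expires; once the table is full pf refuses new states and the `memory` counter in `pfctl -si` climbs, which is the first thing to rule out when connections fail only with the firewall on. The script below is an added check, not part of Pat's message: it parses constructed samples of `pfctl -si` and `pfctl -sm` output and reports whether the table is near its limit or has already dropped states; on a real box feed it the live output instead.

```shell
#!/bin/sh
# Added example: spot state-table exhaustion from pfctl output.
# Both samples are CONSTRUCTED, not output from the poster's server.
PF_INFO='State Table                          Total             Rate
  current entries                     9873
  searches                         1234567          152.3/s
  inserts                            45678            5.6/s
  removals                           35811            4.4/s
Counters
  match                              45890            5.6/s
  memory                               198            0.0/s
  state-limit                            0            0.0/s'

PF_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# $1 = text of `pfctl -si`, $2 = text of `pfctl -sm`.
# Echoes: "<current entries> <state limit> <memory drops> <state-limit drops>"
pf_state_usage() {
  cur=$(printf '%s\n' "$1" | awk '/^ *current entries/ {print $3}')
  mem=$(printf '%s\n' "$1" | awk '/^ *memory / {print $2}')
  slim=$(printf '%s\n' "$1" | awk '/^ *state-limit / {print $2}')
  lim=$(printf '%s\n' "$2" | awk '/^states / {print $4}')
  echo "${cur:-0} ${lim:-10000} ${mem:-0} ${slim:-0}"   # 10000 is pf's default
}

# Returns 0 when the table looks healthy, 1 when it is 90% full or pf has
# already refused states (nonzero memory or state-limit counters).
pf_states_ok() {
  set -- $(pf_state_usage "$1" "$2")
  cur=$1; lim=$2; mem=$3; slim=$4
  pct=$((cur * 100 / lim))
  echo "states: $cur / $lim (${pct}%), memory drops: $mem, state-limit drops: $slim"
  [ "$pct" -lt 90 ] && [ "$mem" -eq 0 ] && [ "$slim" -eq 0 ]
}

pf_states_ok "$PF_INFO" "$PF_LIMITS" ||
  echo "state table under pressure: consider 'set limit states' or shorter tcp timeouts"
```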