From: Girish Venkatachalam <girishvenkatachalam@gmail.com>
To: freebsd-questions@freebsd.org
Cc: Erik Osterholm
Date: Tue, 13 Nov 2007 18:57:34 +0530
Subject: Re: PF, bridge, states and window scaling problem
Message-ID: <20071113132734.GA16728@saraswathy.susmita.org>
In-Reply-To: <20071113054220.GA74564@aleph.cepheid.org>
User-Agent: Mutt/1.5.12-2006-07-14

On 23:42:20 Nov 12, Erik Osterholm wrote:
> My understanding (and please correct me if I'm wrong) is that
> keeping state requires fragmented packet reassembly, which can break
> some applications.

You mean that you cannot support "broken applications" if you do
reassembly?

Packet reassembly happens if you use a scrub rule as well.

The main problem with fragmentation, leaving aside all performance and
security considerations, is that you cannot figure out anything useful
from the IP fragments. The headers simply lack enough information for
you to deduce anything.

Reassembly does have an overhead. You can perhaps mention a delay
involved in waiting for all fragments to arrive. But AFAIK it only
helps if you reassemble. Never hurts.

I am not aware of any breakage due to reassembly. (But I could be
ignorant.)

Now I specifically asked about scrub because scrub does a lot of other
things which might "correctly" break "broken applications." I just
wanted to give him enough rope.

Very likely scrub causes no harm. Neither would keeping state...
> Also, I've always followed the conventional wisdom
> that bridges shouldn't keep state. A posting from the maintainer
> supports this:
> http://lists.freebsd.org/pipermail/freebsd-pf/2005-September/001481.html
>
> Maybe this has changed--I'm not sure, but so far I haven't seen
> performance issues with pf and if_bridge without keeping state, so I
> haven't been worried about it.

I just read the post you linked. Thanks. :)

I would imagine that bridges would make things difficult for pf. I
have never worked with bridges, so I cannot comment. Sorry.

regards,
Girish
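The two options the thread compares, a scrub rule that reassembles fragments before filtering and a bridge rule set written with and without keep state, side by side in a pf.conf fragment. This is an added illustration, not a rule set posted by either participant; the interface names, the service port, the FreeBSD if_bridge sysctl names and the pre-OpenBSD-4.1 pf behaviour of rules being stateless unless "keep state" is given are assumptions about the poster's setup. The flags S/SA remark restates the standard pf.conf(5) guidance for keep-state rules rather than anything said in the thread.

```conf
# /etc/pf.conf -- added example, not from the thread.
# Assumed: em0 faces the outside, em1 the inside, both bridge members.
ext_if = "em0"
int_if = "em1"

# Assumed FreeBSD if_bridge sysctls: pf must see packets on the member
# interfaces for these rules to match bridged traffic at all:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

# Reassemble IP fragments before any filter rule runs. Only the first
# fragment carries the TCP/UDP header; without reassembly the later
# fragments cannot be matched on port or flags, which is the point made
# above about fragments "lacking enough information". A plain
# "scrub in all" additionally normalises TTL, DF bits, IP IDs, etc.,
# which is the extra behaviour that may upset fragile applications.
scrub in all fragment reassemble

block log all

# --- Variant A: stateless bridge rules (no "keep state") ---
# Each direction of the flow must be permitted explicitly, and no
# "flags" check is used because every packet, not just the SYN, has to
# match. Assumed: rules are stateless by default on this pf version.
pass in quick on $int_if proto tcp from any to any port 80
pass in quick on $ext_if proto tcp from any port 80 to any

# --- Variant B: stateful rule ---
# "flags S/SA" creates state only on the initial SYN, so pf observes the
# window-scale option during the handshake. State created mid-stream
# (a bridge that misses the SYN) leaves pf without the scaling factors,
# which is the window-scaling failure the subject line refers to.
# Return traffic is matched by the state entry, so one rule suffices.
# pass in quick on $int_if proto tcp from any to any port 80 flags S/SA keep state
```

Load either variant alone (uncomment one and comment the other), then check with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`; `pfctl -ss` shows whether variant B is actually creating entries for bridged flows, which it will only do when the SYN crosses a pfil-enabled member interface.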