Date:      Mon, 26 Feb 2007 21:52:43 +0100
From:      J65nko <j65nko@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: DNS and mail servers behind a PF firewall?
Message-ID:  <19861fba0702261252n20edcabcs968bce7b576c39df@mail.gmail.com>
In-Reply-To: <20070226181852.GA853@trefle.ens.fr>
References:  <20070226181852.GA853@trefle.ens.fr>

On 2/26/07, Jacques Beigbeder <Jacques.Beigbeder@ens.fr> wrote:
> Hello,
>
> My question is related to PF performances with large state tables.
> FreeBSD : 5.5
> hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
> hw.physmem: 2138378240 = 2 Gb
>
> If I put a mail server
>         20 SMTP hits per second (thanks to spam...)
>         15 seconds per SMTP dialog
>         90 seconds for PF timeout tcp.close
> the state table will have:
>         20 * (90 + 15) * 2 ways = 5.000 entries
>
> Since any mail generates a few DNS queries (reverse DNS,
> + DNSRBL queries), the state table will also get
>         2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 (connections)
>         = 12.000 entries
>
> So I'll get around 20.000 entries, each of them has a short lifetime.
>
> Question:
> . is such a number a performance problem?
>   It seems strange to constantly add and delete entries for DNS
>   requests in the state table?
> . or do I have to write rules to avoid all the (unnecessary??)
>   entries? As far as I understand, beginning with
>         pass in quick proto udp from a.b.c.d port 53 to any
>         ... same for TCP/25 ...
>   is the trick.
>
[snip]

Yes, keeping state on DNS traffic is quite expensive ;) This is
mentioned in the series of 3 articles by the architect of pf, Daniel
Hartmeier, at undeadly.org

http://undeadly.org/cgi?action=article&sid=20060927091645&mode=expanded
http://undeadly.org/cgi?action=article&sid=20060928081238&mode=expanded
http://undeadly.org/cgi?action=article&sid=20060929080943&mode=expanded

Try whether just passing quick port 53 traffic without keeping state has a
measurable positive impact.

Or you could install a small, not resource-hungry caching nameserver
like Bernstein's dnscache, which will save a lot of DNS and RBL
traffic.

Most of the time, however, Perl-based virus scanning is the cause of
lower than expected performance of a mail server.

=Adriaan=
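The following pf.conf sketch illustrates the stateless-DNS approach discussed in this thread. It is an added example, not configuration posted by either participant. The interface name, the mail server and resolver addresses, and the chosen state limit are assumptions; the timeout values are pf's defaults and match the figures used in the question.

```pf
# Added example for the thread above; addresses, interface and limits are assumptions.
ext_if   = "em0"
mailhost = "192.0.2.25"        # mail server behind the firewall (assumed)

# pf's default 'set limit states' is 10000. The question estimates roughly
# 20000 short-lived entries, which would exhaust the default and make pf
# drop new connections, so raise it explicitly.
set limit states 50000

# Defaults shown for reference (tcp.closed 90, udp.single 30, udp.multiple 60).
# Lowering them shrinks the table but drops late return packets sooner.
set timeout { tcp.closed 90, udp.single 30, udp.multiple 60 }

block log all

# DNS: pass both directions WITHOUT state so resolver and RBL lookups never
# enter the state table. On the pf shipped with FreeBSD 5.x (OpenBSD 3.x
# lineage) a rule without "keep state" is already stateless; on newer pf
# (OpenBSD 4.1+, FreeBSD 7+) state is the default and "no state" must be
# appended to each of these two rules.
pass out quick on $ext_if proto udp from $mailhost port > 1023 to any port 53
pass in  quick on $ext_if proto udp from any port 53 to $mailhost port > 1023
# Caveat: a stateless inbound rule admits ANY packet whose source port is 53
# and whose destination is an unprivileged port on $mailhost, whether or not
# a query was sent. Keep the destination constrained and make sure no other
# UDP service listens on $mailhost above 1023, or bind the resolver to a
# fixed query port and narrow the rule to it.

# SMTP: keep state (the return direction needs it), but create state only on
# the initial SYN so stray ACK/RST packets from spam sources do not allocate
# entries; tcp.closed above lets finished dialogues expire after 90 s.
pass in  quick on $ext_if proto tcp from any to $mailhost port 25 flags S/SA keep state
pass out quick on $ext_if proto tcp from $mailhost to any port 25 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -si` (state table counters, including inserts and removals per second) and `pfctl -ss | wc -l` before and after the change to see whether the DNS entries actually disappear from the table.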



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19861fba0702261252n20edcabcs968bce7b576c39df>