pf slows down the network

Predrag Punosevac punosevac72 at gmail.com
Wed Jun 25 23:05:37 PDT 2014


Zachary Crownover <zachary.crownover at gmail.com> wrote:

> Are you able to post your pf.conf? It could be the way you have it
> configured, because I'm using it in numerous systems and don't see any
> degradation in network performance.
> 

Here it is. I had a very hard time recalling the pre-4.5 syntax :)

ext_if="em0"

# defined but not referenced by any rule below
NoRouteIPs="{127.0.0.0/8, 240.0.0.0/4, 0.0.0.0/8, 169.254.0.0/16}"
table <bruteforce> persist
table <sshguard> persist

tcp_services = "{ssh, http, https, submission, 8080}"
udp_services = "{domain, ntp}"

# options
set limit states 100000
set block-policy return
set optimization normal
set loginterface egress
set skip on lo

# normalize all incoming packets
scrub in all

# filter rules: default deny, then drop hosts that landed in the overload
# table or were flagged by sshguard
block all
block quick from <bruteforce>
block in quick on egress proto tcp from <sshguard> \
        to any port ssh label "ssh bruteforce"

antispoof quick for { lo }

# strict reverse-path check, and keep X11 off the wire
block drop in quick from urpf-failed to any
block in on ! lo0 proto tcp to port 6000:6010

# outbound services; "keep state" is a continuation of the tcp rule and
# needs the trailing backslash, otherwise pfctl rejects the ruleset
pass out on $ext_if inet proto tcp from any to any port $tcp_services \
    keep state
pass out on $ext_if inet proto udp from any to any port $udp_services

# ssh with per-source limits; offenders are added to <bruteforce>
pass log on $ext_if inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)



> 
> On Wed, Jun 25, 2014 at 10:21 PM, Predrag Punosevac <punosevac72 at gmail.com>
> wrote:
> 
> > I am running
> >
> > backup1# uname -a
> > DragonFly backup1.int.autonlab.org 3.8-RELEASE DragonFly v3.8.1-RELEASE
> > #16: Mon Jun 16 21:36:15 PDT 2014
> > justin at pkgbox64.dragonflybsd.org:
> > /usr/obj/build/home/justin/src/sys/X86_64_GENERIC
> > x86_64
> >
> >
> > After enabling PF network really slows down to the point that server is
> > unusable. ssh login hangs about a minute.  It looks very similar to this
> > thread
> >
> > http://serverfault.com/questions/514046/pf-slows-traffic-extremely-down
> >
> > and as a matter of fact I am using em driver.
> >
> > Has anybody else noticed this?
> >
> > Predrag
> >
> >
> 
> 
> -- 
> Sincerely,
> 
> Zachary Crownover
> mobile (310) 487-5573
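The ruleset in the message above has two things a reader would want to catch before blaming pf for the slowdown: the orphaned "keep state" line (whether typed that way or wrapped by the mailer, pfctl will not load a ruleset containing it) and a macro that is defined but never used. The script below is an added example, written here for this thread and not code from the poster, DragonFly or the pf project. It joins backslash continuations the way pf.conf(5) does, then flags lines that do not start with a rule keyword, references to undefined macros or tables, and unused macros. The ruleset embedded as SAMPLE_PF_CONF is a constructed copy of the one posted above; the check in main() that it fails as posted and passes once the backslash is restored is an assumption about the sample, not a statement about the poster's real /etc/pf.conf.

```python
"""Static checks for a pf.conf ruleset: join backslash continuations, then
flag dangling rule fragments, undefined or unused macros and undefined tables.
Added example for the mailing-list thread; pfctl -nf is the authoritative parser."""
import re
import sys

# Tokens that may begin a logical line in pf.conf (per pf.conf(5) grammar)
RULE_KEYWORDS = {
    "pass", "block", "match", "antispoof", "scrub", "set", "table", "anchor",
    "load", "include", "nat", "rdr", "binat", "nat-anchor", "rdr-anchor",
    "binat-anchor", "altq", "queue",
}
MACRO_DEF = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=")
MACRO_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
TABLE_DEF = re.compile(r"^table\s+<([^>]+)>")
TABLE_REF = re.compile(r"<([^>\s]+)>")

# Constructed sample: the ruleset from the post, with the wrapped "keep state"
# line reproduced as a separate physical line (line 18 of this string).
SAMPLE_PF_CONF = """\
ext_if="em0"
NoRouteIPs="{127.0.0.0/8, 240.0.0.0/4, 0.0.0.0/8, 169.254.0.0/16}"
table <bruteforce> persist
table <sshguard> persist
tcp_services = "{ssh, http, https, submission, 8080}"
udp_services = "{domain, ntp}"
set limit states 100000
set block-policy return
set skip on lo
scrub in all
block all
block quick from <bruteforce>
block in quick on egress proto tcp from <sshguard> \\
        to any port ssh label "ssh bruteforce"
antispoof quick for { lo }
block drop in quick from urpf-failed to any
pass out on $ext_if inet proto tcp from any to any port $tcp_services
keep state
pass out on $ext_if inet proto udp from any to any port $udp_services
pass log on $ext_if inet proto tcp from any to any port ssh \\
    flags S/SA keep state \\
    (max-src-conn 100, max-src-conn-rate 15/5, \\
     overload <bruteforce> flush global)
"""


def join_continuations(text):
    """Return [(first_physical_lineno, logical_line)], merging lines that end in '\\'."""
    out, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        out.append((start, " ".join(buf.split())))   # normalize whitespace
        buf, start = "", None
    if start is not None:                             # file ended mid-continuation
        out.append((start, " ".join(buf.split())))
    return out


def lint(text):
    """Return a list of (physical_lineno, message); lineno 0 means file-wide."""
    findings = []
    logical = [(n, l) for n, l in join_continuations(text) if l and not l.startswith("#")]
    macros = {MACRO_DEF.match(l).group(1) for _, l in logical if MACRO_DEF.match(l)}
    tables = {TABLE_DEF.match(l).group(1) for _, l in logical if TABLE_DEF.match(l)}
    used_macros = set()
    for n, l in logical:
        if MACRO_DEF.match(l):
            used_macros.update(MACRO_REF.findall(l))  # macros may expand other macros
            continue
        if l.split()[0] not in RULE_KEYWORDS:
            findings.append((n, "dangling fragment %r: does not start a rule; "
                                "is a '\\' continuation missing on the previous line?" % l))
        for mac in MACRO_REF.findall(l):
            used_macros.add(mac)
            if mac not in macros:
                findings.append((n, "undefined macro $%s" % mac))
        for tb in TABLE_REF.findall(l):
            if tb not in tables:
                findings.append((n, "undefined table <%s>" % tb))
    for mac in sorted(macros - used_macros):
        findings.append((0, "macro %s defined but never used" % mac))
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PF_CONF
    for lineno, msg in lint(text):
        print("line %d: %s" % (lineno, msg) if lineno else msg)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 pflint.py /etc/pf.conf`; with no argument it checks the embedded sample, which reports line 18 as a dangling fragment and NoRouteIPs as unused. This is only a pre-flight check for the mistakes visible in the thread; `pfctl -nf /etc/pf.conf` remains the real parse test, and neither tool says anything about the em(4) throughput problem the thread is about.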



