pf slows down the network

Predrag Punosevac punosevac72 at
Thu Jun 26 08:22:36 PDT 2014

Predrag Punosevac <punosevac72 at> wrote:

> Matthew Dillon <dillon at> wrote:
> > We're talking about it on IRC.  It may take a few days to get the basic SMP
> > concurrency operational in master for PF, but it should be possible for you
> > to do some mitigation before that point by tracking down the culprit.
> > 
> FreeBSD guys have done some work on enabling SMP on PF. FreeBSD machines
> with similar rules have no problem with the network.
> > Several possibilities:  (1) Is the logging.  Try not using that.  (2) the
> > number of blocking rules before hitting the main TCP rules that packets
> > will match on can seriously impact performance.  (3) Is the keep-state (the
> > policy line I posted should have fixed that and had some effect).  (4)
> > could be handling of lo0 ... you should 'pass quick on { lo } as soon as
> > possible, before any block rules.
> > 
> > You are also missing some necessary ICMP rules.  You can't just block ICMP
> > which your 'block all' is going to do, that will prevent older
> > non-tcp-option-based TCP MTU discovery from working properly.  I suggest
> > removing the 'block all' and just having block rules for TCP and UDP  so
> > you don't have to worry about passing through ICMP sub-protocols.
> > 

Hi Matt,

I have great news. I hope you don't mind me CCing users at dragonfly, as
this might be of interest to other people. This machine is as fast as a
machine without pf when running the following rule set.


table <bruteforce> persist
table <sshguard> persist

tcp_services = "{ssh, http, https, submission, 8080}"
udp_services = "{domain, ntp}"

set keep-policy keep state (pickups, sloppy)
set limit states 100000
set block-policy return
set optimization normal
# set loginterface egress
set skip on lo

scrub in all

block in
block quick from <bruteforce>
block in quick on egress proto tcp from <sshguard> \
        to any port ssh label "ssh bruteforce"

# antispoof quick for { lo }

block drop in quick from urpf-failed to any
block in on !lo0 proto tcp to port 6000:6010

pass out on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto tcp from any to any port $tcp_services
pass out on $ext_if inet proto udp from any to any port $udp_services
pass on $ext_if inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

Summary of what I have done:

1. Add 

set keep-policy keep state (pickups, sloppy)

2. Disable pflogs
3. Disable antispoof on lo interface.

# antispoof quick for { lo }

4. Use 'block in' as my first rule instead of the 'block all' currently
recommended on vanilla OpenBSD.

5. Added the rules for ICMP which were carelessly deleted while I was
trying to adjust /etc/pf.conf syntax from OpenBSD 5.5 to 4.8 currently
used by DF.

Thank you so much for help with this and all the things you have done
for me personally starting with that Amiga C compiler:)

> I will try. The rules used are more or less the rules I use on
> OpenBSD network servers with some adjustments for the older syntax
> (scrub and matching rules look different in current OpenBSD versions).
> > If your box is doing any local routing into and out of the same network
> > interface, short cutting that can help.   Usually best to not have
> > excessive rules (or any rules) on local interfaces and only have the major
> > rules on the interfaces talking to the outside world.
> > 
> > What kind of network bandwidths are we talking about here?
> > 
> 1 gigabit at slowest. Lots of 10 gigabit stuff in our lab.
> > -Matt
> > 
> > 

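The "tracking down the culprit" Matt suggests above comes down to reading the per-rule counters that `pfctl -v -s rules` prints: a rule that pf evaluates on nearly every packet but that never matches anything is pure cost, and it is exactly the pattern produced by a chain of non-quick block rules sitting in front of the pass rules most traffic hits. The script below is an added example, not code from this thread or from DragonFly; it ranks rules by evaluations and flags the ones that never matched. The sample output embedded in it is constructed in the format pfctl prints (the `em0` interface name and all counter values are made up), so the script runs offline; on a live box, pipe `pfctl -v -s rules` into `rank_rules` or `never_hit_rules` instead.

```shell
#!/bin/sh
# Added example: rank pf rules by how often pf evaluated them, from the
# counters `pfctl -v -s rules` prints after each rule. Not from the thread.

# Constructed sample in the `pfctl -v -s rules` output format: a rule line
# followed by an indented counter line. Interface em0 and all numbers are
# made up for illustration.
SAMPLE_PFCTL_OUTPUT='block drop in all
  [ Evaluations: 900000    Packets: 90000     Bytes: 5400000      States: 0     ]
block drop quick from <bruteforce> to any
  [ Evaluations: 899700    Packets: 0         Bytes: 0            States: 0     ]
block drop in quick on egress proto tcp from <sshguard> to any port = ssh label "ssh bruteforce"
  [ Evaluations: 897000    Packets: 0         Bytes: 0            States: 0     ]
pass out on em0 inet proto tcp from any to any port = www flags S/SA keep state
  [ Evaluations: 500       Packets: 120000    Bytes: 90000000     States: 40    ]
'

# rank_rules: read `pfctl -v -s rules` output on stdin and print one
# tab-separated line per rule: evaluations, packets matched, hit rate in
# percent, rule text; most-evaluated rule first.
rank_rules() {
    awk '
        /^[^ \t]/ { rule = $0 }
        /^[ \t]*\[ Evaluations:/ {
            evals = $3 + 0; pkts = $5 + 0
            hit = (evals > 0) ? int(100 * pkts / evals) : 0
            printf "%d\t%d\t%d%%\t%s\n", evals, pkts, hit, rule
        }
    ' | sort -k1,1nr
}

# never_hit_rules: rules pf evaluated at least MIN_EVALS times (default
# 100000) that matched no packet at all. These are the first candidates to
# move behind the pass rules that most traffic matches, or to make quick so
# later rules are not evaluated needlessly.
never_hit_rules() {
    min_evals=${1:-100000}
    rank_rules | awk -F '\t' -v min="$min_evals" '$1 >= min && $2 == 0 { print $4 }'
}

# Wrappers over the constructed sample so the script runs without pf.
sample_top_rule() {
    printf '%s' "$SAMPLE_PFCTL_OUTPUT" | rank_rules | head -n 1 | cut -f4-
}

sample_never_hit_count() {
    printf '%s' "$SAMPLE_PFCTL_OUTPUT" | never_hit_rules | wc -l | tr -d ' '
}

# Usage on a live system (needs root):
#   pfctl -v -s rules | rank_rules
#   pfctl -v -s rules | never_hit_rules 50000
```

Note that with `block in` as a non-quick rule, every inbound packet without a state walks the whole rule set, so the block rules that follow it show evaluations close to the total packet count even when they never match; `pfctl -z` resets the counters, which is useful for taking a clean sample under load.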