pf slows down the network
Zachary Crownover
zachary.crownover at gmail.com
Wed Jun 25 23:11:14 PDT 2014
Lucky for you we have 4.8
On Jun 25, 2014 11:05 PM, "Predrag Punosevac" <punosevac72 at gmail.com> wrote:
> Zachary Crownover <zachary.crownover at gmail.com> wrote:
>
> > Are you able to post your pf.conf? It could be the way you have it
> > configured, because I'm using it in numerous systems and don't see any
> > degradation in network performance.
> >
>
> Here it is. I had very hard time recalling pre 4.5 syntax :)
>
> ext_if="em0"
>
> NoRouteIPs="{127.0.0.0/8, 240.0.0.0/4, 0.0.0.0/8, 169.254.0.0/16}"
> table <bruteforce> persist
> table <sshguard> persist
>
> tcp_services = "{ssh, http, https, submission, 8080}"
> udp_services = "{domain, ntp}"
>
>
> set limit states 100000
> set block-policy return
> set optimization normal
> set loginterface egress
> set skip on lo
>
> scrub in all
>
> # filter rules
> block all
> block quick from <bruteforce>
> block in quick on egress proto tcp from <sshguard> \
> to any port ssh label "ssh bruteforce"
>
> antispoof quick for { lo }
>
> block drop in quick from urpf-failed to any
> block in on ! lo0 proto tcp to port 6000:6010
>
> pass out on $ext_if inet proto tcp from any to any port $tcp_services
> keep state
> pass out on $ext_if inet proto udp from any to any port $udp_services
> pass log on $ext_if inet proto tcp from any to any port ssh \
> flags S/SA keep state \
> (max-src-conn 100, max-src-conn-rate 15/5, \
> overload <bruteforce> flush global)
>
>
>
> >
> > On Wed, Jun 25, 2014 at 10:21 PM, Predrag Punosevac <
> punosevac72 at gmail.com>
> > wrote:
> >
> > > I am running
> > >
> > > backup1# uname -a
> > > DragonFly backup1.int.autonlab.org 3.8-RELEASE DragonFly
> v3.8.1-RELEASE
> > > #16: Mon Jun 16 21:36:15 PDT 2014
> > > justin at pkgbox64.dragonflybsd.org:
> > > /usr/obj/build/home/justin/src/sys/X86_64_GENERIC
> > > x86_64
> > >
> > >
> > > After enabling PF network really slows down to the point that server is
> > > unusable. ssh login hangs about a minute. It looks very similar to
> this
> > > thread
> > >
> > >
> http://serverfault.com/questions/514046/pf-slows-traffic-extremely-down
> > >
> > > and as a matter of fact I am using em driver.
> > >
> > > Has anybody else noticed this?
> > >
> > > Predrag
> > >
> > >
> >
> >
> > --
> > Sincerely,
> >
> > Zachary Crownover
> > mobile (310) 487-5573
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20140625/8debcf94/attachment-0003.htm>
More information about the Users
mailing list