rdr rule does not work (bad hdr length)

Max Laier max at love2party.net
Tue Nov 4 08:11:15 PST 2008


On Tuesday 04 November 2008 16:50:43 Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 04:48:31PM +0100, Matthias Kellermann wrote:
...
> >
> > Thanks for your explanation, Max.
> >
> > I've added the following line to /etc/inetd.conf:
> > telnet stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 20
> > 192.168.0.10 23
> >
> > Works fine!
> >
> > I've tried the same thing with other protocols (e.g. SSH). Doing an scp
> > transfer is really slow this way. Any ideas what could cause this issue?
> > (this is not pf related anymore, but perhaps someone has a quick answer).
>
> Simple: you've created a wonderful, beautiful bottleneck by using netcat
> as a form of buffering mechanism.  You can tune netcat to your heart's
> content, and probably improve things a bit, but you're more or less
> screwed (to put it frankly).
>
> I highly recommend Max's first recommendation.

Basically, yes.  Userland redirection is a hack.  It's easy to set up and will
get you going.  There are more efficient implementations than netcat - e.g.
rinetd from ports.  Ultimately, however, if you are looking for throughput
without too much impact on the forwarding box etc. ... you must use a
different mechanism - such as in-kernel redirection as provided by pf.  For
that you need a different network layout, however.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
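
As an added illustration of the in-kernel alternative Max points to (not part of the thread or of pf's own documentation), a pf.conf fragment that redirects telnet to 192.168.0.10 the way the inetd/nc line does, using the rdr syntax of the pf version FreeBSD shipped at the time; the $ext_if and $int_if interface macros are assumptions:

```text
# Added example, not from the thread. Interface names are assumed.
ext_if = "em0"
int_if = "em1"

# In-kernel equivalent of the inetd.conf + nc line: TCP connections to the
# forwarder's telnet port are rewritten to 192.168.0.10:23 before routing, so
# no userland process copies the bytes. 'rdr pass' also creates the filter
# state; rdr rules are evaluated before filter rules, which would otherwise
# have to allow the translated destination explicitly.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 23 -> 192.168.0.10 port 23

# The "different network layout" caveat: replies from 192.168.0.10 must come
# back through this box (it is the server's default gateway, or otherwise on
# the return path), or the client sees a half-translated connection. If that
# cannot be arranged, rewrite the source as well so replies are forced back
# here, at the cost of the real client address in the server's logs:
# nat on $int_if proto tcp from any to 192.168.0.10 port 23 -> ($int_if)

# Syntax-check before loading: pfctl -nf /etc/pf.conf
```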