pf killing NFS
Luke Dean
LukeD at pobox.com
Tue Dec 12 22:51:29 PST 2006
On Wed, 13 Dec 2006, Charles Sprickman wrote:
> Hi all,
>
> I'm running a 6.2-RC1 box (cvsup'd today) that has two broadcom nics. One is
> an internal network (nfs) and the other is external.
>
> PF has this rule for all traffic on the private net:
>
> [root at archive /home/jails]# pfctl -sr|grep bge1
> pass in quick on bge1 inet from 192.168.1.0/24 to any
> pass out quick on bge1 inet from any to 192.168.1.0/24
>
> No state since these are "quick" and symmetrical.
>
> Doing something like "ls /usr/ports" will just hang until interrupted. Using
> tcp for nfs makes it workable, but very slow.
>
> If I disable pf (pfctl -d), both types of mounts work, and speed is
> excellent. I also just found that if I remove the "scrub in all" statement
> and change it to "scrub in on bge0", things are fine.
I believe it's a bad idea to run NFS traffic through scrub unless you use
the "no-df" option with it. I just don't scrub my internal network
traffic at all.
I got this from "man pf.conf":
scrub has the following options:
no-df
Clears the dont-fragment bit from a matching IP packet. Some operating
systems are known to generate fragmented packets with the
dont-fragment bit set. This is particularly true with NFS. Scrub
will drop such fragmented dont-fragment packets unless no-df is
specified.
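The two working rulesets this thread converges on, written out as an added pf.conf fragment (not code from either poster); bge0, bge1 and 192.168.1.0/24 are the values from the thread, and pairing no-df with random-id follows the recommendation in pf.conf(5):

```pf
# Original setting from the thread: normalizes inbound traffic on every
# interface. Fragmented NFS datagrams arriving on bge1 with DF set are
# dropped here, which is why "ls /usr/ports" hangs over UDP mounts.
# scrub in all

# Option 1 (what the poster found works): scrub only the external
# interface and leave the internal NFS network untouched.
scrub in on bge0

# Option 2: keep scrubbing everywhere, but clear DF so fragmented
# NFS packets are reassembled instead of dropped. random-id is
# recommended alongside no-df because some systems send DF packets
# with a zero IP ID, which would collide once DF is cleared.
# scrub in all no-df random-id

# Internal network rules as in the thread (stateless, symmetrical).
pass in quick on bge1 inet from 192.168.1.0/24 to any
pass out quick on bge1 inet from any to 192.168.1.0/24
```

Only one of the scrub lines should be active at a time; after editing, `pfctl -nf /etc/pf.conf` parses the file without loading it and `pfctl -sr` shows which scrub rule is in effect.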