pf and mpd

Greg Hennessy Greg.Hennessy at nviz.net
Wed May 18 00:29:53 PDT 2005


> Hello,
>     Thanks for your detailed reply.

My pleasure mate. 

> With set optimization aggressive i read it was a performance 
> enhancer. 

For 99% of real world usage it's not. 

> I'm having an issue with pop, either pop3 or pop3s 
> where locally it works fine, but if i'm on the road and 
> attempting to pop it goes in spurts, gets some messages, then 
> slows to a crawl, gets some more, and so forth. I was trying 
> that option to see if it'll fix it.

Don't think that'll be the problem. It may be something to do with path MTU
discovery. However, cleaning up the policy may help also. 

> I'll turn block-policy to return, see if i get anything further.

Applications will not hang & wait to time out if traffic is blocked. They
will tell you if communication has been prevented. 

>     I've made the change set block all, and as for exchange i 
> don't know if i really want to hear from anyone running a 
> windows mailserver given all the worms and so forth, do i?

If you have any email contact using exchange and no secondary MX setup, you
most definitely do. Otherwise they will not be able to send to you. 
A secondary MX hosted somewhere else is always a good idea to begin with. 

>     Thanks for the tip on the flags, and modulate state, i've 
> changed both of them through the file, i didn't realize those 
> would have that much of a performance and/or security or 
> compatibility hit.

Every day a school day. :-)

> Any other suggestions let me know, one thing, since i'm 
> passing gre and ng0 traffic such as:
> 
> pass in on $EXT inet proto gre from any to $LAN_SERVER keep state
> pass on ng0 from any to $LAN_SERVER keep state

Recommend enabling logging on both those rules, so you see if they are being
triggered. 

For more immediate logging rather than the default 60 seconds with pflogd,
either change the relevant rc.conf entry and set pflogd flags to the minimum
of 5 seconds, or use the following and log directly to syslog instead:

http://www.freebsdforums.org/forums/showthread.php?s=&postid=139518&highlight=tcpdump#post139518

Personally I use the syslog route on anything which doesn't have really
large volumes of traffic. 

Appreciating how 'quick' works will also be useful. 

> 
> do i need to have rdr rules for these as well?

No, just configure MPD to listen on the external interface. 

As I recall, I had to put in a pass out rule for gre as well. 

As Chris says in the followup, the important thing with GRE is to avoid
natting it. 
Many to one nat without some form of helper support will break GRE. 

> Thanks also for the tip on block all, i think that gives me 
> more of the effect i want.

A default block policy is much easier to maintain, as you are only going to
permit traffic you want. 



> Dave.
> 
> 
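Putting the advice from this thread together in one ruleset, as an added example (this is not Greg's or Dave's configuration, and the interface name and addresses are constructed): default block with logging, `block-policy return` so a blocked client fails fast instead of hanging, `optimization normal` rather than `aggressive`, logging on the GRE and ng0 rules so you can see whether they fire, a matching `pass out` for GRE, and a NAT rule restricted to TCP/UDP/ICMP so GRE is never many-to-one translated.

```pf
# Constructed example pf.conf for an MPD PPTP server behind pf.
# Assumed names: fxp0 is the external interface, 10.0.0.10 the MPD host.
ext_if = "fxp0"
EXT = $ext_if
LAN = "10.0.0.0/24"
LAN_SERVER = "10.0.0.10"

# Blocked clients get a RST/ICMP unreachable and fail immediately,
# instead of waiting on a silent drop to time out.
set block-policy return
# 'aggressive' shortens state timeouts; keep the normal profile.
set optimization normal
set skip on lo0

# NAT only protocols that carry ports; GRE has none, so many-to-one
# NAT without a helper would break the tunnel. Leave GRE untranslated.
nat on $EXT proto { tcp udp icmp } from $LAN to any -> ($EXT)

# Default deny, logged, so only explicitly permitted traffic passes.
block log all

# 'quick' stops rule evaluation here; without it the *last* matching
# rule wins, so a later pass rule could silently override this block.
block in quick on $EXT from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any

# PPTP control channel and GRE data channel to the MPD server.
# No rdr is needed: MPD listens on the external interface itself.
pass in log on $EXT inet proto tcp from any to $LAN_SERVER port 1723 flags S/SA keep state
pass in  log on $EXT inet proto gre from any to $LAN_SERVER keep state
# GRE is bidirectional; the reply direction needs its own pass out.
pass out log on $EXT inet proto gre from $LAN_SERVER to any keep state

# Decapsulated PPP traffic arrives on the netgraph interface.
pass log on ng0 from any to $LAN_SERVER keep state

# Ordinary outbound traffic from the LAN.
pass out on $EXT inet from ($EXT) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. To see the logged rules fire, watch `tcpdump -n -e -ttt -i pflog0 proto gre`; for the shorter pflogd flush interval mentioned above, set `pflogd_flags="-d 5"` in `/etc/rc.conf` and restart pflogd (`-d` is pflogd's flush delay in seconds, default 60).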
