Traffic mysteriously dropping
Greg Hennessy
Greg.Hennessy at nviz.net
Fri Mar 31 07:57:57 UTC 2006
>
> These 2 problems, are making pf, virtually unusable for our
> firewall needs. Hopefully there is a fix for them.
>
Have you tried ifconfig polling for all the em interfaces?

I have recently installed a PF system on 6.1 prerelease with 4 * em + 2 *
bge and 80-odd rules; it's not sweating @ ~600 meg/sec being thrown at it.
That's with ALTQ compiled in but not used in the policy at present.

Unless you are using synproxy, I would suggest getting rid of set
state-policy if-bound and sticking with the default of floating.

Are all your stateful TCP rules using flags S/SA to establish state?

Are you running out of state table entries?
The default is 10k; tracking it with pfctl -si will tell you.

With nearly 400 firewall rules, I would suggest that there's scope for
reviewing order and the judicious use of quick to trim the policy into
something more manageable.
Greg
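The state-table check Greg suggests, as an added shell example (not part of the original thread): it parses the "current entries" line of `pfctl -si` and the "states hard limit" line of `pfctl -sm` and reports how close the table is to its limit. The sample output below is constructed and stands in for the live commands; the parsing assumes the column layout shown.

```shell
#!/bin/sh
# Check PF state-table pressure from pfctl -si / pfctl -sm output.
# Constructed sample output; on a live box replace with:
#   SI=$(pfctl -si)   SM=$(pfctl -sm)

SAMPLE_SI='State Table                          Total             Rate
  current entries                     9873
  searches                       123456789         10702.2/s
  inserts                          2345678           203.3/s
  removals                         2335805           202.5/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# state_entries: print the "current entries" count from pfctl -si text on stdin
state_entries() {
    awk '/^[[:space:]]*current entries/ { print $3; exit }'
}

# state_limit: print the states hard limit from pfctl -sm text on stdin
state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# state_pct: integer percentage of the table in use, given entries and limit
state_pct() {
    echo $(( $1 * 100 / $2 ))
}

# state_check: succeed (exit 0) when usage is below the threshold percent,
# fail (exit 1) when the table is at or above it
state_check() {
    pct=$(state_pct "$1" "$2")
    [ "$pct" -lt "$3" ]
}

# Report on the sample data: 9873 of 10000 entries is 98% used.
entries=$(printf '%s\n' "$SAMPLE_SI" | state_entries)
limit=$(printf '%s\n' "$SAMPLE_SM" | state_limit)
echo "state table: $entries / $limit ($(state_pct "$entries" "$limit")% used)"
if ! state_check "$entries" "$limit" 90; then
    echo "WARNING: near the hard limit; consider 'set limit states N' in pf.conf"
fi
```

A table this close to its limit means new connections get dropped once it fills, which matches the "mysteriously dropping" symptom; raising the limit with `set limit states` in pf.conf is the usual fix.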