Traffic mysteriously dropping

Greg Hennessy Greg.Hennessy at nviz.net
Fri Mar 31 07:57:57 UTC 2006


 
> 
> These 2 problems are making pf virtually unusable for our
> firewall needs.  Hopefully there is a fix for them.
>

Have you tried ifconfig polling on all the em interfaces?

I have recently installed a PF system on 6.1 prerelease with 4 em + 2
bge interfaces and 80-odd rules; it's not sweating at ~600 meg/sec being thrown at it.
That's with ALTQ compiled in but not used in the policy at present.

Unless you are using synproxy, I would suggest getting rid of set
state-policy if-bound and sticking with the default of floating.

Are all your stateful TCP rules using flags S/SA to establish state?

Are you running out of state table entries?

The default is 10k; tracking it with pfctl -si will tell you.

With nearly 400 firewall rules, I would suggest that there's scope for
reviewing order and the judicious use of quick to trim the policy into
something more manageable. 



Greg
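As an added example (not part of Greg's mail, nor code from the pf project), a small POSIX shell script that answers the "are you running out of state table entries?" question from pfctl output, and prints a pf.conf fragment with the settings the mail recommends (floating state policy, flags S/SA, quick). The pfctl output embedded below is constructed sample text in the layout `pfctl -si` and `pfctl -sm` print; on a real box feed it `$(pfctl -si)` and `$(pfctl -sm)` instead. The 200000 state limit and the em0 interface/port in the fragment are assumptions, size them for your own traffic.

```shell
#!/bin/sh
# Added example: check pf state-table headroom from pfctl output and
# print the pf.conf settings suggested in the mail above.
#
# CONSTRUCTED sample output in the format of `pfctl -si`; on a real
# firewall use:  SI=$(pfctl -si); SM=$(pfctl -sm)
SAMPLE_SI='Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                     9871
  searches                       812345678        3123.0/s
  inserts                         41234567         158.0/s
  removals                        41224696         158.0/s
Counters
  match                           41234567         158.0/s
  state-mismatch                       511           0.0/s
  state-insert                           0           0.0/s
  state-limit                         1432           0.0/s'

# CONSTRUCTED sample output in the format of `pfctl -sm` (default limits).
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Current number of entries in the state table ("current entries" line).
pf_state_current() {
    printf '%s\n' "$1" | awk '/^ *current entries/ { print $3; exit }'
}

# Configured hard limit on states (10000 unless `set limit states` is used).
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4; exit }'
}

# How many times pf refused a new state because the table was full.
pf_state_limit_hits() {
    printf '%s\n' "$1" | awk '/^ *state-limit/ { print $2; exit }'
}

# Integer percentage of the state table in use.  $1 = -si text, $2 = -sm text.
pf_state_pct() {
    cur=$(pf_state_current "$1")
    lim=$(pf_state_limit "$2")
    echo $(( cur * 100 / lim ))
}

# "full" when the table is at least 90% used or states have been refused,
# otherwise "ok".
pf_state_verdict() {
    pct=$(pf_state_pct "$1" "$2")
    hits=$(pf_state_limit_hits "$1")
    if [ "$pct" -ge 90 ] || [ "$hits" -gt 0 ]; then
        echo full
    else
        echo ok
    fi
}

# pf.conf fragment applying the mail's suggestions.  The state limit,
# interface and port are ASSUMPTIONS for illustration.
pf_conf_fragment() {
    cat <<'EOF'
# raise the state table from the 10k default (assumed value)
set limit states 200000
# floating states unless synproxy needs if-bound
set state-policy floating
# create state on SYN only, and use quick so later rules are not evaluated
pass in quick on em0 proto tcp from any to any port 80 flags S/SA keep state
EOF
}

main() {
    echo "state table: $(pf_state_pct "$SAMPLE_SI" "$SAMPLE_SM")% used," \
         "verdict: $(pf_state_verdict "$SAMPLE_SI" "$SAMPLE_SM")"
    pf_conf_fragment
}
```

Run the script as-is to see the verdict for the sample data; to use it live, replace the two SAMPLE_ strings with the real pfctl output and call `main`. A non-zero `state-limit` counter is the decisive signal: it means pf has already dropped connections because the table was full, even if the current entry count happens to be below the limit when you look.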


