PF performance problems
Sergey N. Romanov
sr at innter.net
Sat Mar 3 02:05:00 UTC 2007
Hello,

We have PF-related problems on our FreeBSD 6.2 server. This is a
web server, and we have big problems even with a not very large number
of requests (maybe if more than 100-200/second): we can't ping the host,
can't make any connection to the host, etc. We can solve this problem
only after a PF restart (from the console). Of course, if the number of
requests stays the same, then we have the problem again immediately.

I have made some tests...

With the firewall disabled, "http_load -parallel 200 -seconds 60 urls"
can make 4500 requests per second. No problems with ping, etc.

Then I created a simple (I think) PF config:

ext_if = "em1"
set skip on lo0
set skip on em0
set block-policy return
block in log from any to any
block out log from any to any
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any keep state
pass in quick on $ext_if proto icmp from any to any keep state
pass out on $ext_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from any to any keep state

and with this config http_load can make only about 75 requests per
second :-((

With logging I can't see that any requests are blocked by the block rule,
and I can see that the passed amount is equal to the amount in the
http_load report.

Why do we have this problem? Where should we search for the problem?

--
Best regards