PF newbie questions

Dan Pritts danno at umich.edu
Mon Aug 23 15:25:04 UTC 2010


On Thu, Aug 19, 2010 at 05:44:26PM -0700, Patrick Mahan wrote:
> I am just a little concerned over the potential for impact to the
> throughput by the re-assembling of an IP packet from its fragments

> However, it seems to me that limiting it to 0 is a bit drastic.  Shouldn't
> it be something like 4-8 packet limit?

hi Patrick -

My slightly-educated guess is that you are right to have performance
concerns.

pf comes from openbsd.  relatively speaking, openbsd doesn't care
about performance; they care about security and correctness.

They are the same folks behind openssh, and they have refused
requests to merge patches that *drastically* improve openssh transfer
speeds over WANs:

  http://www.psc.edu/networking/projects/hpn-ssh/
  http://www.psc.edu/networking/projects/hpn-ssh/faq.php (near bottom)

Also, note the example configurations in the pf faq:

  http://www.openbsd.org/faq/pf/queueing.html

basically, home users and companies with T1 lines.


how easily the issues you note can be dealt with without affecting
security I do not know.  Surely, it would be much more complex to
do effective firewall filters of IP fragments than it is to use the
current approach.

As a practical concern for that one, I don't know what your product
does, but do you really expect to transfer many fragmented packets?

I'd also note that the current freebsd pf code is based on an old
snapshot from openbsd.  depending on your product plans you might
want to wait/join the effort to merge a newer version; there has
been some discussion on this list.

if you are just looking for queueing, I assume you also know
about ipfw DUMMYNET; if not check it out.

danno
--
dan pritts
ann arbor, mi, us
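
As an added illustration (not part of Dan's or Patrick's messages), here is a minimal FreeBSD pf.conf showing the two knobs the thread is discussing: the fragment-table limit and reassembly of fragments before filtering. The interface name, the limit value and the rule set are assumptions chosen for the example.

```conf
# Added example, not from the original thread. Interface name and limit
# value are assumptions; adjust for your own system.

ext_if = "em0"

# Hard cap on entries in the fragment table. A limit of 0 leaves no room
# to hold fragments at all, so fragmented datagrams effectively cannot be
# reassembled and are dropped; the thread argues that is too drastic.
# A moderate cap instead bounds the memory a sender can tie up with
# deliberately unfinished fragment trains.
set limit frags 2000

# Reassemble fragments before any filtering decision is made. This is the
# "current approach" the reply refers to: rules are evaluated against a
# whole datagram, so a rule cannot be sidestepped by splitting a transport
# header across fragments or by overlapping fragment payloads.
scrub in on $ext_if all fragment reassemble

block in on $ext_if all
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
pass out on $ext_if all keep state
```

To confirm what is in effect, `pfctl -s memory` prints the configured hard limits (including `frags`), and `pfctl -s info` reports the fragment counters, which is a quick way to see whether a given deployment actually handles enough fragmented traffic for the cost of reassembly to matter.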