slow

Ping Mai pingmai at yahoo.com
Sun Sep 11 22:40:57 UTC 2011


Hi, 

I'm new to pf. Hoping for some help with pf.conf.

FreeBSD 5.5 router. 2 external interfaces, $com_if and $dsl_if. The default route is set to $com_if.

Incoming SMTP to $com_if seems to work fine.


Incoming SMTP to $dsl_if is the problem. Connecting to tcp/25 is fast, but after I issue an 'ehlo ...' there's a delay of ~1 minute before the reply comes back. From that point on the exchange works just fine.
The problem is most MTAs don't wait that long; they simply drop the connection.

tcpdump of pflog0 sees the incoming tcp/25; the outgoing reply from tcp/25 gets routed to $dsl_if (dc3). After that, it looks like it does an 'ident' and a DNS lookup, then it just sits there for minutes.

What's wrong with my pf.conf?

#----------------- tcpdump ------------------

000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535 <mss 1460,nop,wscale 3,[|tcp]>
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:  50336+ [1au][|domain]  

#------------------ pf.conf ------------------------------------------------------
int_if = "dc1"

dsl_if = "dc3"
com_if = "dc0"
dmz_if = "dc2"
int_net = "10.1.100.0/24"
dmz_net = "10.1.101.0/24"
dsl_gw="12.34.56.1"

com_gw="23.45.67.1"                     # default route

iserver="10.1.100.99"

tcp_services="{ http https }"

icmp_types="echoreq"

table <internal> { $int_net, $dmz_net }

set loginterface $dsl_if
set loginterface $com_if
set optimization normal
set block-policy return
set require-order yes


scrub in all
nat on $dsl_if from <internal> -> $dsl_if
nat on $com_if from <internal> -> $com_if

rdr pass on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver

block out log all
block in log all
pass quick on lo0

antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if}

pass out log on $dsl_if
pass out log on $com_if

pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state

pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}
pass in on $com_if proto { tcp, udp } to $com_if port {domain}
pass in on $com_if proto { tcp, udp } to port {bootpc}

pass in inet proto icmp all icmp-type $icmp_types

pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if
#------------------------------------------------------------------------
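Added as an editor's example, not part of Ping Mai's post and not pf's own tooling: a small Python parser for pflog lines in the tcpdump format quoted above. It turns each line into a record and then asks the three questions the trace raises: which packets were logged 'pass out' twice on different interfaces (the route-to re-emission that shows up as rule 28 followed by rule 12), which side connections the router itself opened (ident to tcp/113, DNS to udp/53) while the SMTP session was waiting, and which replies left on a different interface from the one the request arrived on. The sample input is the six lines from the post, embedded as a constructed string; all function and variable names are the example's own.

```python
import re

# Constructed sample: the six pflog0 lines quoted in the post (tcpdump -ttt style,
# first column is the delta to the previous packet in microseconds).
SAMPLE_PFLOG = """\
000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535 <mss 1460,nop,wscale 3,[|tcp]>
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:  50336+ [1au][|domain]
"""

# One pflog line: delta, matching rule, action, direction, interface, 4-tuple, remainder.
PFLOG_RE = re.compile(
    r"^(?P<delta>\d+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Destination ports of lookups a mail server commonly makes before answering EHLO.
SIDE_LOOKUP_PORTS = {113: "ident", 53: "dns"}


def parse_pflog(text):
    """Parse tcpdump-on-pflog0 output into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("delta", "rule", "sub", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def flow_key(rec):
    """Directional 4-tuple identifying the packet's flow."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def find_reemitted_packets(records):
    """Return (flow, first_iface, second_iface, (rule1, rule2)) for each packet logged
    'pass out' twice in a row on different interfaces. That is what route-to looks like
    in pflog: the kernel first sends via the default route, then pf overrides the exit."""
    hits = []
    for prev, cur in zip(records, records[1:]):
        if (prev["dir"] == cur["dir"] == "out"
                and flow_key(prev) == flow_key(cur)
                and prev["rest"] == cur["rest"]
                and prev["iface"] != cur["iface"]):
            hits.append((flow_key(cur), prev["iface"], cur["iface"],
                         (prev["rule"], cur["rule"])))
    return hits


def find_side_lookups(records, ports=SIDE_LOOKUP_PORTS):
    """Outbound connections the router itself opens to ident/DNS; each one is a round trip
    the remote MTA has to wait through before it sees the EHLO reply."""
    return [(ports[r["dport"]], r["src"], r["dst"], r["iface"])
            for r in records
            if r["dir"] == "out" and r["dport"] in ports]


def ingress_egress_mismatch(records):
    """For every inbound TCP SYN, report replies that left on an interface other than the
    one the SYN arrived on: the asymmetric-routing case for a multi-homed router."""
    syn_in = {}
    for r in records:
        if r["dir"] == "in" and r["rest"].startswith("S "):
            # Key by the reversed tuple so the reply's flow_key() matches directly.
            syn_in[(r["dst"], r["dport"], r["src"], r["sport"])] = r["iface"]
    mismatches = []
    for r in records:
        key = flow_key(r)
        if r["dir"] == "out" and key in syn_in and r["iface"] != syn_in[key]:
            mismatches.append((key, syn_in[key], r["iface"]))
    return mismatches


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    print("re-emitted packets (route-to):", find_reemitted_packets(recs))
    print("side lookups:", find_side_lookups(recs))
    print("in/out interface mismatches:", ingress_egress_mismatch(recs))
```

Run against the quoted trace it reports the SYN-ACK and the ident SYN both leaving first on dc0 and then on dc3, three side lookups (two ident, one DNS), and one reply whose first egress interface differs from the ingress interface; feeding it a longer capture taken with the same tcpdump flags would show whether the minute-long gap sits after the ident SYN or after the DNS query.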


More information about the freebsd-pf mailing list