PF, bridge, states and window scaling problem
freebsd-lists-erik at erikosterholm.org
Mon Nov 12 21:42:29 PST 2007
On Tue, Nov 13, 2007 at 07:50:53AM +0530, Girish Venkatachalam wrote:
> On 22:08:03 Nov 12, Alupului Costin wrote:
> > I seem to have quite a problem with PF. I have set up a bridge to
> > shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
> > not really important. My problem comes with the filter rules. I have
> > to use keep state because of the speed benefits (really I don't have a
> > choice),
> One should always keep state.
> > Oh, here is the setup of the bridge from rc.conf, although there
> > shouldn't be any problems there (the bridge works fine without pf, or
> > with pf stateless):
> Stateful filtering is always recommended. Performance is not the only
> reason why you should use it.
> It also adds to security. Have you tried disabling normalization/scrub?
My understanding (and please correct me if I'm wrong) is that
keeping state requires fragmented packet reassembly, which can break
some applications. Also, I've always followed the conventional wisdom
that bridges shouldn't keep state. A posting from the maintainer
Maybe this has changed--I'm not sure, but so far I haven't seen
performance issues with pf and if_bridge without keeping state, so I
haven't been worried about it.
More information about the freebsd-questions