8.0 network problem

Roland Smith rsmith at xs4all.nl
Tue Jul 6 17:42:00 UTC 2010


On Tue, Jul 06, 2010 at 01:06:25AM -0500, David Warren wrote:
> Hi again,
> 
>      Disabling pf definitely makes samba file transfers move faster (the
> speed varies quite a bit, but everything's faster than the single kilobytes
> per second I was seeing previously), but I'm perplexed about what's causing
> the slowdown.  There's certainly some cruft in my pf.conf (below), but I'm
> not sure what might be strangling my LAN.  Can anyone set me straight?

In general, check which rules are matched most with 'pfctl -vvs rules|less'.

Put the rules that are matched most first in the ruleset, adding the 'quick'
keyword where possible.

There is a FAQ on the OpenBSD site about pf, but it pertains to a newer
version than is available in FreeBSD!

> /etc/pf.conf:
> # macros
> int_if = "em0"
> wifi_if = "wlan0"
> ext_if = "nfe0"
> 
> nat_opt = "192.168.0.5" # Windows box
> nat_cu = "192.168.0.1" # server
> 
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"

> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

You might want to replace this by a table. It's supposed to be faster;

table <priv_nets> const { 127/8, 192.168/16, 172.16/12, 10/8 }

> # options

You could try and use ruleset optimization;

set ruleset-optimization profile

> set block-policy return
> set loginterface $ext_if
> set skip on lo
> 
> # scrub
> scrub in
> 
> # nat/rdr
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat on $ext_if from $wifi_if:network to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 22 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 6881:6999 -> $nat_opt
> rdr on $ext_if proto tcp from any to any port 34567:34575 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 993 -> $nat_opt
> 
> # filter rules
> block in log

Try

block in log label "inblock"

Adding labels to your rules aids you in determining which ones are matched,
with 'pfctl -vvs labels'

> pass out keep state

I think keeping state is the default now.

> antispoof quick for { lo $int_if }
> 
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
> flags S/SA keep state
> 
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets

Use table syntax in combination with the table defined above;

block drop in quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>

> pass in inet proto icmp all icmp-type $icmp_types keep state

You might want to think about adding the "quick" keyword to the following four rules.

> pass in on $ext_if inet proto tcp from any to $nat_cu port $tcp_services
> flags S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_cu port 34567:34575 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 6881:6999 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 993 flags S/SA
> synproxy state

If you have a lot of traffic on the following two rules, put them at the top of the filter
rules. Then they will be evaluated first and not the rest of the rules. You
might also consider adding them to 'set skip'.

> pass in quick on $int_if
> pass in quick on $wifi_if

Enlarging the buffer sizes for the BPF device might help as well;

sysctl net.bpf.bufsize=65536
sysctl net.bpf.maxbufsize=524288

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
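An added example, not part of Roland's reply or of the pf tools themselves: a small POSIX shell helper that ranks the rules in 'pfctl -vvs rules' output by packets matched, so the most-hit rules can be moved to the top of the ruleset and given 'quick' as suggested above. The counter lines embedded below are constructed sample output, not a real capture.

```shell
#!/bin/sh
# Constructed sample of 'pfctl -vvs rules' output (not a real capture):
# each rule is followed by an "[ Evaluations: ... Packets: ... ]" line and
# an "[ Inserted: ... ]" line, as pf prints with -vv.
SAMPLE_RULES='@0 block drop in log all
  [ Evaluations: 184223    Packets: 351       Bytes: 21060       States: 0     ]
  [ Inserted: uid 0 pid 512 ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 183872    Packets: 90210     Bytes: 60140000    States: 37    ]
  [ Inserted: uid 0 pid 512 ]
@2 pass in quick on em0 all
  [ Evaluations: 93662     Packets: 88105     Bytes: 95201300    States: 51    ]
  [ Inserted: uid 0 pid 512 ]
@3 pass in quick on wlan0 all
  [ Evaluations: 5557      Packets: 4012      Bytes: 2400100     States: 6     ]
  [ Inserted: uid 0 pid 512 ]'

# rank_rules: read pfctl -vvs rules text on stdin and print one line per
# rule, sorted by packets matched (descending):
#   <packets> <evaluations> @<n> <rule text>
# A rule with many evaluations but few packets is costing lookups without
# matching; one with many packets belongs near the top, ideally with 'quick'.
rank_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        /^ *\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            printf "%s %s %s\n", pk, ev, rule
        }
    ' | sort -rn
}

# top_rule: print the "@<n>" identifier of the rule that matched the most
# packets, i.e. the first candidate to move up the ruleset.
top_rule() {
    rank_rules | head -n 1 | awk '{ print $3 }'
}

# Run against the sample; on a live box use: pfctl -vvs rules | rank_rules
printf '%s\n' "$SAMPLE_RULES" | rank_rules
```

On a live system, pipe the real `pfctl -vvs rules` output into `rank_rules` instead of the sample.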

