On Wed, Nov 08, 2006 at 10:44:46PM -0500, Michael Lockhart wrote:
> Looking for thoughts on improving performance, throughput, etc.  I'm
> leaning towards just throwing up 2 better boxes with 2GB of ram and
> P4's.  Wish I could show the pf.conf rules but that's out of the
> question.

  if sanitizing the hell out of them is not an option for you,
  it might be a better use of time to try and run the system
  with as stripped down a ruleset as you can manage, provided you
  don't end up exposing some bleeding whore application, as opposed
  to sending 'relevant snippets'.
 
> Here's the stats:
> 
> -bash-2.05b# pfctl -s info -v
> 
> Status: Enabled for 14 days 18:54:07          Debug: Urgent
> 
> Hostid: 0x********
> 
> State Table                          Total             Rate
> 
>   current entries                     7008
>   searches                      3599595861         2817.4/s
>   inserts                         83619775           65.4/s
>   removals                        83612767           65.4/s

  it is well known that using bash for a root shell will
  slow the system down appreciably.

  well, no, probably not at all, but wtf.

  or perhaps you handled read permissions correctly and aren't
  root, but anyway, what's the actual problem?

> -bash-2.05b# sysctl -a | grep tcp.

$ sysctl net.inet.tcp

  :)

  don't even need root, or bash.

  to be fair, i don't have a 3.5 laying around anymore to tell you
  for certain that that works there...

> dmesg:
> 
> OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1 GHz

  a p3 1GHz should be quite capable of handling a decent number
  of packets per second with pf and a sane ruleset, tho i suppose
  the question then becomes how much traffic is going through this
  machine?  all the stuff destined for the MX of a domain with 500,000
  users, a medium-sized office with a T1 or so, or just a dsl line?  

  the advice to upgrade to something newer than 3.5 is perhaps not ill-spent,
  depending on what the actual issue is.

  you could put openbsd on a thumbdrive or make pxeboot nfs something
  to "nondestructively" test a currently supported release and see if it
  has any impact on your situation.  tho', naturally, if this machine is
  doing more than just pf yes/no, upgrading or testing a new release
  might be more cumbersome.

> xl0 at pci1 dev 5 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 12
> xl0: command never completed!
> xl0: command never completed!
> xl0: command never completed!
>  address 00:0a:5e:1c:ef:69
> exphy0 at xl0 phy 24: 3Com internal media interface
> xl0: command never completed!
> xl0: command never completed!
> xl0: command never completed!

  does the issue have anything to do with xl0?

  i've had a couple xl(4)s that worked perfectly fine in the earlier releases,
  and one which decidedly worked unreliably until the more recent
  releases.  the funky one was an onboard.

  tho', with that one, the problem was more predictability/reliability and not
  throughput/performance related.

> hifn0 at pci1 dev 10 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4
> MD5 SHA1 RNG AES PK, 32KB dram, irq 9

  if the problem you mention but perhaps simply forgot to disclose has
  anything to do with the ipsec or the hifn, it's quite good to ensure that
  whatever you're trying to use it for is actually using it (eg, don't
  setup isakmpd to use transforms/protos that the hifn doesn't grok (sha2)),
  say, perhaps by watching interrupts in "systat vmstat".  but even without
  a hifn, a p3-1ghz is not a wimp.

-- 

  jared
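An added example, not part of the thread above: a small POSIX shell/awk script that turns the `pfctl -s info -v` figures Michael posted into the numbers jared is asking about (how full the state table is, how many lookups each new connection costs, whether the table is growing). It embeds the posted stats as constructed sample input, and a constructed `pfctl -s memory` block that assumes the stock `states hard limit 10000` (an assumption; read the real value from the box). One caveat it makes visible: the "Rate" column in `pfctl -s info` is the counter divided by the time pf has been enabled, i.e. a 14-day average here, so it hides any peak the firewall is actually choking on.

```shell
#!/bin/sh
# Added example (not from the original thread). Summarizes pf state-table
# pressure from saved `pfctl -s info -v` and `pfctl -s memory` output, so the
# figures can be compared across runs or hosts without root on the firewall.

# Constructed sample: the state-table figures posted in the thread.
PF_INFO='Status: Enabled for 14 days 18:54:07          Debug: Urgent

Hostid: 0x********

State Table                          Total             Rate
  current entries                     7008
  searches                      3599595861         2817.4/s
  inserts                         83619775           65.4/s
  removals                        83612767           65.4/s'

# Constructed sample: `pfctl -s memory`, assuming the default 10000-state
# hard limit (assumption; use the real output from the firewall).
PF_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit      500'

# pf_uptime_seconds INFO: seconds pf has been enabled, from the Status line.
pf_uptime_seconds() {
    printf '%s\n' "$1" | awk '
        $1 == "Status:" {
            for (i = 1; i <= NF; i++) if ($i == "days") { d = $(i - 1); t = $(i + 1) }
            split(t, h, ":")
            print d * 86400 + h[1] * 3600 + h[2] * 60 + h[3]
        }'
}

# pf_counter NAME INFO: the Total column of a one-word state-table row.
pf_counter() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k && $2 ~ /^[0-9]+$/ { print $2 }'
}

# pf_current_entries INFO: live states right now.
pf_current_entries() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# pf_state_limit MEMORY: configured hard limit on states.
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4 }'
}

# pf_state_pct INFO MEMORY: integer percentage of the state limit in use.
pf_state_pct() {
    cur=$(pf_current_entries "$1"); lim=$(pf_state_limit "$2")
    echo $(( cur * 100 / lim ))
}

# pf_avg_rate NAME INFO: Total / uptime, which is exactly what pfctl prints in
# the Rate column: an average over the whole uptime, not a current rate.
pf_avg_rate() {
    total=$(pf_counter "$1" "$2"); up=$(pf_uptime_seconds "$2")
    awk -v t="$total" -v u="$up" 'BEGIN { printf "%.1f\n", t / u }'
}

# pf_searches_per_insert INFO: lookups per new state, a rough cost of each
# connection against the ruleset plus table; large values hint at long-lived
# flows or lookup-heavy traffic rather than connection setup load.
pf_searches_per_insert() {
    s=$(pf_counter searches "$1"); i=$(pf_counter inserts "$1")
    awk -v s="$s" -v i="$i" 'BEGIN { if (i > 0) printf "%d\n", s / i }'
}

# pf_state_growth INFO: inserts minus removals per second over the uptime.
# Sustained positive growth means the table is filling toward the limit.
pf_state_growth() {
    i=$(pf_avg_rate inserts "$1"); r=$(pf_avg_rate removals "$1")
    awk -v i="$i" -v r="$r" 'BEGIN { printf "%.1f\n", i - r }'
}

# pf_verdict INFO MEMORY: "near-limit" above 90% of the state limit, else "ok".
pf_verdict() {
    [ "$(pf_state_pct "$1" "$2")" -ge 90 ] && echo near-limit || echo ok
}

pf_report() {
    echo "uptime:               $(pf_uptime_seconds "$1") s (Rate column averages over this)"
    echo "states in use:        $(pf_current_entries "$1") / $(pf_state_limit "$2") ($(pf_state_pct "$1" "$2")%)"
    echo "avg searches/s:       $(pf_avg_rate searches "$1")"
    echo "searches per insert:  $(pf_searches_per_insert "$1")"
    echo "net state growth/s:   $(pf_state_growth "$1")"
    echo "verdict:              $(pf_verdict "$1" "$2")"
}

pf_report "$PF_INFO" "$PF_MEMORY"
```

Run it as-is to see the posted figures summarized; on a real box, feed it `pfctl -s info -v` and `pfctl -s memory` output captured with `pfctl -s info -v > info.txt` instead of the embedded samples. Because the Rate column is total/uptime, a box that only struggles at peak will look idle here; `pfctl -s info` taken twice a minute apart and differenced, or `systat` in a terminal, is what shows the instantaneous rate.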