Hi all,

The picture is:

Internet -------| FW (bridge mode) --------- My net

I use an OpenBSD box with 4.2-stable in bridge mode with PF enabled as a FW. Very happy with the performance and capabilities of PF. But when I try ssh connections from outside to my net boxes, they're very, very slow. They work, but they work so slowly. On the other hand, when I disable PF on the FW box, the ssh connection has the 'normal' speed.

I've tried the verbose flags on the ssh connection, but the output is exactly the same whether or not I use PF on the FW.

My pf.conf is simple:

# 1. MACROS
ext_if="em1"
int_if="em0"
# both bridge member interfaces; referenced as $bridge0 in the rules below
bridge0="{" $ext_if $int_if "}"
admin_if="em2"
pfsync_if="em3"
oficines="xxx.xxx.xxx.xxx"
nagios="xxx.xxx.xxx.xxx"

# 2. TABLES
# services tables
table <http_servers> persist file "/etc/pf_files/http_servers.pf"
table <smtp_servers> persist file "/etc/pf_files/smtp_servers.pf"
table <remote_mail_servers> persist file "/etc/pf_files/remote_mail_servers.pf"
table <mysql_servers> persist file "/etc/pf_files/mysql_servers.pf"
table <postgresql_servers> persist file "/etc/pf_files/postgresql_servers.pf"
table <ssh_servers> persist file "/etc/pf_files/ssh_servers.pf"
table <snmp_servers> persist file "/etc/pf_files/snmp_servers.pf"
table <dns_servers> persist file "/etc/pf_files/dns_servers.pf"
table <ftp_servers> persist file "/etc/pf_files/ftp_servers.pf"

# brutes tables
table <ssh_brutes> persist
table <mysql_brutes> persist
table <http_brutes> persist
table <dns_brutes> persist

# 3. OPTIONS
set skip on lo
set skip on em2
set skip on em3
set fingerprints "/etc/pf.os"
set block-policy drop
set optimization aggressive

# 4. SCRUB
scrub in all

# 5. QUEUEING
# Not used.
# 6. TRANSLATION
# Not used.

# 7. FILTER RULES
# several generic rules
antispoof quick for lo
block in all
pass out quick all
pass inet proto icmp from any to any

# allow always the admin connection from headquarters
pass in quick on $bridge0 inet proto { tcp, udp } from $oficines to any

# blocking quickly the brutes
block quick from <ssh_brutes>
block quick from <mysql_brutes>
block quick from <http_brutes>
block quick from <dns_brutes>

# httpd
pass in on $bridge0 inet proto tcp from any to <http_servers> port { 80, 443 } keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
        overload <http_brutes> flush global)

# smtpd
pass in on $bridge0 inet proto tcp from any to <smtp_servers> port { 25, 578 }

# pop3(s) and imap4(s)
pass in on $bridge0 inet proto tcp from any to <remote_mail_servers> port { 110, 143, 993, 995 }

# MySQL
pass in on $bridge0 inet proto tcp from any to <mysql_servers> port 3306 keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
        overload <mysql_brutes> flush global)

# PostgreSQL
pass in on $bridge0 inet proto tcp from any to <postgresql_servers> port 5432

# SSH
pass inet proto tcp from any to <ssh_servers> port 22 keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
        overload <ssh_brutes> flush global)

# SNMP
pass in on $bridge0 inet proto udp from "{" $oficines $nagios "}" to <snmp_servers> port 161><163

# DNS
pass in on $bridge0 inet proto { tcp, udp } from any to <dns_servers> port 53

# FTP
# cmd: ftpsesame -i $bridge0
#passive
anchor "ftpsesame/*" in on $bridge0 proto tcp from any to $bridge0
anchor "ftpsesame/*" out on $bridge0 proto tcp from any to $bridge0
# active
anchor "ftpsesame/*" in on $bridge0 proto tcp from $bridge0 to any
anchor "ftpsesame/*" out on $bridge0 proto tcp from $bridge0 to any
pass in on $bridge0 inet proto tcp from any to $bridge0 port { 20, 21 }

I think the SSH rule is completely fine... so why the low speed?

--
Thanks,
Jordi Espasa Clofent
