psync for sshguard table sync on several hosts

2016-10-11 Thread Zeus Panchenko

hi,

please advise

I think of pfsync-ing sshguard table content among several hosts to get
one big table on each host, since IP blocked on one host I want to be
blocked on all others automatically (all hosts are terminated in one
VPN) ...

am I correct to consider psync as right way to get that?

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


Re: Slow NAT on 10.3-RELEASE

2016-10-11 Thread Kristof Provost

On 11 Oct 2016, at 10:34, Kamil Choudhury wrote:
> I've seen some mention of checksum issues on NAT limiting performance, but that
> seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual
> problem, or have I misconfigured something?

It’s worth trying the workaround (i.e. disable all checksum offloading on your
interfaces).

I’ve had at least one bug report indicating that the checksum patch is not 100%
correct, but I’ve not had the time to investigate that in-depth.

What virtualisation system are you using?

Regards,
Kristof
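As an added illustration of the workaround Kristof suggests (this is not code from the thread or from the FreeBSD project): a POSIX sh script that reads FreeBSD `ifconfig` output, reports which interfaces still advertise checksum, TSO or LRO offload, and prints the ifconfig(8) commands that would clear those capabilities. The interface listing is a constructed sample; the flag-to-option mapping follows the capability names documented in ifconfig(8).

```shell
#!/bin/sh
# Constructed sample of FreeBSD `ifconfig` output (not taken from the original post).
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 192.168.53.2 netmask 0xffffff00 broadcast 192.168.53.255'

# Read ifconfig output on stdin and print "iface FLAG FLAG ..." for every
# interface whose options=<...> line still carries an offload capability.
offload_report() {
    awk '
        /^[a-z]/ { iface = $1; sub(/:$/, "", iface) }
        /options=/ {
            s = $0; sub(/.*</, "", s); sub(/>.*/, "", s)
            n = split(s, f, ","); out = ""
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO|VLAN_HWCSUM)$/)
                    out = out " " f[i]
            if (out != "") print iface out
        }'
}

# Translate each reported capability into the ifconfig(8) option that clears it
# and emit one command line per interface; nothing is executed here.
disable_cmds() {
    offload_report | awk '
        BEGIN {
            k["RXCSUM"] = "-rxcsum";       k["TXCSUM"] = "-txcsum"
            k["RXCSUM_IPV6"] = "-rxcsum6"; k["TXCSUM_IPV6"] = "-txcsum6"
            k["TSO4"] = "-tso4";           k["TSO6"] = "-tso6"
            k["LRO"] = "-lro";             k["VLAN_HWCSUM"] = "-vlanhwcsum"
        }
        { cmd = "ifconfig " $1
          for (i = 2; i <= NF; i++) cmd = cmd " " k[$i]
          print cmd }'
}

# Stand-alone demo on the constructed sample; on a real host pipe the output
# of `ifconfig` into disable_cmds and review the commands before running them.
printf '%s\n' "$SAMPLE_IFCONFIG" | disable_cmds
```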

Slow NAT on 10.3-RELEASE

2016-10-11 Thread Kamil Choudhury
Hey freebsd-pf: 

I'm on FreeBSD 10.3-RELEASE, and attempting to route all traffic from jail1 to the
internet out of router.vtnet0 using PF. It *works*, but not well: boundary's
NAT tops out at a blistering 20KBps on a 100Mbps internet connection.

Here's the topology I'm working with: 

client1.tap0  <--1--> tap1.intermediate1.tap0  <--2--> tap0.boundary.vtnet0 -> 
internet
   .vtnet0-->internet   .vtnet0--> internet
   .vlan0
  |
  +--> jail1 (10.0.0.33)

There are layers of PF firewalls; stripped of all nonsense here are their 
pf.confs:

[client1]
if_ext = "vtnet0"
set skip on lo0
scrub in
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all
pass in quick on tap0 reply-to (tap0 192.168.53.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap0 192.168.53.1) from 10.0.0.0/24 to any keep state (floating)

[intermediate]
if_ext = "vtnet0"
set skip on lo0
scrub in
pass in all
pass out all
pass in quick on tap1 reply-to (tap1 192.168.2.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap1 192.168.2.1) from 10.0.0.0/24 to any keep state (floating)

[boundary]
if_ext = "vtnet0"
set skip on lo0
scrub in
rdr on $if_ext proto tcp from any to $if_ext port 25 -> 10.0.0.33
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all

Diagnostics: 

iperf from jail1 to boundary.tap0 is about 50-60Mbps, so I am ruling out 
configuration issues on Links 1 and 2. 

All hosts can ping everyone, and ping packets to the internet from jail1 go 
out the door to the internet from boundary1. It looks, therefore, like routing
is set up correctly as well on all the hosts. 

All of these hosts are virtualized on Vultr (haven't tried on DO or EC2). 

Links 1 and 2 are OpenVPN connections, FWIW.

I've seen some mention of checksum issues on NAT limiting performance, but that
seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual
problem, or have I misconfigured something?

Thanks in advance, 
Kamil