Re: pf synproxy slowdown

2012-11-08 Thread Gleb Smirnoff
On Fri, Nov 09, 2012 at 05:40:16AM +, Anders N. wrote:
A> Hi. I've got a server running pf that has been displaying some odd (at least to me) behavior.
A> 
A> I use the "synproxy state"[1] option quite a few times in my config without any ill effects that I've noticed until now. I realized it was on every open port except for ssh, so I added it to my ssh line:
A> 
A> pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state
A> 
A> After doing so, scp/sftp/rsync have all slowed down to a crawl! I get ~1/4th the speed I usually do from the server with it enabled there. Remove it, speed goes back to normal. I'm using synproxy state with some other services that send large amounts of data very quickly (http, torrents, etc) and none of them exhibit this slowdown, so I'm wondering why scp is so slow with it. Here's the rest of my pf.conf, if it matters:

This is because the synproxy module doesn't know which TCP extensions the
backend TCP stack supports, thus announces none to the remote peer.

A connection created via a synproxy rule will support neither window scaling,
nor SACK, nor timestamps. Obviously, this results in bad performance.


-- 
Totus tuus, Glebius.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
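To make the explanation above concrete, here is an added example (my own code, not part of this thread or of pf): it computes the window/RTT throughput ceiling a connection is stuck with when the SYN proxy announces no window-scaling option, and it lists which "pass" rules in a pf.conf carry "synproxy state" so you can see which services would be affected. It assumes the largest unscaled TCP window is 65535 bytes and ignores everything except window size and round-trip time; the sample pf.conf is constructed for the example.

```python
"""Added example, not from the thread: why a synproxy connection that
negotiates no TCP options is slow, and which pf rules would impose that."""
import re

# Assumption: without the window-scale option the 16-bit TCP window
# field caps the receive window at 65535 bytes.
MAX_UNSCALED_WINDOW = 65535

# pf keywords that can follow "port"; if one of these is the next token,
# the rule has no port value (e.g. a line damaged in transit).
PF_KEYWORDS = {"flags", "keep", "modulate", "synproxy", "state", "user", "group"}

# Constructed sample; the last rule mimics a line with the port elided.
SAMPLE_PF_CONF = """\
ext_if = "bge0"
pass out on $ext_if from any to any
pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port 443 flags S/SA keep state
pass in on $ext_if proto tcp from any to $IP port  flags S/SA synproxy state
"""


def window_limited_bps(window_bytes, rtt_seconds):
    """Upper bound on one TCP connection's throughput in bit/s: window / RTT."""
    if rtt_seconds <= 0:
        raise ValueError("RTT must be positive")
    return window_bytes * 8 / rtt_seconds


def synproxy_ports(pf_conf):
    """Destination ports of 'pass' rules that use 'synproxy state'.

    Returns one entry per matching rule; None when the rule names no port.
    """
    ports = []
    for raw in pf_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("pass") or "synproxy state" not in line:
            continue
        m = re.search(r"\bport\s+(\S+)", line)
        token = m.group(1) if m else None
        ports.append(None if token in PF_KEYWORDS else token)
    return ports


def ceiling_report(pf_conf, rtt_seconds, scale_shift=7):
    """For each synproxy rule, the unscaled ceiling versus a scaled window.

    scale_shift is the window-scale shift count the peers would otherwise
    negotiate (7 means a 128x larger window); it is an illustrative value.
    """
    unscaled = window_limited_bps(MAX_UNSCALED_WINDOW, rtt_seconds)
    scaled = window_limited_bps(MAX_UNSCALED_WINDOW << scale_shift, rtt_seconds)
    return [(port, unscaled, scaled) for port in synproxy_ports(pf_conf)]


if __name__ == "__main__":
    for port, unscaled, scaled in ceiling_report(SAMPLE_PF_CONF, 0.05):
        print(f"port {port!s:>5}: unscaled ceiling {unscaled/1e6:8.1f} Mbit/s, "
              f"with window scaling {scaled/1e6:8.1f} Mbit/s")
```

At a 50 ms RTT the 65535-byte window alone caps a single connection near 10 Mbit/s regardless of link speed, while an interactive service that moves little data per round trip barely notices; this is why bulk transfers such as scp and rsync are the ones that collapse when they land on a synproxy rule.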


pf synproxy slowdown

2012-11-08 Thread Anders N.
Hi. I've got a server running pf that has been displaying some odd (at least to 
me) behavior.

I use the "synproxy state"[1] option quite a few times in my config without any 
ill effects that I've noticed until now. I realized it was on every open port 
except for ssh, so I added it to my ssh line:

pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state

After doing so, scp/sftp/rsync have all slowed down to a crawl! I get ~1/4th 
the speed I usually do from the server with it enabled there. Remove it, speed 
goes back to normal. I'm using synproxy state with some other services 
that send large amounts of data very quickly (http, torrents, etc) and none of 
them exhibit this slowdown, so I'm wondering why scp is so slow with it. Here's 
the rest of my pf.conf, if it matters:


ext_if = "bge0"
set block-policy drop
scrub in all
block in all
block in quick on $ext_if from any to 255.255.255.255
pass out on $ext_if from any to any
pass out keep state
set skip on lo0
block in quick from urpf-failed
antispoof quick for $ext_if
block in from no-route to any
block drop in log (all) quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 } to any
block drop out log (all) quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 }
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port  flags S/SA synproxy state

I'm not on the list, so please CC me if it's not too much trouble.

[1] http://www.openbsd.org/faq/pf/filter.html