Re: Internet slowdown when pf is enabled? Running on i386 -current
thanks a lot. I've created a new ruleset for my pf.conf, and it improves so much. :)

On Thu, 27 Sep 2007 06:04:49 +0100, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/09/27 11:51, Reza Muhammad wrote:
>> > On Wed, 26 Sep 2007 11:37:28 -0700, "Can E. Acar" <[EMAIL PROTECTED]>
>> > wrote:
>> >> Reza Muhammad wrote:
>> ...
>> > also
>> >
>> > There is a lot of external broadcast traffic; they are probably the cause of
>> > the large number of state insertions/deletions. They are either a badly designed
>> > p2p/broadcast/whatever protocol, or the result of the worm/malware of
>> > the month.
>> >
>> > Can you add
>> >
>> > block drop in quick on sis0 all
>> >
>> > at the start of your ruleset? This way the external traffic does not
>> > create states at all.
>> >
>> > Can
>> >
>> >
>>
>> Actually I've been noticing that my ISP has been broadcasting a lot of
>> things since I've been using them.
>> For example, I would get this type of message in /var/log/message all the
>> time:
>> Sep 27 10:10:25 blowfish /bsd: arp: attempt to overwrite entry for
>> 192.168.1.1 on lo0 by 00:02:6f:3e:14:59 on sis0
>>
>> Anyway, about the ruleset, since I'm also running a web server, and mail
>> server on this box, I shouldn't use block quick right?
>
> Ok, in that case,
>
> block in on sis0
> pass in on sis0 to port {http, smtp}
>
> etc.
Re: Internet slowdown when pf is enabled? Running on i386 -current
On 2007/09/27 11:51, Reza Muhammad wrote:
> > On Wed, 26 Sep 2007 11:37:28 -0700, "Can E. Acar" <[EMAIL PROTECTED]>
> > wrote:
> >> Reza Muhammad wrote:
> ...
> > also
> >
> > There is a lot of external broadcast traffic; they are probably the cause of
> > the large number of state insertions/deletions. They are either a badly designed
> > p2p/broadcast/whatever protocol, or the result of the worm/malware of
> > the month.
> >
> > Can you add
> >
> > block drop in quick on sis0 all
> >
> > at the start of your ruleset? This way the external traffic does not
> > create states at all.
> >
> > Can
> >
> >
> Actually I've been noticing that my ISP has been broadcasting a lot of
> things since I've been using them.
> For example, I would get this type of message in /var/log/message all the
> time:
> Sep 27 10:10:25 blowfish /bsd: arp: attempt to overwrite entry for
> 192.168.1.1 on lo0 by 00:02:6f:3e:14:59 on sis0
>
> Anyway, about the ruleset, since I'm also running a web server, and mail
> server on this box, I shouldn't use block quick right?

Ok, in that case,

block in on sis0
pass in on sis0 to port {http, smtp}

etc.
Re: Internet slowdown when pf is enabled? Running on i386 -current
> On Wed, 26 Sep 2007 11:37:28 -0700, "Can E. Acar" <[EMAIL PROTECTED]>
> wrote:
>> Reza Muhammad wrote:
...
> also
>
> There is a lot of external broadcast traffic; they are probably the cause of
> the large number of state insertions/deletions. They are either a badly designed
> p2p/broadcast/whatever protocol, or the result of the worm/malware of
> the month.
>
> Can you add
>
> block drop in quick on sis0 all
>
> at the start of your ruleset? This way the external traffic does not
> create states at all.
>
> Can
>

Actually I've been noticing that my ISP has been broadcasting a lot of things since I've been using them. For example, I would get this type of message in /var/log/message all the time:

Sep 27 10:10:25 blowfish /bsd: arp: attempt to overwrite entry for 192.168.1.1 on lo0 by 00:02:6f:3e:14:59 on sis0

Anyway, about the ruleset, since I'm also running a web server, and mail server on this box, I shouldn't use block quick right? Rather block in quick on sis0 all, then open up the ports that I need to use? Or am I missing the point?

Thanks.
Re: Internet slowdown when pf is enabled? Running on i386 -current
On 2007/09/27 10:16, Reza Muhammad wrote:
> Here's the log:

Can's suggestion to block the incoming packets on sis0 is good. The problem is that you receive a lot of junk traffic from your ISP's network.

Since OpenBSD 4.1, PF uses 'keep state' by default (this avoids some problems with common rulesets and TCP window scaling) and this is causing a lot of unnecessary states to be created. So I guess before you upgraded, you used a version from before 4.1.

> and there's still more. I noticed that the traffic coming in
> from 192.168.*.* isn't from my local network.

It looks like your ISP has many subnets running over the same physical network.
Re: Internet slowdown when pf is enabled? Running on i386 -current
Here's the log:

10:12:28.738263 UPD ST: all 6 122.200.52.134:22 <- 125.160.128.35:60387 ESTABLISHED:ESTABLISHED [1381080430 + 65535] wscale 0 [3262031687 + 17040] wscale 0 age 3812101632:33:20, expires in 00:00:00, 482:293 pkts, 38584:35992 bytes id: 46facdc5804b creatorid: 2a435432 updates: 3
10:12:28.902894 INS ST: all 17 255.255.255.255:5678 <- 122.200.54.146:5678 NO_TRAFFIC:SINGLE age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13 id: 46facdc581a9 creatorid: 257e0ae9
10:12:29.458559 UPD ST: all 17 255.255.255.255:3259 <- 122.200.50.65:1129 NO_TRAFFIC:SINGLE age 3571779072:45:52, expires in 00:00:00, 5:0 pkts, 270:0 bytes, rule 13 id: 46facdc580f5 creatorid: 257e0ae9 updates: 0
10:12:29.648865 INS ST: all 17 255.255.255.255:5678 <- 192.168.140.248:5678 NO_TRAFFIC:SINGLE age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13 id: 46facdc581aa creatorid: 257e0ae9
    all 17 255.255.255.255:5678 <- 192.168.125.120:5678 NO_TRAFFIC:SINGLE age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13 id: 46facdc581ab creatorid: 257e0ae9
10:12:30.173882 UPD ST: all 17 239.255.255.250:1900 <- 192.168.0.1:1900 NO_TRAFFIC:SINGLE age 494275328:34:56, expires in 00:00:00, 7181:0 pkts, 2279289:0 bytes id: 46facdc537f4 creatorid: 2a435432 updates: 12
10:12:30.173947 DEL ST: all 6 122.200.52.134:80 <- 125.160.128.35:49548 FIN_WAIT_2:FIN_WAIT_2 [2274342568 + 65535] wscale 0 [2570619505 + 17040] wscale 0 age 1024067328:26:24, expires in 00:00:00, 6:5 pkts, 1653:645 bytes, rule 15 id: 46facdc580f6 creatorid: 257e0ae9
    all 17 255.255.255.255:5678 <- 192.168.157.58:5678 NO_TRAFFIC:SINGLE age 1024067328:26:24, expires in 00:00:00, 2:0 pkts, 230:0 bytes, rule 13 id: 46facdc580f8 creatorid: 257e0ae9
    all 17 255.255.255.255:5678 <- 192.168.93.10:5678 NO_TRAFFIC:SINGLE age 167249408:06:08, expires in 00:00:00, 2:0 pkts, 224:0 bytes, rule 13 id: 46facdc580f9 creatorid: 257e0ae9
    all 17 255.255.255.255:5678 <- 192.168.157.52:5678 NO_TRAFFIC:SINGLE age 167249408:06:08, expires in 00:00:00, 2:0 pkts, 210:0 bytes, rule 13 id: 46facdc580fa creatorid: 257e0ae9
10:12:30.173983 DEL ST: all 17 122.200.51.255:138 <- 122.200.51.219:138 NO_TRAFFIC:SINGLE age 60622336:24:48, expires in 00:00:00, 2:0 pkts, 471:0 bytes, rule 13 id: 46facdc580fe creatorid: 257e0ae9
    all 17 255.255.255.255:5678 <- 192.168.157.74:5678 NO_TRAFFIC:SINGLE age 60622336:24:48, expires in 00:00:00, 2:0 pkts, 230:0 bytes, rule 13 id: 46facdc580ff creatorid: 257e0ae9

and there's still more. I noticed that the traffic coming in from 192.168.*.* isn't from my local network.

On Wed, 26 Sep 2007 17:19:05 +0100, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/09/26 22:32, Reza Muhammad wrote:
>> Would a tcpdump log be any helpful at this point?
>
> maybe; try "ifconfig pfsync0 create" and "tcpdump -nipfsync0 -vvs1000"
>
>> >> inserts 280924 1221.4/s
>> >> removals 280226 1218.4/s
>
> expect it to scroll pretty damn fast...
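As an added example (not part of the thread), a small Python parser for pfsync state records in the format shown above: it counts which destinations, rules and source /24s are driving state insertions, and how many of those insertions are broadcast or multicast traffic arriving from outside the home LAN. The sample input is excerpted from the log above; the 192.168.1.0/24 local network is taken from the original post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Sample input: records excerpted from the thread's pfsync log ("tcpdump
# -nipfsync0 -vvs1000"); an indented line is a further state in the same message.
SAMPLE = """\
10:12:28.902894 INS ST: all 17 255.255.255.255:5678 <- 122.200.54.146:5678 NO_TRAFFIC:SINGLE age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13 id: 46facdc581a9 creatorid: 257e0ae9
10:12:29.648865 INS ST: all 17 255.255.255.255:5678 <- 192.168.140.248:5678 NO_TRAFFIC:SINGLE age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13 id: 46facdc581aa creatorid: 257e0ae9
    all 17 255.255.255.255:5678 <- 192.168.125.120:5678 NO_TRAFFIC:SINGLE age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13 id: 46facdc581ab creatorid: 257e0ae9
10:12:30.173947 DEL ST: all 6 122.200.52.134:80 <- 125.160.128.35:49548 FIN_WAIT_2:FIN_WAIT_2 [2274342568 + 65535] wscale 0 [2570619505 + 17040] wscale 0 age 1024067328:26:24, expires in 00:00:00, 6:5 pkts, 1653:645 bytes, rule 15 id: 46facdc580f6 creatorid: 257e0ae9
    all 17 255.255.255.255:5678 <- 192.168.157.58:5678 NO_TRAFFIC:SINGLE age 1024067328:26:24, expires in 00:00:00, 2:0 pkts, 230:0 bytes, rule 13 id: 46facdc580f8 creatorid: 257e0ae9
"""

LOCAL_LAN = ip_network("192.168.1.0/24")  # the poster's home network
MSG = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (INS|UPD|DEL) ST: (.*)$")
# One state record; a pfsync message may carry several, so finditer() is used.
REC = re.compile(r"\S+ (?P<proto>\d+) (?P<lhs>[\d.]+):(?P<lport>\d+) (?P<dir><->|<-|->) "
                 r"(?P<rhs>[\d.]+):(?P<rport>\d+) \S+(?P<rest>.*?)creatorid: [0-9a-f]+")

def parse_pfsync(text):
    """Return (action, proto, dst, dst_port, src, rule) for every state record."""
    out, act = [], None
    for line in text.splitlines():
        m = MSG.match(line)
        if not m and not (act and line[:1].isspace()):
            continue                      # neither a message header nor a continuation
        act, body = (m.group(2), m.group(3)) if m else (act, line)
        for r in REC.finditer(body):
            # pf prints inbound states as "dst <- src" and outbound as "src -> dst".
            if r.group("dir") == "->":
                src, dst, dport = r.group("lhs"), r.group("rhs"), int(r.group("rport"))
            else:
                src, dst, dport = r.group("rhs"), r.group("lhs"), int(r.group("lport"))
            rule = re.search(r"rule (\d+)", r.group("rest"))   # not every record has one
            out.append((act, int(r.group("proto")), dst, dport, src, rule and int(rule.group(1))))
    return out

def churn_report(records):
    """Count state insertions per (proto, dst:port, rule) and per source /24; the third
    value counts insertions for broadcast/multicast sent from outside the local LAN."""
    by_target, by_src_net, junk = Counter(), Counter(), 0
    for act, proto, dst, dport, src, rule in records:
        if act != "INS":
            continue
        by_target[(proto, f"{dst}:{dport}", rule)] += 1
        by_src_net[str(ip_network(f"{src}/24", strict=False))] += 1
        noisy = ip_address(dst).is_multicast or dst == "255.255.255.255"
        junk += noisy and ip_address(src) not in LOCAL_LAN
    return by_target, by_src_net, junk
```

On the sample, every insertion is UDP to 255.255.255.255:5678 through rule 13 from a non-local source, which is exactly the traffic the `block in on sis0` rule stops from creating states.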
Re: Internet slowdown when pf is enabled? Running on i386 -current
Reza Muhammad wrote:
>
> Hi guys,
>
> I'm having a problem with my Internet connection in my home network. I noticed that
> my Internet connection has been very slow since I upgraded to -current a week ago.
> First, I thought it was just my ISP problem. Then, I tried to connect to the
> Internet directly from my laptop, it worked fine.

Did it happen before the upgrade? What were you running before?

> I noticed that the Internet is slowing down when pf is enabled. I changed my pf.conf
> to only do nat, and scrub incoming packets, but it is still slow. Here's the output
> of 'ping' to the Internet.

[snip]

> noticed that the connection is more than 4 times slower?
>
> # here's my pf settings
> [EMAIL PROTECTED]:~% sudo pfctl -sa
> TRANSLATION RULES:
> nat on sis0 inet from 192.168.1.0/24 to any -> (sis0:0)
>
> FILTER RULES:
> scrub in all fragment reassemble
> pass in all flags S/SA keep state
> pass out all flags S/SA keep state
> No queue in use

[snip]

> my home network is on 192.168.1.0/24, but I see a lot of connections with state
> NO_TRAFFIC:SINGLE that are from other networks (I'm assuming they are coming from my
> ISP's network). Can someone help me out here? Would hardware be the problem? I just
> thought that if the network card was broken, it should just not work right? Rather
> than the connection being slower? Anyway, let me just post my dmesg also

There is a lot of external broadcast traffic; they are probably the cause of the large number of state insertions/deletions. They are either a badly designed p2p/broadcast/whatever protocol, or the result of the worm/malware of the month.

Can you add

block drop in quick on sis0 all

at the start of your ruleset? This way the external traffic does not create states at all.

Can
--
In theory, there is no difference between theory and practice. But, in practice, there is.
Re: Internet slowdown when pf is enabled? Running on i386 -current
On 2007/09/26 22:32, Reza Muhammad wrote:
> Would a tcpdump log be any helpful at this point?

maybe; try "ifconfig pfsync0 create" and "tcpdump -nipfsync0 -vvs1000"

> >> inserts 280924 1221.4/s
> >> removals 280226 1218.4/s

expect it to scroll pretty damn fast...
Re: Internet slowdown when pf is enabled? Running on i386 -current
I know it's weird, that's why I posted this in the first place :P

Anyway, the OpenBSD gateway is running a web server (apache+php) and a mail server (postfix+dovecot). The thing is, it doesn't seem there are a lot of connections from those daemons. And like I said before, if I tried to connect to the Internet directly from my laptop, the connection is fine.

Would a tcpdump log be any helpful at this point?

Thanks for replying though.

On Wed, 26 Sep 2007 15:55:21 +0200, knitti <[EMAIL PROTECTED]> wrote:
> On 9/22/07, Reza Muhammad <[EMAIL PROTECTED]> wrote:
>> I'm having a problem with my Internet connection in my home network. I
>> noticed that my Internet connection has been very slow since I upgraded to
>> -current a week ago. First, I thought it was just my ISP problem. Then, I
>> tried to connect to the Internet directly from my laptop, it worked fine.
>>
>> I noticed that the Internet is slowing down when pf is enabled. I
>> changed my pf.conf to only do nat, and scrub incoming packets, but it is
>> still slow.
>> State Table Total Rate
>> current entries 698
>> searches 448763619511.5/s
>> inserts 280924 1221.4/s
>> removals 280226 1218.4/s
>
> I don't know what kind of traffic you have on your box, but these
> numbers look strange.
> I see on various firewalls between 0.1 and 5% of that with some simple
> rulesets and NAT. These are DSL links, both asymmetric and symmetric.
>
> If you are really only doing NAT, something is strange.
>
> greetings,
> knitti