Lucky for you we have 4.8

On Jun 25, 2014 11:05 PM, "Predrag Punosevac" <[email protected]> wrote:
> Zachary Crownover <[email protected]> wrote:
>
> > Are you able to post your pf.conf? It could be the way you have it
> > configured, because I'm using it in numerous systems and don't see any
> > degradation in network performance.
> >
>
> Here it is. I had a very hard time recalling pre 4.5 syntax :)
>
> ext_if="em0"
>
> NoRouteIPs="{127.0.0.0/8, 240.0.0.0/4, 0.0.0.0/8, 169.254.0.0/16}"
> table <bruteforce> persist
> table <sshguard> persist
>
> tcp_services = "{ssh, http, https, submission, 8080}"
> udp_services = "{domain, ntp}"
>
>
> set limit states 100000
> set block-policy return
> set optimization normal
> set loginterface egress
> set skip on lo
>
> scrub in all
>
> # filter rules
> block all
> block quick from <bruteforce>
> block in quick on egress proto tcp from <sshguard> \
>     to any port ssh label "ssh bruteforce"
>
> antispoof quick for { lo }
>
> block drop in quick from urpf-failed to any
> block in on ! lo0 proto tcp to port 6000:6010
>
> pass out on $ext_if inet proto tcp from any to any port $tcp_services keep state
> pass out on $ext_if inet proto udp from any to any port $udp_services
> pass log on $ext_if inet proto tcp from any to any port ssh \
>     flags S/SA keep state \
>     (max-src-conn 100, max-src-conn-rate 15/5, \
>     overload <bruteforce> flush global)
>
> >
> > On Wed, Jun 25, 2014 at 10:21 PM, Predrag Punosevac <[email protected]>
> > wrote:
> >
> > > I am running
> > >
> > > backup1# uname -a
> > > DragonFly backup1.int.autonlab.org 3.8-RELEASE DragonFly v3.8.1-RELEASE
> > > #16: Mon Jun 16 21:36:15 PDT 2014
> > > [email protected]:
> > > /usr/obj/build/home/justin/src/sys/X86_64_GENERIC
> > > x86_64
> > >
> > >
> > > After enabling PF, the network really slows down to the point that the
> > > server is unusable. ssh login hangs for about a minute. It looks very
> > > similar to this thread
> > >
> > > http://serverfault.com/questions/514046/pf-slows-traffic-extremely-down
> > >
> > > and as a matter of fact I am using the em driver.
> > >
> > > Has anybody else noticed this?
> > >
> > > Predrag
> > >
> >
> >
> > --
> > Sincerely,
> >
> > Zachary Crownover
> > mobile (310) 487-5573
>
