From owner-freebsd-pf@FreeBSD.ORG Fri Jul 6 20:40:20 2007
From: "Greg Hennessy"
To: "'Pat Maddox'"
Cc: freebsd-pf@freebsd.org
Subject: RE: Losing connections/performance with PF turned on
Date: Fri, 6 Jul 2007 21:40:17 +0100
Message-ID: <000d01c7c00d$dcb6e4f0$9624aed0$@Hennessy@nviz.net>
In-Reply-To: <810a540e0707051255w269b7362g576bce5695ba76ab@mail.gmail.com>
References: <810a540e0707050222s55a62641je0138e931832e86@mail.gmail.com> <-7932512891363606358@unknownmsgid> <810a540e0707051255w269b7362g576bce5695ba76ab@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> > > We're doing some stress testing on our server,
> >
> > CPU ? Memory ?
>
> Xeon 3060 (dual core @ 2.4 GHz)
> 2 gigs of ram

That's got more than enough grunt, intel gig-e nics, a good recipe for PF success.

> I'm not very familiar with pf at this point.

It won't take you long, it's very intuitive and more importantly easy to work on after spending time away from a policy.

> Here's a snippet of the log:
>
> pat@~: sudo tcpdump -n -e -ttt -r /var/log/pflog | grep CLIENT
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 281. 491774 rule 2/0(match): block in on em0: CLIENT.56441 > SERVER.80: . ack 3842266997 win 5080 242815600>
> 000117 rule 2/0(match): block in on em0: CLIENT.56456 > SERVER.80: P 3759758688:3759758883(195) ack 769179073 win 1460 995763116 242815600>
> 000007 rule 2/0(match): block in on em0: CLIENT.56442 > SERVER.80: . ack 2278771587 win 5804
> 000005 rule 2/0(match): block in on em0: CLIENT.56442 > SERVER.80: F 0:0(0) ack 628 win 5804
> 000111 rule 2/0(match): block in on em0: CLIENT.56437 > SERVER.80: . ack 21684384 win 2184

Hmmm, rule number two, it's not the default block which is catching these. The default block would match as rule 0/0.

What's rule 2 as outputted by pfctl -vvsr ?

If I am reading your policy correctly, that's the bruteforce block. Which should only match against SSH not 80/tcp traffic.

I would also replace

# --- LOOPBACK
pass quick on lo0 all

with

set skip on lo0

> I reran the benchmarks and monitored the # of entries, we hit 10k
> pretty quickly. Kept upping it until we got to 35k which is where we
> stopped seeing any returns. We still dropped some connections (99.6%
> of requests came back successfully), and the throughput was 3.4 Mbps as
> opposed to the 9.8 Mbps we get with the firewall off.

Can you repeat the test with scrub commented out ?

I've seen scrub cause about a 10-15% hit on throughput, but that was ~800meg/sec versus > 900 meg/sec though multiple em using iperf on a single 2.4 ghz opteron running 6.0.

> I'll be doing a lot more testing over the next few days, so I'll have
> better info in a couple days...but if you can shed any light on this
> I'd really appreciate it.

Are the drop logs still matching the same entry after increasing the size of the state table ?

As Max has said previously, you could well be hitting a 2MSL issue with the benchmark hardware.

Greg

> Pat
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
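As an added illustration (not part of this thread or of pf itself), a small script that tallies the `tcpdump -n -e -ttt -r /var/log/pflog` output by rule number and destination port, so the question raised above, which rule is really matching and on which port, can be answered at a glance. The sample lines are constructed to the format quoted in the thread and use RFC 5737 documentation addresses; the rule-to-port expectation map is an assumption for the demo.

```python
# Tally pf log entries (as printed by "tcpdump -n -e -ttt -r /var/log/pflog")
# by rule number and destination port, to see which rule is really matching.
import re
from collections import Counter

# "rule N/S(match): block in on em0: src.port > dst.port: ..." (tcpdump pflog format)
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

def split_hostport(token):
    """'198.51.100.5.80' -> ('198.51.100.5', 80); a bare host gives (host, None)."""
    host, sep, port = token.rpartition(".")
    return (host, int(port)) if sep and port.isdigit() else (token, None)

def tally(lines):
    """Count entries keyed by (rule, action, direction, interface, dst port)."""
    counts = Counter()
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue  # tcpdump banner or a truncated line
        _, dport = split_hostport(m["dst"])
        counts[(int(m["rule"]), m["action"], m["dir"], m["iface"], dport)] += 1
    return counts

def unexpected_hits(counts, expected_ports):
    """Entries whose rule matched a dst port it was not written for.
    expected_ports maps rule number -> set of ports; unlisted rules are skipped."""
    return {key: n for key, n in counts.items()
            if key[0] in expected_ports and key[4] not in expected_ports[key[0]]}

# Constructed sample in the format quoted in the thread, RFC 5737 addresses.
SAMPLE = """reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
 000117 rule 2/0(match): block in on em0: 192.0.2.10.56456 > 198.51.100.5.80: P 3759758688:3759758883(195) ack 769179073 win 1460
 000007 rule 2/0(match): block in on em0: 192.0.2.10.56442 > 198.51.100.5.80: . ack 2278771587 win 5804
 000005 rule 2/0(match): block in on em0: 192.0.2.10.56442 > 198.51.100.5.80: F 0:0(0) ack 628 win 5804
 000009 rule 2/0(match): block in on em0: 192.0.2.77.40001 > 198.51.100.5.22: S 1:1(0) win 65535
 000003 rule 0/0(match): block in on em0: 192.0.2.88.1234 > 198.51.100.5.445: S 1:1(0) win 8192
""".splitlines()

if __name__ == "__main__":
    counts = tally(SAMPLE)
    for key, n in sorted(counts.items(), key=str):
        print(key, n)
    # Assumed: rule 2 is the SSH brute-force block, so any port other than 22 is suspect.
    print("unexpected:", unexpected_hits(counts, {2: {22}}))
```

Run it against the real file with `tcpdump -n -e -ttt -r /var/log/pflog | python3 script.py` after swapping SAMPLE for `sys.stdin`, then compare the rule numbers it reports with `pfctl -vvsr`.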