Date:      Tue, 20 Feb 2007 20:21:55 -0300
From:      José Pablo Fernández <pablo.fernandez@rs.com.ar>
To:        freebsd-questions@freebsd.org
Subject:   PF slowing down file copies
Message-ID:  <200702202021.55723.pablo.fernandez@rs.com.ar>

Hello,
I have a FreeBSD 6.2 acting as router between two LANs and the internet. I am
using PF on it for filtering and I am allowing all the traffic to pass by
between the two LANs:

pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state

My problem is that when I copy a file from one network to the other, the first
128KB seems to be copied instantaneously, the second 128KB take more than two
minutes and I've seen the third 128KB being copied very rarely. This is using
Secure CoPy.
If I copy the file to the router and from the router to the other computer, it
just works. And it seems people copying files with SMB (Windows' protocol)
have found the same problem.
Any ideas what might be going on?
Thanks.
-- 
José Pablo Fernández
pablo.fernandez@rs.com.ar

PS: My full firewall configuration:

# My interfaces.
lan0    = "re0"
lan1    = "re1"
wan     = "fxp0"
wan6to4 = "stf0"

# My me, me and I.
me = "{(" $lan0 ") (" $lan1 ") (" $wan ")}"

# Globally accessible services.
mi_tcp_services = "{domain ssh http jabber-client sjabber-client jabber-server 5901}"
mi_udp_services = "{domain ssh http jabber-client sjabber-client jabber-server}"

# LAN-only accessible services.
mi_internal_tcp_services = "{ejabberd-admin bacula-fd http-proxy}"
mi_internal_udp_services = "{}"

# The network.
lans = "{" $lan0 $lan1 "}"
lans_network = "{" $lan0:network $lan1:network "}"

# Hosts that are free to reach the outside world directly.
table <free4> { plab.bsas.rs.com.ar dejavu.bsas.rs.com.ar }
table <free6> {}

# Available for everybody
tcp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"
udp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"

# Making a return of a no-go is better than dropping a packet because it hides
# the fact that there's a firewall.
set block-policy return

# No filtering on lo0.
set skip on lo

# This will normalize and defragment all packets. Filtering will work better
# and strange packets will be dropped.
scrub in

# NAT.
nat on $wan from <free4> to any -> ($wan)

# Port forwarding. See below for the associated passing rules.
rdr on $wan proto tcp from any to any port 5901 -> dejavu.bsas.rs.com.ar port vnc # Andres' VNC. Pupeno, 2007-02-12 14:50:02.
# Temp port forwarding.
# None so far. Pupeno, 2007-02-12 14:50:25.

# Block everything in, later allowing some stuff.
#block in

# Block RFC1918 (private) from the external card, private addresses in the
# public internet can't be good.
PrivateAddresses = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#block in  quick on $wan from $PrivateAddresses to any
#block out quick on $wan from any to $PrivateAddresses

# Let the nated hosts go out.
pass on $lans from <free4> to any keep state
# Let the rest access some other services.
pass on $lans proto tcp to any port $tcp_for_everybody keep state
pass on $lans proto udp to any port $udp_for_everybody keep state

# Let me go out.
pass out from $me keep state

# Let forwarders pass and more importantly, be synproxied, whatever that is.
# See above for the associated rdr (redirection) rules.
pass in proto tcp from any to dejavu.bsas.rs.com.ar port vnc synproxy state # Andres' VNC. Pupeno, 2007-02-12 15:45:16.

# Services that should be reached from anywhere (including the LAN).
pass in proto tcp                     to $me port $mi_tcp_services          keep state
pass in proto udp                     to $me port $mi_udp_services          keep state
pass in proto {icmp, icmp6}           to $me                                keep state
# Services that should be reached only from the LAN.
pass in proto tcp from $lans_network  to $me port $mi_internal_tcp_services keep state
#pass in proto udp from $lans_network to $me port $mi_internal_udp_services keep state             # Enable when there are internal udp services. Pupeno, 2007-01-31 18:17:15.

# Allow communication between the two networks.
pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state
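A first diagnostic step for the stall described above, as an added example that is not part of the original post: snapshot `pfctl -si` before a copy between the two LANs and again while the copy hangs, then report which pf counters grew. The two snapshots below are constructed and abbreviated; whichever counter climbs during the stall (state-mismatch, bad-offset, fragment, normalize, ...) tells you at which stage pf is discarding the packets, before you start toggling rules.

```python
import re

# One counter line of `pfctl -si`, e.g. "  state-mismatch        41     0.0/s"
# or "  current entries      11" (the State Table block has no rate column).
COUNTER_RE = re.compile(
    r"^\s+([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")

def parse_pfctl_si(text):
    """Return {counter name: running total} parsed from `pfctl -si` output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def grown_counters(before, after):
    """Counters whose totals increased between two snapshots (name -> delta)."""
    return {name: total - before.get(name, 0)
            for name, total in after.items() if total > before.get(name, 0)}

# Constructed, abbreviated snapshots: before the scp and while it is stalled.
BEFORE = """\
Status: Enabled for 0 days 01:02:03           Debug: Urgent
State Table                          Total             Rate
  current entries                        9
  searches                           10000            2.7/s
  inserts                              120            0.0/s
Counters
  match                                300            0.1/s
  bad-offset                             0            0.0/s
  state-mismatch                         2            0.0/s
  synproxy                               0            0.0/s
"""
AFTER = """\
Status: Enabled for 0 days 01:04:10           Debug: Urgent
State Table                          Total             Rate
  current entries                       11
  searches                           13000            2.8/s
  inserts                              124            0.0/s
Counters
  match                                310            0.1/s
  bad-offset                             0            0.0/s
  state-mismatch                        41            0.3/s
  synproxy                               0            0.0/s
"""

if __name__ == "__main__":
    # On the router: pfctl -si > before.txt; start the copy; pfctl -si > after.txt
    print(grown_counters(parse_pfctl_si(BEFORE), parse_pfctl_si(AFTER)))
```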
