From owner-freebsd-questions@FreeBSD.ORG Tue Feb 20 23:29:19 2007
From: José Pablo Fernández <pablo.fernandez@rs.com.ar>
Organization: RS
To: freebsd-questions@freebsd.org
Date: Tue, 20 Feb 2007 20:21:55 -0300
Subject: PF slowing down file copies
Message-Id: <200702202021.55723.pablo.fernandez@rs.com.ar>
List-Id: User questions

Hello, I have a FreeBSD 6.2 acting as a router between two LANs and the internet.
I am using PF on it for filtering and I am allowing all the traffic to pass between the two LANs:

pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state

My problem is that when I copy a file from one network to the other, the first 128KB seems to be copied instantaneously, the second 128KB takes more than two minutes and I've seen the third 128KB being copied very rarely. This is using Secure CoPy.

If I copy the file to the router and from the router to the other computer, it just works. And it seems people copying files with SMB (Windows' protocol) have found the same problem.

Any ideas what might be going on?

Thanks.
-- 
José Pablo Fernández
pablo.fernandez@rs.com.ar

PS: My full firewall configuration:

# My interfaces.
lan0 = "re0"
lan1 = "re1"
wan = "fxp0"
wan6to4 = "stf0"

# My me, me and I.
me = "{(" $lan0 ") (" $lan1 ") (" $wan ")}"

# Globally accessible services.
mi_tcp_services = "{domain ssh http jabber-client sjabber-client jabber-server 5901}"
mi_udp_services = "{domain ssh http jabber-client sjabber-client jabber-server}"

# LAN-only accessible services.
mi_internal_tcp_services = "{ejabberd-admin bacula-fd http-proxy}"
mi_internal_udp_services = "{}"

# The network.
lans = "{" $lan0 $lan1 "}"
lans_network = "{" $lan0:network $lan1:network "}"

# Hosts that are free to reach the outside world directly.
table { plab.bsas.rs.com.ar dejavu.bsas.rs.com.ar }
table {}

# Available for everybody.
tcp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"
udp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"

# Returning a no-go is better than dropping a packet because it hides the fact that there's a firewall.
set block-policy return

# No filtering on lo0.
set skip on lo

# This will normalize and defragment all packets. Filtering will work better and strange packets will be dropped.
scrub in

# NAT.
nat on $wan from to any -> ($wan)

# Port forwarding. See below for the associated passing rules.
rdr on $wan proto tcp from any to any port 5901 -> dejavu.bsas.rs.com.ar port vnc # Andres' VNC. Pupeno, 2007-02-12 14:50:02.

# Temp port forwarding.
# None so far. Pupeno, 2007-02-12 14:50:25.

# Block everything in, later allowing some stuff.
#block in

# Block RFC1918 (private) from the external card; private addresses in the public internet can't be good.
PrivateAddresses = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#block in quick on $wan from $PrivateAddresses to any
#block out quick on $wan from any to $PrivateAddresses

# Let the NATed hosts go out.
pass on $lans from to any keep state

# Let the rest access some other services.
pass on $lans proto tcp to any port $tcp_for_everybody keep state
pass on $lans proto udp to any port $udp_for_everybody keep state

# Let me go out.
pass out from $me keep state

# Let forwarders pass and, more importantly, be synproxied, whatever that is. See above for the associated rdr (redirection) rules.
pass in proto tcp from any to dejavu.bsas.rs.com.ar port vnc synproxy state # Andres' VNC. Pupeno, 2007-02-12 15:45:16.

# Services that should be reached from anywhere (including the LAN).
pass in proto tcp to $me port $mi_tcp_services keep state
pass in proto udp to $me port $mi_udp_services keep state
pass in proto {icmp, icmp6} to $me keep state

# Services that should be reached only from the LAN.
pass in proto tcp from $lans_network to $me port $mi_internal_tcp_services keep state
#pass in proto udp from $lans_network to $me port $mi_internal_udp_services keep state # Enable when there are internal udp services. Pupeno, 2007-01-31 18:17:15.

# Allow communication between the two networks.
pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state
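An added illustration, not part of the original message: a minimal model of pf's rule evaluation (last matching rule wins, a matching `quick` rule ends evaluation, and a packet matching no rule at all is passed) run over rules shaped like the posted config, showing what the commented-out `block in` lines change for inbound WAN traffic to ports not in the service list. The interface name, private ranges, service ports and packets are assumed stand-ins for the posted macros.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # interface name, or None for any
    proto: Optional[str] = None       # "tcp"/"udp", or None for any
    src: Optional[str] = None         # source CIDR, or None for any
    dport: frozenset = frozenset()    # destination ports; empty = any
    quick: bool = False               # a matching quick rule ends evaluation

def matches(r: Rule, pkt: dict) -> bool:
    return ((r.direction is None or r.direction == pkt["direction"])
            and (r.iface is None or r.iface == pkt["iface"])
            and (r.proto is None or r.proto == pkt["proto"])
            and (r.src is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r.src))
            and (not r.dport or pkt["dport"] in r.dport))

def evaluate(rules, pkt: dict) -> str:
    """pf semantics: last matching rule wins, 'quick' stops early, no match means pass."""
    verdict = "pass"  # pf's default when nothing matches
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

# Assumed stand-ins for the posted macros $wan, $PrivateAddresses and $mi_tcp_services.
WAN = "fxp0"
PRIVATE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
SERVICES = frozenset({22, 53, 80})

def ruleset(block_in_enabled: bool):
    """Rules shaped like the posted config; the flag 'uncomments' its block lines."""
    rules = []
    if block_in_enabled:
        rules.append(Rule("block", "in"))
        rules += [Rule("block", "in", WAN, src=net, quick=True) for net in PRIVATE]
    rules.append(Rule("pass", "in", proto="tcp", dport=SERVICES))
    return rules

# Constructed sample packets arriving on the WAN interface.
PKT_SSH = dict(direction="in", iface=WAN, proto="tcp", src="203.0.113.5", dport=22)
PKT_DB = dict(direction="in", iface=WAN, proto="tcp", src="203.0.113.5", dport=3306)
PKT_SPOOF = dict(direction="in", iface=WAN, proto="tcp", src="10.1.2.3", dport=22)
```

Comparing `evaluate(ruleset(False), PKT_DB)` with `evaluate(ruleset(True), PKT_DB)` shows the difference the `block in` default makes for a port that no pass rule lists.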