Date:      Sat, 16 Aug 2003 01:16:21 -0700
From:      Peter Losher <>
Subject:   piping killing performance on 5.1-REL-p2
Message-ID:  <>

Hi - 

On several of our servers that provide name service to the local network, 
we normally have pipes in our ipfw/ipfw2 rules as such:

add     pipe 1          udp     from any to any 53 in
pipe 1  config  mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
add     pipe 2          tcp     from any to any 53 in
pipe 2  config  mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

to make sure outsiders don't slam us too hard, etc... This setup has worked 
fine for us in the past under 4.x, but we have now turned up our first 
5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are 
killing the response times.  dig queries that normally take a couple of 
milliseconds from another host on the same subnet now take 40-50 
milliseconds.  Remove the rules, and the response time goes back 
down to a couple of milliseconds.   Note that this same configuration on a 
4.x system shows very little degradation with the pipes on-line.

Has the syntax changed between ipfw and ipfw2, and have others experienced 
this "slowness" issue?  (I looked in the archives beforehand)

Best Wishes - Peter
-- | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
