From owner-freebsd-pf@FreeBSD.ORG Tue Nov 4 16:11:15 2008
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Nov 2008 17:11:12 +0100
User-Agent: KMail/1.10.1 (FreeBSD/8.0-CURRENT; KDE/4.1.1; i386; ; )
References: <491012AE.7000409@adminlife.net> <49106ECF.4080803@adminlife.net> <20081104155043.GA51736@icarus.home.lan>
In-Reply-To: <20081104155043.GA51736@icarus.home.lan>
Message-Id: <200811041711.12983.max@love2party.net>
Subject: Re: rdr rule does not work (bad hdr length)

On Tuesday 04 November 2008 16:50:43 Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 04:48:31PM +0100, Matthias Kellermann wrote:
...
> > Thanks for your explanation, Max.
> >
> > I've added the following line to /etc/inetd.conf:
> >
> > telnet stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 20 192.168.0.10 23
> >
> > Works fine!
> >
> > I've tried the same thing with other protocols (e.g. SSH). Doing an scp
> > transfer is really slow this way. Any ideas what could cause this issue?
> > (This is not pf related anymore, but perhaps someone has a quick answer.)
>
> Simple: you've created a wonderful, beautiful bottleneck by using netcat
> as a form of buffering mechanism. You can tune netcat to your heart's
> content, and probably improve things a bit, but you're more or less
> screwed (to put it frankly).
>
> I highly recommend Max's first recommendation.

Basically, yes. Userland redirection is a hack. It's easy to set up and
will get you going. There are more efficient implementations than netcat -
e.g. rinetd from ports. Ultimately, however, if you are looking for
throughput without too much impact on the forwarding box etc. ... you must
use a different mechanism - such as in-kernel redirection as provided by
pf. For that you need a different network layout, however.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
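As an added illustration (my own pf.conf fragment, not from this thread or from the poster's setup), this is the in-kernel rdr equivalent of the inetd+nc line above for the same target 192.168.0.10:23; the interface names and the two-interface layout in the comments are assumptions, since the thread does not show the poster's network.

```pf
# Assumed layout (not the original poster's, which this thread does not show):
# clients reach the pf box on em0; 192.168.0.10 sits behind it on em1 and
# uses the pf box as its default gateway, so replies traverse pf again.
ext_if = "em0"
int_if = "em1"
telnet_srv = "192.168.0.10"

# In-kernel equivalent of the inetd+nc line: rewrite the destination of
# inbound TCP/23 before filtering. No userland process sits in the data
# path, so there is no per-connection copy/buffering bottleneck, and the
# server sees the real client address instead of the forwarding box.
# Translation rules must precede filter rules in pf.conf.
rdr on $ext_if proto tcp from any to ($ext_if) port 23 -> $telnet_srv port 23

# Filter rules are evaluated after translation, so they match the real
# server address, not the pf box's own address.
block in on $ext_if all
pass in  on $ext_if proto tcp from any to $telnet_srv port 23 keep state
pass out on $int_if proto tcp from any to $telnet_srv port 23 keep state
```

This only works when the server's return traffic is routed back through the pf box; if client and server share a subnet with it, the server answers the client directly, the state never completes, and the connection hangs, which is the "different network layout" requirement in the reply above.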