Ste*_*fen 6 | Tags: freebsd, firewall, pf
I am running a web and mail server on FreeBSD 9.1. The system is installed on a KVM vServer. Everything works fine - until I enable pf(4). My weblog becomes unconscionably slow. So does all the other traffic, but this is not that annoying.
So it would be great if someone could tell me where the problem might be.
Thanks in advance!
A test with benchmarks/iperf returns the following results:
Disabled pf:
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 46.38.XXX.XXX port 31302 connected with 109.193.XXX.XXX port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 15.1 MBytes 12.6 Mbits/sec
Enabled pf:
------------------------------------------------------------
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 46.38.XXX.XXX port 61377 connected with 109.193.XXX.XXX port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-18.1 sec 128 KBytes 58.1 Kbits/sec
This is my pf.conf:
### INTERFACES ###
if = "{ em0 }"
### SETTINGS ###
# Drop blocked packets silently instead of answering with RST / ICMP unreachable
set block-policy drop
### PORTS ###
# SMTP, HTTP, SMTPS, IMAPS
tcp_pass = "{ 25 80 465 993 }"
udp_pass = "{ 25 80 465 993 }"
icmp_types = "echoreq"
### NORMALISATION ###
scrub in all
# 'quick' added: antispoof expands to ordinary block rules and pf is
# last-match-wins, so without it a later 'pass in' rule (port 80 etc.)
# would let a packet spoofed with this host's own address through.
antispoof quick for $if
### RULES ###
block all
pass in on $if proto tcp from any to any port $tcp_pass flags S/SA keep state
pass in on $if proto udp to any port $udp_pass keep state
pass out quick all keep state
# PING #
pass in on $if inet proto icmp all icmp-type $icmp_types keep state
# TRACEROUTE #
# '><' is an exclusive range: UDP ports 33434 through 33625
pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state
This is rc.conf:
...
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
...
The 9.0 branch seems to be particularly sensitive to odd configurations involving TCP segmentation offload. This can be "corrected" by disabling TSO:
ifconfig em0 -tso
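Added example, not part of the original question or answer: a small POSIX shell script that applies the answer's workaround in a checkable way. It parses the `options=` line of ifconfig(8) output to decide whether TSO4/TSO6 is on, builds the /etc/rc.conf `ifconfig_<if>` entry that keeps TSO off after a reboot (an `ifconfig em0 -tso` typed at the prompt does not survive one), and runs the actual `ifconfig em0 -tso` only when invoked with `apply` on a FreeBSD host. The interface name em0 comes from the question; the two ifconfig output samples and the rc.conf values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or answer): check whether TSO is
# enabled on an interface, build the persistent rc.conf setting, and apply the
# answer's workaround (ifconfig IF -tso) only when explicitly asked to on FreeBSD.
# IFACE defaults to em0 as in the question; the sample outputs below are constructed.

IFACE="${IFACE:-em0}"

# Constructed samples of what ifconfig(8) prints for an em(4) NIC, one with TSO4
# enabled and one without, so the parsing function can be exercised offline.
SAMPLE_IFCONFIG_TSO='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>'
SAMPLE_IFCONFIG_NOTSO='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>'

# tso_enabled TEXT: succeed (return 0) if the ifconfig output in TEXT lists
# TSO4 or TSO6 among the interface options.
tso_enabled() {
	printf '%s\n' "$1" | grep -q 'options=.*<.*TSO[46]'
}

# rcconf_line IFACE EXISTING: produce the /etc/rc.conf entry that keeps TSO off
# across reboots by appending -tso to whatever ifconfig_IFACE already holds.
# Idempotent: an entry that already carries -tso is returned unchanged.
rcconf_line() {
	iface="$1"
	existing="$2"
	case " $existing " in
		*" -tso "*) printf 'ifconfig_%s="%s"\n' "$iface" "$existing" ;;
		*)          printf 'ifconfig_%s="%s"\n' "$iface" "${existing:+$existing }-tso" ;;
	esac
}

# apply_tso_off IFACE: run the answer's workaround on a live FreeBSD host and
# print the rc.conf line needed to make it permanent. Refuses to run anywhere
# else so the parsing helpers above can be used safely on any system.
apply_tso_off() {
	iface="$1"
	if [ "$(uname -s 2>/dev/null)" != "FreeBSD" ]; then
		echo "not FreeBSD; would run: ifconfig $iface -tso" >&2
		return 1
	fi
	out="$(ifconfig "$iface")" || return 1
	if tso_enabled "$out"; then
		ifconfig "$iface" -tso || return 1
		# Read the current ifconfig_<if> value from rc.conf in a subshell so
		# sourcing it cannot affect this script's own variables.
		existing="$( ( . /etc/rc.conf 2>/dev/null; eval "printf '%s' \"\${ifconfig_${iface}:-}\"" ) )"
		echo "TSO disabled on $iface; add to /etc/rc.conf to persist:"
		rcconf_line "$iface" "$existing"
	else
		echo "TSO already off on $iface"
	fi
}

# Only touch the live system when asked: ./tso-off.sh apply
if [ "${1:-}" = "apply" ]; then
	apply_tso_off "$IFACE"
fi
```

Disabling TSO per interface is what the answer suggests; `sysctl net.inet.tcp.tso=0` (settable in /etc/sysctl.conf) turns it off for every interface at once if several NICs are involved. After applying, rerun the iperf test from the question with pf enabled: if throughput returns to roughly the pf-disabled figure, TSO was the culprit. Check `ifconfig em0` again after the next reboot to confirm the rc.conf entry took effect.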