On Tue, Jul 06, 2010 at 01:06:25AM -0500, David Warren wrote:
> Hi again,
>
> Disabling pf definitely makes samba file transfers move faster (the
> speed varies quite a bit, but everything's faster than the single kilobytes
> per second I was seeing previously), but I'm perplexed about what's causing
> the slowdown. There's certainly some cruft in my pf.conf (below), but I'm
> not sure what might be strangling my LAN. Can anyone set me straight?
In general, check which rules are matched most with 'pfctl -vvs rules|less'.
Put the rules that are matched most first in the ruleset, adding the 'quick'
keyword where possible.
There is a FAQ on the OpenBSD site about pf, but it pertains to a newer
version than is available in FreeBSD!
> /etc/pf.conf:
> # macros
> int_if = "em0"
> wifi_if = "wlan0"
> ext_if = "nfe0"
>
> nat_opt = "192.168.0.5" # Windows box
> nat_cu = "192.168.0.1" # server
>
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"

> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
You might want to replace this by a table. It's supposed to be faster;
table <priv_nets> const { 127/8, 192.168/16, 172.16/12, 10/8 }
> # options
You could try and use ruleset optimization;
set ruleset-optimization profile
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> # scrub
> scrub in
>
> # nat/rdr
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat on $ext_if from $wifi_if:network to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 22 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 6881:6999 -> $nat_opt
> rdr on $ext_if proto tcp from any to any port 34567:34575 -> $nat_cu
> rdr on $ext_if proto tcp from any to any port 993 -> $nat_opt
>
> # filter rules
> block in log
Try
block in log label "inblock"
Adding labels to your rules aids you in determining which ones are matched,
with 'pfctl -vvs labels'
> pass out keep state
I think keeping state is the default now.
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
> flags S/SA keep state
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
Use table syntax in combination with the table defined above;
block drop in quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>
> pass in inet proto icmp all icmp-type $icmp_types keep state
You might want to think about adding the "quick" keyword to the following four rules.
> pass in on $ext_if inet proto tcp from any to $nat_cu port $tcp_services
> flags S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_cu port 34567:34575 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 6881:6999 flags
> S/SA synproxy state
> pass in on $ext_if inet proto tcp from any to $nat_opt port 993 flags S/SA
> synproxy state
If you have a lot of traffic on the following two rules, put them at the top of the filter
rules. Then they will be evaluated first and not the rest of the rules. You
might also consider adding them to 'set skip'.
> pass in quick on $int_if
> pass in quick on $wifi_if
Enlarging the buffer sizes for the BPF device might help as well;
sysctl net.bpf.bufsize=65536
sysctl net.bpf.maxbufsize=524288
Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
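As an added example (not part of Roland's reply or of the original thread), here is a small POSIX sh/awk script that does the "which rules are matched most" check from the reply mechanically: it reads 'pfctl -vvs rules' output and ranks each rule by its Packets and Evaluations counters. The pfctl output it parses is a constructed stand-in (rule text and counters are made up) so it runs offline; on a live box you would pipe the real 'pfctl -vvs rules' into rank_rules instead.

```shell
#!/bin/sh
# Constructed sample standing in for 'pfctl -vvs rules' output. Rules and
# counters are invented for the example; they are not from the poster's box.
sample_pfctl_rules() {
  cat <<'EOF'
@0 block drop in log all
  [ Evaluations: 48213     Packets: 3102      Bytes: 201440      States: 0     ]
  [ Inserted: uid 0 pid 812 State Creations: 0     ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 45111     Packets: 90211     Bytes: 88120334    States: 141   ]
  [ Inserted: uid 0 pid 812 State Creations: 2210  ]
@2 pass in quick on em0 all
  [ Evaluations: 44980     Packets: 310775    Bytes: 402118001   States: 402   ]
  [ Inserted: uid 0 pid 812 State Creations: 5120  ]
EOF
}

# Reads 'pfctl -vvs rules' output on stdin and prints one tab-separated line
# per rule: <packets> <evaluations> <rule text>, most-matched rule first.
# A rule with many evaluations but few packets, sitting high in the ruleset,
# is costing cycles for every packet that passes it; a heavily matched rule
# near the bottom is a candidate to move up and mark 'quick'.
rank_rules() {
  awk '
    /^@[0-9]+ / { rule = $0; next }          # "@N <rule>" line from -vv output
    /Evaluations:/ {                          # counter line under that rule
      for (i = 1; i <= NF; i++) {
        if ($i == "Evaluations:") ev = $(i + 1)
        if ($i == "Packets:")     pk = $(i + 1)
      }
      printf "%s\t%s\t%s\n", pk, ev, rule
    }
  ' | sort -k1,1nr
}

# Rule text of the most-matched rule in the sample (what you would move first).
top_rule() {
  sample_pfctl_rules | rank_rules | head -n 1 | cut -f3
}
```

Run it as `pfctl -vvs rules | rank_rules` on the real ruleset; the order it prints is the order the reply suggests putting the rules in, quick-marked where the rule's decision is final.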