Hello!

I recently upgraded a friend's computer to 8.2-STABLE and
we are noticing some network performance problems...

In particular, when a large file is being uploaded to the outside
(via scp), two weird things happen:

        1. Although it begins with a transfer rate of over 2Mb/s
           (as reported by scp itself), it quickly drops down to
           10-15Kb/s and even completely stalls on occasion.
        2. natd can be seen (in top) as chewing up an entire CPU
           (one of the four 1.8GHz Opterons).

Although the first problem could be explained by some sort of attempt
by the ISP to throttle long, large file transfers, I don't have an
easy explanation for the second...

If I flush the ipfw rules, natd disappears from top's list and
the transfer speeds up to about 260Kb/s (still nowhere near the
initial 2Mb/s, but much higher than the 10-15Kb/s).

There are two network cards in the machine: nfe0 (external) and bge0
(internal). There is no IPv6 in the picture (world is built with
NO_INET6).

The daemon is running as:

        /sbin/natd -redirect_port tcp natasha:ssh 23 -redirect_port tcp isp.mail.ser.ver:smtp 2525 -dynamic -n nfe0

The ipfw rules are derived from the "simple" firewall:

        00100 allow ip from any to any via lo0
        00200 deny ip from any to 127.0.0.0/8
        00300 deny ip from 127.0.0.0/8 to any
        00400 deny ip from 192.168.1.0 to any in via nfe0
        00500 deny ip from any to 10.0.0.0/8 via nfe0
        00600 deny ip from any to 172.16.0.0/12 via nfe0
        00700 deny ip from any to 192.168.0.0/16 via nfe0
        00800 deny ip from any to 0.0.0.0/8 via nfe0
        00900 deny ip from any to 169.254.0.0/16 via nfe0
        01000 deny ip from any to 192.0.2.0/24 via nfe0
        01100 deny ip from any to 224.0.0.0/4 via nfe0
        01200 deny ip from any to 240.0.0.0/4 via nfe0
        01300 deny ip from not one.special.foreign.ip to any dst-port 2525
        01400 divert 8668 ip4 from any to any via nfe0
        01500 deny ip from 10.0.0.0/8 to any via nfe0
        01600 deny ip from 172.16.0.0/12 to any via nfe0
        01700 deny ip from 192.168.0.0/16 to any via nfe0
        01800 deny ip from 0.0.0.0/8 to any via nfe0
        01900 deny ip from 169.254.0.0/16 to any via nfe0
        02000 deny ip from 192.0.2.0/24 to any via nfe0
        02100 deny ip from 224.0.0.0/4 to any via nfe0
        02200 deny ip from 240.0.0.0/4 to any via nfe0
        02300 allow tcp from any to any established
        02400 allow ip from any to any frag
        02500 allow tcp from any to me dst-port 22 setup
        02600 allow tcp from any to me dst-port 25 setup
        02700 allow tcp from any to me dst-port 53 setup
        02800 allow udp from any to me dst-port 53
        02900 allow udp from me 53 to any
        03000 allow tcp from any to me dst-port 80 setup
        03100 allow tcp from any to me dst-port 2875-3000 setup
        03200 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
        03300 allow tcp from any to any setup
        03400 allow udp from me to any dst-port 53 keep-state
        03500 allow udp from me to any dst-port 123 keep-state

Please advise. Thanks! Yours,

        -mi
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
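To see which rules the packets of the scp upload actually hit in the ruleset above, here is a small first-match tracer. It is an added example, not code from the post or from FreeBSD; it models only the ipfw(8) features the ruleset uses (addresses, `via`, `in`/`out`, `dst-port`, `setup`, `established`, `ip4`/`proto`) and treats a `divert` match the way ipfw does, i.e. the packet goes to natd and, when natd writes it back, evaluation resumes at the rule after the divert rule. natd's rewriting is approximated as "outbound source becomes the external address, inbound port 23 becomes natasha:22"; the external address 203.0.113.10, the internal address 192.168.1.1, natasha's address 192.168.1.2 and the remote peer 198.51.100.7 are all constructed placeholders, and dynamic state (`keep-state`) is not modelled. The ruleset excerpt keeps the post's rule numbers and text.

```python
"""Trace packets through an ipfw ruleset in first-match order (added example, not from the post)."""
import ipaddress
EXTERNAL_IP = "203.0.113.10"            # constructed: the gateway's nfe0 address
ME = {EXTERNAL_IP, "192.168.1.1"}       # constructed: the gateway's own nfe0 and bge0 addresses
REDIRECTS = {23: ("192.168.1.2", 22)}   # -redirect_port tcp natasha:ssh 23; natasha's IP is assumed
# Excerpt of the ruleset from the post, text and numbering unchanged.
RULESET = """\
00400 deny ip from 192.168.1.0 to any in via nfe0
00700 deny ip from any to 192.168.0.0/16 via nfe0
01400 divert 8668 ip4 from any to any via nfe0
01700 deny ip from 192.168.0.0/16 to any via nfe0
02300 allow tcp from any to any established
02500 allow tcp from any to me dst-port 22 setup
03200 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
"""
def ports(tok):  # '53' -> (53, 53); '2875-3000' -> (2875, 3000)
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)

def parse_addr(t, i):  # '[not] any|me|ip[/bits] [port[-port]]' at t[i] -> (spec, next index)
    neg = t[i] == "not"
    spec = t[i + neg]
    i += neg + 1
    has_port = i < len(t) and t[i][0].isdigit()   # a port spec may follow the address
    return (neg, spec, ports(t[i]) if has_port else None), i + has_port

def parse_rule(line):
    t = line.split()
    r = {"num": int(t[0]), "action": t[1]}
    i = 3 if t[1] == "divert" else 2                # skip the divert port number
    if t[i] == "log":                               # 'log [logamount N]' never affects matching
        i += 3 if t[i + 1] == "logamount" else 1
    r["proto"], i = t[i], i + 1
    r["src"], i = parse_addr(t, i + 1)              # i + 1 skips 'from'
    r["dst"], i = parse_addr(t, i + 1)              # i + 1 skips 'to'
    while i < len(t):
        o, i = t[i], i + 1
        if o in ("via", "proto"):                   # 'ip4 ... proto tcp' narrows the protocol
            r[o], i = t[i], i + 1
        elif o == "dst-port":
            r[o], i = ports(t[i]), i + 1
        elif o in ("in", "out"):
            r["dir"] = o
        elif o in ("setup", "established"):
            r[o] = True
        elif o != "keep-state":                     # dynamic state is not modelled
            raise ValueError(f"rule {r['num']}: unsupported option {o!r}")
    return r

def addr_match(spec, ip, port, me):
    neg, s, pr = spec
    if s in ("any", "me"):
        ok = s == "any" or ip in me
    else:  # no /bits means a single host (/32) in ipfw, which is how rule 00400 reads
        ok = ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False)
    return (ok and (pr is None or pr[0] <= port <= pr[1])) != neg

def matches(r, p, me):
    f = p["flags"]
    return (r["proto"] in ("ip", "ip4", p["proto"])
            and addr_match(r["src"], p["src"], p["sport"], me)
            and addr_match(r["dst"], p["dst"], p["dport"], me)
            and r.get("via", p["iface"]) == p["iface"]
            and r.get("dir", p["dir"]) == p["dir"]
            and ("dst-port" not in r or r["dst-port"][0] <= p["dport"] <= r["dst-port"][1])
            and (not r.get("setup") or (p["proto"] == "tcp" and "SYN" in f and "ACK" not in f))
            and (not r.get("established") or (p["proto"] == "tcp" and bool(f & {"ACK", "RST"}))))

def natd_rewrite(p):  # crude model of natd -n nfe0: masquerade outbound, -redirect_port inbound
    p = dict(p)
    if p["dir"] == "out":
        p["src"] = EXTERNAL_IP
    elif p["dport"] in REDIRECTS:
        p["dst"], p["dport"] = REDIRECTS[p["dport"]]
    return p

def trace(rules, pkt, me=ME):  # rule numbers matched in order, ending at the first allow/deny
    path = []
    for r in rules:
        if matches(r, pkt, me):
            path.append(r["num"])
            if r["action"] != "divert":
                break
            pkt = natd_rewrite(pkt)                 # natd reinjects; ipfw resumes at the next rule
    return path

def packet(proto, src, sport, dst, dport, direction, *flags):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "iface": "nfe0", "dir": direction, "flags": set(flags)}

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    # an scp data segment from a LAN host leaving nfe0: it reaches natd before the 'established' allow
    print(trace(rules, packet("tcp", "192.168.1.55", 51000, "198.51.100.7", 22, "out", "ACK")))
    # an inbound SYN to port 23, which natd redirects to natasha:22
    print(trace(rules, packet("tcp", "198.51.100.7", 40001, EXTERNAL_IP, 23, "in", "SYN")))
```

Two things the trace makes visible. First, rule 01400 matches every IPv4 packet on nfe0 in both directions before any `allow` rule is reached, so each segment and each ACK of the scp stream is copied through the divert socket to natd and back; that is why natd's CPU time grows with the packet rate and why flushing the rules changes the throughput. Second, under this model an inbound connection to port 23 is rewritten by natd to natasha:22 and then, because rules 02500 and following only allow traffic `to me`, ends at the logging deny rule 03200; if natasha is a separate LAN host, as assumed here, that is worth checking against the log of rule 03200 before attributing the stalls to the ISP.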