I don't have any similar issue, but how about trying to keep state on the incoming traffic (which is faster than traversing the whole rule set every time)?
Joe Barnett wrote:
> To be more specific, with blocking on and selective allowing of
> packets the http/s performance is slowed on the machine in question.
> This is a development server, located on an internal network --
> with some packets from the outside directed to it, namely ssh and
> https.
>
> By "slowed" I mean that pages that usually load almost
> instantaneously will now load in about two seconds. Otherwise, the
> machine appears fully functional.
>
> The network is run of the mill 100Mbs, with no machine more than
> thirty feet or so from the switch (this is a small office). The
> machine is reasonably fast (yikes, that is subjective!), some output
> from dmesg:
>
> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: AMD Athlon(tm) ("AuthenticAMD" 686-class, 256KB L2 cache) 1.15 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
> cpu0: AMD Powernow: FID
> real mem = 1073262592 (1048108K)
> avail mem = 972726272 (949928K)
>
> The machine is running 3.8 from the CDs, GENERIC kernel, etc.
> pf.conf follows (any critique of the rules is welcome...):
>
> ########################################################################
> #
> # pf.conf -- Pf ruleset
> ########################################################################
> #
> # set up some variables
> #
> nic="rl0"
> spoofed="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
> local="192.168.0.0/16"
> ########################################################################
> #
> # Scrub all packets by default
> scrub in all
> ########################################################################
> #
> # Block all in by default, pass out all by default
> #
> block in all
> pass out all
> ########################################################################
> #
> # Block spoofers (this might be redundant...)
> #
> block in quick on $nic from $spoofed
> ########################################################################
> #
> # open http/s
> pass in quick proto tcp from $local to $nic port = 80
> pass in quick proto tcp from any to $nic port = 443
> ########################################################################
> #
> # And SSH only, no ftp or telnet
> #
> pass in quick proto tcp from any to $nic port = 22
> ########################################################################
> #
> # MySQL
> pass in quick proto tcp from $local to $nic port = 3306
> ########################################################################
> #
> # SMB shares
> pass in quick proto tcp from $local to $nic port = 139
> pass in quick proto tcp from $local to $nic port = 445
> ########################################################################
> #
> # Allow loopback traffic
> #
> pass in quick on lo0 all
> ########################################################################
> #
> # Allow local machines to ping
> #
> pass in quick proto icmp from $local to $nic
> ########################################################################
> #
> # Allow out all TCP, UDP, and ICMP traffic & keep state on it
> # so that it's allowed back in.
> #
> # tcp
> pass out quick proto tcp from $nic to any keep state
> # udp
> pass out quick proto udp from $nic to any keep state
> # icmp
> pass out quick inet proto icmp from $nic to any keep state
> ########################################################################
> #
> # Block office generated SMB broadcast traffic without logging (very noisy) (this might also be redundant...)
> #
> block in quick proto udp from any to $nic port = 137
> block in quick proto udp from any to $nic port = 138
> ########################################################################
> #
> # just to be safe, end by blocking anything that is left
> #
> block in all
>
> I have another pf.conf I use for testing, which allows all packets
> in and out, only scrubbing them, and performance is significantly
> better with this:
>
> ########################################################################
> #
> # Scrub all packets by default
> #
> scrub in all
> ########################################################################
> #
> # allow everything
> #
> pass in all
> pass out all
>
> I am hoping there are some glaring issues with my pf.conf, though it
> has been in use and changed only slightly since... since Pf was
> first introduced. Has anyone else noticed such issues lately?
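The stateful rewrite the reply suggests, as an added example that is not part of the thread: the inbound pass rules from the quoted ruleset as posted, beside a version that keeps state. It assumes OpenBSD 3.8 semantics (a pass rule creates no state unless it says keep state) and reuses the rl0 and 192.168.0.0/16 values from the quoted config.

```pf
# Added example (not Joe's posted config): inbound service rules,
# stateless as posted, then rewritten to create state on the SYN.
# Assumes OpenBSD 3.8, where "pass" is stateless without "keep state".
nic="rl0"
local="192.168.0.0/16"

# --- As posted: stateless.  Every inbound packet of an established
# connection is evaluated against the ruleset again.  The only state
# that gets created comes from the outbound reply matching the
# "pass out ... keep state" rules, i.e. from a non-SYN packet, so the
# entry never sees the window-scaling option carried only on the SYN.
# pass in quick proto tcp from $local to $nic port = 80
# pass in quick proto tcp from any   to $nic port = 443
# pass in quick proto tcp from any   to $nic port = 22

# --- Stateful rewrite: the inbound SYN creates the state entry, and
# every later packet of that connection is matched in the state table
# without walking the ruleset.  "flags S/SA" limits state creation to
# the initial SYN (SYN set, ACK clear), so the entry is built from the
# handshake and tracks the connection correctly from the start.
pass in quick proto tcp from $local to $nic port = 80  flags S/SA keep state
pass in quick proto tcp from any   to $nic port = 443 flags S/SA keep state
pass in quick proto tcp from any   to $nic port = 22  flags S/SA keep state
pass in quick proto tcp from $local to $nic port = 3306 flags S/SA keep state
pass in quick proto tcp from $local to $nic port = { 139, 445 } flags S/SA keep state

# Connections the server itself opens: same idea, state only on the SYN
# for TCP; UDP and ICMP keep state on the first packet as posted.
pass out quick proto tcp from $nic to any flags S/SA keep state
pass out quick proto udp from $nic to any keep state
pass out quick inet proto icmp from $nic to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm entries appear with `pfctl -ss` after a fresh connection to port 443.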