On Fri, 17 Dec 2010 15:19:30 +0100
Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> On Fri, Dec 17, 2010 at 01:57:48PM +0000, Gerard Lally wrote:
> > Yes I did increase that substantially.
>
> how much ?
I tried increasing it from the default 2048, first to 16384 and then to
32768.
I also tried tuning TCP in /etc/sysctl.conf:
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
But the same thing happened all the time - mbuf usage climbed and
climbed until the system froze.
> > it helped, but eventually the
> > system still froze.
>
> what is your config ?
I took the queueing section directly from /usr/share/examples/pf/faq-example2.
cat /etc/rc.conf
named=YES                       # caching only
pf=YES
pflogd=YES
altqd=NO                        # all altq options compiled into kernel
defaultroute=192.168.1.254
ifconfig_ral0=192.168.1.40
ifconfig_bge0=172.16.1.40       # options GATEWAY compiled into kernel
cat resolv.conf
nameserver 127.0.0.1
cat /etc/pf.conf
# Macros
ext_if="ral0"
int_if="bge0"
mypc="172.16.1.50"
local_net="172.16.1.0/24"
ssh_ports="{ 22 2022 }"
im_ports="{ 1863 5190 5222 }"
# Tables
#table <spamd-white> persist
# Options
# set optimization aggressive
set skip on lo
# Traffic normalization
scrub in on $ext_if all fragment reassemble
# scrub out on $ext_if max-mss 1440
# Queueing
# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 112Kbps to get the best performance out of the TCP
# ACK queue.
altq on ral0 priq bandwidth 112Kb queue { std_out, ssh_im_out, dns_out, \
    tcp_ack_out }
# define the parameters for the child queues.
# std_out - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_out - interactive SSH and various instant message traffic.
# dns_out - DNS queries.
# tcp_ack_out - TCP ACK packets with no data payload.
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 1Mbps.
altq on bge0 cbq bandwidth 1Mb queue { std_in, ssh_im_in, dns_in, \
    mypc_in }
# define the parameters for the child queues.
# std_in - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_in - interactive SSH and various instant message traffic.
# dns_in - DNS replies.
# mypc_in - bandwidth reserved for my workstation. Allow me to
# borrow.
queue std_in bandwidth 0.8Mb cbq(default)
queue ssh_im_in bandwidth 80Kb priority 4
queue dns_in bandwidth 70Kb priority 5
queue mypc_in bandwidth 50Kb cbq(borrow)
# Translation (NAT)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $local_net to any -> $ext_if
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
# -> 127.0.0.1 port spamd
anchor "ftp-proxy/*"
# Packet filtering
block in on $ext_if all
pass in on $ext_if inet proto icmp all icmp-type 8 code 0
block out on $ext_if all
pass out on $ext_if inet proto tcp from any to any \
queue(std_out, tcp_ack_out)
pass out on $ext_if inet proto { udp icmp } from any to any
pass out on $ext_if inet proto { tcp udp } from any to any port 53 \
queue dns_out
pass out on $ext_if inet proto tcp from any to any port $ssh_ports \
queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from any to any port $im_ports \
queue(ssh_im_out, tcp_ack_out)
block in on $int_if all
pass in on $int_if from $local_net to any
block out on $int_if all
pass out on $int_if from any to $local_net
pass out on $int_if proto { tcp udp } from any port domain to \
    $local_net queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to $local_net \
queue(std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to $local_net \
queue ssh_im_in
pass out on $int_if from any to $mypc queue mypc_in
antispoof quick for { lo $int_if }
--
Gerard Lally
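The thread describes mbuf usage climbing until the machine freezes, with nothing left on disk afterwards to show the curve or which ALTQ queue was holding the buffers. The script below is an added example for this discussion, not code Gerard posted and not part of NetBSD or pf: it samples "netstat -m" and "pfctl -vsq" at a fixed interval, appends both to a log with a timestamp, syncs the file, and flags a run of strictly increasing samples. It assumes the first line of NetBSD's netstat -m output reads "<N> mbufs in use:", that ALTQ is compiled into the kernel so pfctl -vsq prints per-queue counters, and that kern.mbuf.nmbclusters is the limit that was raised; the netstat text embedded in the script is constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# mbuf_watch.sh -- record mbuf usage and pf/ALTQ queue counters at a fixed
# interval and flag a monotonic climb, so the trend is on disk before the
# machine locks up. Added example, not code from the thread or from NetBSD.
# Assumptions: NetBSD "netstat -m" starts with a line "<N> mbufs in use:",
# ALTQ is compiled in so "pfctl -vsq" prints per-queue counters, and
# kern.mbuf.nmbclusters is the cluster limit that was raised.

# Constructed sample of "netstat -m" output (not captured from the poster's
# box); used when the script is not run live.
SAMPLE_NETSTAT_M='1902 mbufs in use:
	1870 mbufs allocated to data
	32 mbufs allocated to packet headers
0 calls to protocol drain routines'

# mbufs_in_use TEXT: print the total from the "<N> mbufs in use:" line,
# nothing if the line is absent (different netstat build).
mbufs_in_use() {
    printf '%s\n' "$1" |
        awk '$2 == "mbufs" && $3 == "in" && $4 == "use:" { print $1; exit }'
}

# trend "n1 n2 n3 ...": CLIMBING when every sample exceeds the previous one
# (the pattern described in the thread), STABLE otherwise, UNKNOWN with
# fewer than three samples.
trend() {
    set -- $1
    [ $# -ge 3 ] || { echo UNKNOWN; return 0; }
    prev=$1; shift
    for n in "$@"; do
        [ "$n" -gt "$prev" ] || { echo STABLE; return 0; }
        prev=$n
    done
    echo CLIMBING
}

# sample_loop INTERVAL LOGFILE WINDOW: sample the live system until killed.
sample_loop() {
    interval=$1 log=$2 window=$3 hist=""
    while :; do
        n=$(mbufs_in_use "$(netstat -m 2>/dev/null)")
        if [ -z "$n" ]; then
            echo "$(date) could not parse netstat -m" >> "$log"
        else
            hist=$(printf '%s\n' $hist "$n" | tail -n "$window" | tr '\n' ' ')
            {
                echo "=== $(date) mbufs=$n trend=$(trend "$hist")" \
                     "nmbclusters=$(sysctl -n kern.mbuf.nmbclusters 2>/dev/null)"
                pfctl -vsq 2>/dev/null
            } >> "$log"
        fi
        sync    # push the last sample to disk in case the next one never comes
        sleep "$interval"
    done
}

if [ "${MBUF_WATCH_LIVE:-0}" = 1 ]; then
    sample_loop "${INTERVAL:-5}" "${LOGFILE:-/var/log/mbuf_watch.log}" 6
else
    echo "sample mbufs in use: $(mbufs_in_use "$SAMPLE_NETSTAT_M")"
    echo "trend of '100 120 150 170': $(trend '100 120 150 170')"
fi
```

Run it as "MBUF_WATCH_LIVE=1 sh mbuf_watch.sh" from a second terminal (or from rc.local) while reproducing the freeze; without that variable it only exercises the parser on the embedded sample. After the reboot, reading the per-queue packet and drop counters from pfctl -vsq next to the mbuf count in each block of the log shows whether one queue is growing in step with the buffers, which is the first thing to check before raising kern.mbuf.nmbclusters any further.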