> > These 2 problems are making pf virtually unusable for our
> > firewall needs. Hopefully there is a fix for them.
Have you tried ifconfig polling for all the em interfaces? I have recently installed a PF system on 6.1 prerelease with 4 * em + 2 * bge and 80-odd rules; it's not sweating at ~600 meg/sec being thrown at it. That's with ALTQ compiled in but not used in the policy at present.

Unless you are using synproxy, I would suggest getting rid of "set state-policy if-bound" and sticking with the default of floating.

Are all your stateful TCP rules using flags S/SA to establish state?

Are you running out of state table entries? The default is 10k; tracking it with pfctl -si will tell you.

With nearly 400 firewall rules, I would suggest that there's scope for reviewing order and the judicious use of quick to trim the policy into something more manageable.

Greg
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
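The two checks Greg suggests above (is the state table running out of entries, and do the stateful TCP rules carry flags S/SA) can be scripted. The following is an added example, not code from the thread or from the pf project: it parses the "State Table" block of pfctl -si and the "states" line of pfctl -sm to report how full the table is, and greps a pf.conf for stateful TCP pass rules that lack a flags clause. The pfctl output and the pf.conf excerpt embedded below are constructed samples so the script runs offline; on a real FreeBSD 6.x box you would feed it the live pfctl -si, pfctl -sm and /etc/pf.conf instead. The 90% threshold is an assumption, not a pf setting.

```shell
#!/bin/sh
# Added example (not from the freebsd-pf thread): check pf state-table headroom
# from "pfctl -si" / "pfctl -sm" output, and audit a pf.conf for stateful TCP
# rules that lack "flags S/SA". The sample texts below are constructed to look
# like FreeBSD 6.x pfctl output; on a real box feed it the live command output.

# Constructed sample of `pfctl -si` (only the State Table block is parsed).
SAMPLE_SI=$(cat <<'EOF'
Status: Enabled for 3 days 04:12:33           Debug: Urgent

State Table                          Total             Rate
  current entries                     9873
  searches                         8765432           33.1/s
  inserts                           123456            0.5/s
  removals                          113583            0.4/s
EOF
)

# Constructed sample of `pfctl -sm` ("states" is the state-table hard limit).
SAMPLE_SM=$(cat <<'EOF'
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
EOF
)

# Constructed pf.conf excerpt: one stateful TCP rule is missing flags S/SA.
SAMPLE_CONF=$(cat <<'EOF'
set state-policy floating
set limit states 100000
block in quick on em0 from 10.0.0.0/8 to any
pass in quick on em0 proto tcp from any to 192.0.2.10 port 80 flags S/SA keep state
pass in quick on em0 proto tcp from any to 192.0.2.10 port 25 keep state
pass out on em0 proto udp from any to any keep state
EOF
)

# state_entries TEXT: current state-table entries from `pfctl -si` output.
state_entries() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_limit TEXT: hard limit for states from `pfctl -sm` output.
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'
}

# state_usage_pct CURRENT LIMIT: integer percentage of the table in use.
state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_states SI_TEXT SM_TEXT [THRESHOLD_PCT]: exit 0 if usage is below the
# threshold (assumed default 90%), 1 if the table is close to full. A full
# table means pf cannot create state for new connections, so they get dropped.
check_states() {
    cur=$(state_entries "$1")
    lim=$(state_limit "$2")
    pct=$(state_usage_pct "$cur" "$lim")
    echo "states: $cur / $lim ($pct%)"
    [ "$pct" -lt "${3:-90}" ]
}

# tcp_rules_without_flags CONF_TEXT: print stateful TCP pass rules that have no
# "flags" clause. Without flags S/SA such a rule creates state from any packet
# of the stream, not just the initial SYN.
tcp_rules_without_flags() {
    printf '%s\n' "$1" | awk '
        /^pass/ && /proto tcp/ && /(keep|modulate|synproxy) state/ && !/flags/'
}

# Stand-alone usage with the constructed samples. On a real box replace them
# with "$(pfctl -si)", "$(pfctl -sm)" and "$(cat /etc/pf.conf)".
main() {
    if check_states "$SAMPLE_SI" "$SAMPLE_SM"; then
        echo "state table has headroom"
    else
        echo "state table nearly full: raise 'set limit states' or shorten timeouts"
    fi
    echo "stateful TCP rules without flags S/SA:"
    tcp_rules_without_flags "$SAMPLE_CONF"
}

main
```

With the constructed sample the table is at 98% of the 10k default, which is exactly the situation the thread is asking about, and the audit flags the port 25 rule. Raising the limit is done with "set limit states N" in pf.conf; the flags fix is to add "flags S/SA" to each stateful TCP pass rule.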
