On Wed, 13 Dec 2006, Charles Sprickman wrote:
> Hi all,
>
> I'm running a 6.2-RC1 box (cvsup'd today) that has two broadcom nics. One is
> an internal network (nfs) and the other is external.
>
> PF has this rule for all traffic on the private net:
>
> [EMAIL PROTECTED] /home/jails]# pfctl -sr|grep bge1
> pass in quick on bge1 inet from 192.168.1.0/24 to any
> pass out quick on bge1 inet from any to 192.168.1.0/24
>
> No state since these are "quick" and symmetrical.
>
> Doing something like "ls /usr/ports" will just hang until interrupted. Using
> tcp for nfs makes it workable, but very slow.
>
> If I disable pf (pfctl -d), both types of mounts work, and speed is
> excellent. I also just found that if I remove the "scrub in all" statement
> and change it to "scrub in on bge0", things are fine.
I believe it's a bad idea to run NFS traffic through scrub unless you use
the "no-df" option with it. I just don't scrub my internal network
traffic at all.
I got this from "man pf.conf":
scrub has the following options:
    no-df
        Clears the dont-fragment bit from a matching IP packet. Some
        operating systems are known to generate fragmented packets with
        the dont-fragment bit set. This is particularly true with NFS.
        Scrub will drop such fragmented dont-fragment packets unless
        no-df is specified.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
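As an added example that is not part of the thread (neither poster's ruleset), here is how the two fixes discussed above look side by side in pf.conf: the original "scrub in all", the poster's workaround of scrubbing only the external interface, and the reply's suggestion of keeping scrub on the NFS side with no-df. The interface names bge0/bge1, the 192.168.1.0/24 network and the two pass rules are taken from the post; the macro names, the random-id modifier and the check commands in the comments are assumptions added here.

```pf
# Added example, not from the original thread. Interfaces and the
# private network come from the post; macro names are assumed.
ext_if  = "bge0"
int_if  = "bge1"
nfs_net = "192.168.1.0/24"

# What the poster had: every inbound packet on every interface is
# normalised. A fragment that arrives with the DF bit set (which some
# NFS-over-UDP senders produce) is dropped by scrub, so the mount hangs
# until the RPC is interrupted.
#
#   scrub in all

# Replacement for the line above, covering both interfaces:

# The poster's workaround: normalise only the untrusted external side
# and leave the internal NFS interface unscrubbed.
scrub in on $ext_if all

# The reply's suggestion: keep scrubbing the internal side, but clear
# DF so fragmented NFS packets are not dropped. pf.conf(5) recommends
# random-id together with no-df, because some senders that set DF also
# send a zero IP ID, which would collide if a router refragments.
scrub in on $int_if all no-df random-id

# The trusted-net rules from the post, unchanged.
pass in  quick on $int_if inet from $nfs_net to any
pass out quick on $int_if inet from any to $nfs_net

# Checks (assumed commands, run as root):
#   pfctl -nf /etc/pf.conf        # parse only, do not load
#   pfctl -f  /etc/pf.conf        # load the new ruleset
# To confirm the symptom while a UDP mount hangs, list fragments that
# arrive with DF set: ip[6:2] holds the IP flags and fragment offset,
# 0x4000 is DF, and 0x3fff is non-zero for MF or a non-zero offset.
#   tcpdump -ni bge1 'ip[6:2] & 0x4000 != 0 and ip[6:2] & 0x3fff != 0'
```

Only the scrub lines change; the pass rules stay as the poster had them. Dropping scrub on the internal interface entirely is the simpler choice when that network is trusted, but it also gives up fragment reassembly and the other normalisation on that side, so the no-df variant is the one to prefer if the NFS segment carries hosts you do not control.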