pf slows down traffic

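I run a web and mail server on FreeBSD 9.1. The system is installed on a KVM vServer. Everything works fine, until I enable pf(4). My blog becomes unreasonably slow. All other traffic is affected as well, but that is not as annoying.

So if anyone could tell me where the problem might be, that would be great.

Thanks in advance!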

Benchmarking with iperf returns the following results:

With pf disabled:

    Client connecting to 109.193.XXX.XXX, TCP port 5001
    TCP window size: 32.5 KByte (default)
    ------------------------------------------------------------
    [ 3] local 46.38.XXX.XXX port 31302 connected with 109.193.XXX.XXX port 5001
    [ ID] Interval Transfer Bandwidth
    [ 3] 0.0-10.0 sec 15.1 MBytes 12.6 Mbits/sec

With pf enabled:

    ------------------------------------------------------------
    Client connecting to 109.193.XXX.XXX, TCP port 5001
    TCP window size: 32.5 KByte (default)
    ------------------------------------------------------------
    [ 3] local 46.38.XXX.XXX port 61377 connected with 109.193.XXX.XXX port 5001
    [ ID] Interval Transfer Bandwidth
    [ 3] 0.0-18.1 sec 128 KBytes 58.1 Kbits/sec

This is my pf.conf:

    ### INTERFACES ###
    if = "{ em0 }"

    ### SETTINGS ###
    set block-policy drop

    ### PORTS ###
    tcp_pass = "{ 25 80 465 993}"
    udp_pass = "{ 25 80 465 993}"
    icmp_types = "echoreq"

    ### NORMALISATION ###
    scrub in all
    antispoof for $if

    ### RULES ###
    block all
    pass in on $if proto tcp from any to any port $tcp_pass flags S/SA keep state
    pass in on $if proto udp to any port $udp_pass keep state
    pass out quick all keep state

    # PING #
    pass in on $if inet proto icmp all icmp-type $icmp_types keep state

    # TRACEROUTE #
    pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state

This is rc.conf:

    …
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    …

The 9.0 branch seems to be particularly sensitive to odd configurations involving TCP segmentation offload. This can be "corrected" by disabling TSO:

    ifconfig em0 -tso
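A way to confirm the TSO state before and after the command in the answer above, so pf can stay enabled while the cause is verified. This is an added example, not part of the original answer: it assumes the `options=...<...>` capability line that FreeBSD's `ifconfig` prints, the function names `tso_enabled` and `tso_report` are hypothetical, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: read `ifconfig <iface>` output on stdin and report which
# TSO capabilities are currently enabled on that interface.

# Constructed sample outputs (not taken from the page).
SAMPLE_BEFORE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
    ether 00:00:5e:00:53:01'
SAMPLE_AFTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 00:00:5e:00:53:01'

# Print the enabled TSO capabilities (TSO4 and/or TSO6), space separated.
# Only exact TSO4/TSO6 entries count; other capabilities are ignored.
tso_enabled() {
    awk '/^[ \t]*options=/ {
        s = $0
        sub(/^[^<]*</, "", s)      # drop everything up to the "<"
        sub(/>.*$/, "", s)         # drop the closing ">" and anything after
        n = split(s, cap, ",")
        out = ""
        for (i = 1; i <= n; i++)
            if (cap[i] ~ /^TSO[46]$/)
                out = out (out == "" ? "" : " ") cap[i]
        print out
    }'
}

# $1 = interface name, stdin = ifconfig output for that interface.
tso_report() {
    caps=$(tso_enabled)
    if [ -n "$caps" ]; then
        echo "$1: TSO enabled ($caps), candidate for: ifconfig $1 -tso"
    else
        echo "$1: TSO not enabled"
    fi
}

# Demonstration on the constructed samples.
# On a live FreeBSD host: ifconfig em0 | tso_report em0
printf '%s\n' "$SAMPLE_BEFORE" | tso_report em0
printf '%s\n' "$SAMPLE_AFTER" | tso_report em0
```

`ifconfig em0 -tso` only lasts until the next reboot; appending `-tso` to the existing `ifconfig_em0` line in rc.conf keeps it in place.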