rdr rule does not work (bad hdr length)
Max Laier
max at love2party.net
Tue Nov 4 08:11:15 PST 2008
On Tuesday 04 November 2008 16:50:43 Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 04:48:31PM +0100, Matthias Kellermann wrote:
...
> >
> > Thanks for your explanation, Max.
> >
> > I've added the following line to /etc/inetd.conf:
> > telnet stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 20
> > 192.168.0.10 23
> >
> > Works fine!
> >
> > I've tried the same thing with other protocols (e.g. SSH). Doing an scp
> > transfer is really slow this way. Any ideas what could cause this issue?
> > (this is not pf related anymore, but perhaps someone has a quick answer).
>
> Simple: you've created a wonderful, beautiful bottleneck by using netcat
> as a form of buffering mechanism. You can tune netcat to your heart's
> content, and probably improve things a bit, but you're more or less
> screwed (to put it frankly).
>
> I highly recommend Max's first recommendation.
Basically, yes. Userland redirection is a hack. It's easy to set up and will
get you going. There are more efficient implementations than netcat - e.g.
rinetd from ports. Ultimately, however, if you are looking for throughput
without too much impact on the forwarding box etc. ... you must use a
different mechanism - such as in-kernel redirection as provided by pf. For
that you need a different network layout, however.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
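For comparison, an added illustration that is not part of this thread: the inetd/netcat forwarder from the quoted message next to the in-kernel pf redirection Max recommends. The interface name em0 is assumed, and 192.168.0.10 is assumed to route its replies back through the pf host (the "different network layout").

```pf
# Added example, not from the mailing list thread.
#
# Userland form (the /etc/inetd.conf line quoted above): inetd accepts on port 23
# and spawns one nc per connection, so every byte is copied through a process.
#   telnet stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 20 192.168.0.10 23
#
# In-kernel form for /etc/pf.conf. Packets are rewritten in the kernel and never
# touch userland. Requirement: 192.168.0.10 must sit behind this box so that its
# return traffic passes through pf as well.
ext_if = "em0"   # assumed: the interface the clients reach

# Rewrite the destination of inbound telnet on the external address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 23 -> 192.168.0.10 port 23

# rdr only translates; the translated connection must still be allowed through.
pass in on $ext_if inet proto tcp from any to 192.168.0.10 port 23 flags S/SA keep state

# Syntax check without loading: pfctl -nf /etc/pf.conf
```

The same pair of rules with port 22 in place of 23 covers the SSH/scp case mentioned in the thread.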