From: Donald Mickunas
Date: Wed, 27 May 2020 15:14:10 -0400
To: freebsd-pf@freebsd.org
Subject: pkg slow down a lot with simple firewall.

Hi all,

I am new to firewalls and trying to learn. I am attempting to set up a pf firewall on FreeBSD 12.1-RELEASE-p5. This is a home computer for personal use and is not part of a server network. "pkg update" will take a minute or more to complete a verification that it is up to date with the firewall on vs. seconds when the firewall is off. I can find no reason for this. I have done a variety of searches online plus in the various forums with zero results. Any ideas?

This is a simple firewall.
Here is my set up:

*/etc/pf.conf*

set skip on lo0
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }


*/etc/rc.conf*

clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="donsoptiplex"
keymap="us.kbd"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
dbus_enable="YES"
hald_enable="YES"
autofs_enable="YES"
kld_list="/boot/modules/i915kms.ko"
sound_load="YES"
snda_hda_load="YES"
sddm_enable="NO"
cupsd_enable="YES"
devfs_system_ruleset="system"
pf_enable="YES"
pflog_enable="YES"

Thanks!!

From: Cristian Cardoso
Date: Wed, 27 May 2020 17:22:29 -0300
To: Donald Mickunas
Cc: freebsd-pf@freebsd.org
Subject: Re: pkg slow down a lot with simple firewall.

Hello

Try to activate pf logs to see what is blocking or slowing you down; insert this in the /etc/rc.conf file:

pflog_enable="YES"
pflog_logfile="/var/log/pflog"

To view the logs afterwards, use tcpdump, as follows:

tcpdump -n -e -ttt -r /var/log/pflog

On Wed, May 27, 2020 at 16:23, Donald Mickunas wrote:
>
> Hi all,
>
> I am new to firewalls and trying to learn. I am attempting to set up a pf firewall on FreeBSD 12.1-RELEASE-p5. This is a home computer for personal use and is not part of a server network. "pkg update" will take a minute or more to complete a verification that it is up to date with the firewall on vs. seconds when the firewall is off. I can find no reason for this. I have done a variety of searches online plus in the various forums with zero results. Any ideas?
>
> This is a simple firewall.
> Here is my set up:
>
> */etc/pf.conf*
>
> set skip on lo0
> block all
> pass in proto tcp to port { 22 }
> pass out proto { tcp udp } to port { 22 53 80 123 443 }
> pass out inet proto icmp icmp-type { echoreq }
>
>
> */etc/rc.conf*
>
> clear_tmp_enable="YES"
> sendmail_enable="NONE"
> hostname="donsoptiplex"
> keymap="us.kbd"
> ifconfig_em0="DHCP"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> ntpd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="NO"
> dbus_enable="YES"
> hald_enable="YES"
> autofs_enable="YES"
> kld_list="/boot/modules/i915kms.ko"
> sound_load="YES"
> snda_hda_load="YES"
> sddm_enable="NO"
> cupsd_enable="YES"
> devfs_system_ruleset="system"
> pf_enable="YES"
> pflog_enable="YES"
>
> Thanks!!

From: Donald Mickunas
Date: Wed, 27 May 2020 17:16:58 -0400
To: Cristian Cardoso
Cc: freebsd-pf@freebsd.org
Subject: Re: pkg slow down a lot with simple firewall.

Thank you for your suggestion, Cristian.

I have implemented your suggestion with unexpected results. Note: I did reboot the system after I changed rc.conf.

$ cat /etc/rc.conf
clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="donsoptiplex"
keymap="us.kbd"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
dbus_enable="YES"
hald_enable="YES"
autofs_enable="YES"
kld_list="/boot/modules/i915kms.ko"
sound_load="YES"
snda_hda_load="YES"
sddm_enable="NO"
cupsd_enable="YES"
devfs_system_ruleset="system"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

$ cat /etc/pf.conf
set skip on lo0
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }

$ ls -l /var/log/pflog
-rw------- 1 root wheel 24 May 25 21:51 /var/log/pflog

$ sudo pkg update
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.

$ sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.

$ sudo tcdump -n -e -ttt -r /var/log/pflog
sudo: tcdump: command not found

$ sudo tcpdump -n -e -ttt -r /var/log/pflog
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
$

no output. Did I miss something?

Thanks

On Wed, May 27, 2020, at 16:22, Cristian Cardoso wrote:
> Hello
> Try to activate pf logs to see what is blocking or slowing you down,
> insert this in the /etc/rc.conf file
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
>
> To view the logs afterwards is via tcpdump, as follows:
> tcpdump -n -e -ttt -r /var/log/pflog
>
> On Wed, May 27, 2020 at 16:23, Donald Mickunas wrote:
> >
> > Hi all,
> >
> > I am new to firewalls and trying to learn. I am attempting to set up a pf firewall on FreeBSD 12.1-RELEASE-p5. This is a home computer for personal use and is not part of a server network. "pkg update" will take a minute or more to complete a verification that it is up to date with the firewall on vs. seconds when the firewall is off. I can find no reason for this. I have done a variety of searches online plus in the various forums with zero results. Any ideas?
> >
> > This is a simple firewall.
> > Here is my set up:
> >
> > */etc/pf.conf*
> >
> > set skip on lo0
> > block all
> > pass in proto tcp to port { 22 }
> > pass out proto { tcp udp } to port { 22 53 80 123 443 }
> > pass out inet proto icmp icmp-type { echoreq }
> >
> >
> > */etc/rc.conf*
> >
> > clear_tmp_enable="YES"
> > sendmail_enable="NONE"
> > hostname="donsoptiplex"
> > keymap="us.kbd"
> > ifconfig_em0="DHCP"
> > ifconfig_em0_ipv6="inet6 accept_rtadv"
> > ntpd_enable="YES"
> > # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> > dumpdev="NO"
> > dbus_enable="YES"
> > hald_enable="YES"
> > autofs_enable="YES"
> > kld_list="/boot/modules/i915kms.ko"
> > sound_load="YES"
> > snda_hda_load="YES"
> > sddm_enable="NO"
> > cupsd_enable="YES"
> > devfs_system_ruleset="system"
> > pf_enable="YES"
> > pflog_enable="YES"
> >
> > Thanks!!

From: Doug Hardie
Date: Wed, 27 May 2020 14:24:35 -0700
To: Donald Mickunas
Cc: Cristian Cardoso, freebsd-pf@freebsd.org
Subject: Re: pkg slow down a lot with simple firewall.

> On 27 May 2020, at 14:16, Donald Mickunas wrote:
>
> Thank you for your suggestion, Cristian.
>
> I have implemented your suggestion with unexpected results. Note: I did reboot the system after I changed rc.conf.
>
> $ cat /etc/pf.conf
> set skip on lo0
> block all
> pass in proto tcp to port { 22 }
> pass out proto { tcp udp } to port { 22 53 80 123 443 }
> pass out inet proto icmp icmp-type { echoreq }
>
> $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> $
>
> no output. Did I miss something?

You do not have any "log" commands in pf.conf. Add a "log" after "in" or "out" on each pass line. Then pf will do the logging.

-- Doug

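Added example, not part of any post in this thread: once the pass rules carry "log", `tcpdump -n -e -ttt -r /var/log/pflog` prints every logged packet with the delay since the previous one, so a slow "pkg update" shows up as long pauses between lines. This Python script finds those pauses and the packet logged just before each one; the function names and the 5-second threshold are assumptions, and the sample lines are copied from the output Donald posts in the next message.

```python
"""Find long pauses in `tcpdump -n -e -ttt -r /var/log/pflog` output."""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Contiguous excerpt copied from the output posted later in this thread.
SAMPLE = """\
00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

# Fields: -ttt delta, pf rule number, action, direction, interface,
# source > destination, then tcpdump's decode of the payload.
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) rule (\d+)/\d+\(\w+\): "
    r"(pass|block) (in|out) on (\S+): (\S+) > (\S+): (.*)$"
)


class Entry(NamedTuple):
    delta: float              # seconds since the previous logged packet
    rule: int                 # number of the pf rule that matched
    action: str               # "pass" or "block"
    direction: str            # "in" or "out"
    family: str               # "inet" or "inet6"
    dst_addr: str
    dst_port: Optional[int]   # None for ICMP, which has no ports
    detail: str


class Stall(NamedTuple):
    gap: float                # length of the pause in seconds
    before: Entry             # last packet logged before the pause
    after: Entry              # first packet logged after it


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if m is None:
        # Fail loudly: skipping a line would pin a pause on the wrong packet.
        raise ValueError(f"unrecognised pflog line: {line!r}")
    hours, minutes, seconds, rule, action, direction, _iface, _src, dst, detail = m.groups()
    if detail.startswith("ICMP"):
        addr, port = dst, None
    else:
        # With -n, tcpdump appends the port to the address after a final dot.
        addr, _, port_text = dst.rpartition(".")
        port = int(port_text)
    delta = int(hours) * 3600 + int(minutes) * 60 + float(seconds)
    family = "inet6" if ":" in addr else "inet"
    return Entry(delta, int(rule), action, direction, family, addr, port, detail)


def find_stalls(text: str, threshold: float = 5.0) -> list:
    """Return a Stall for every line logged `threshold` seconds or more after the previous one."""
    entries = [parse_line(line) for line in text.splitlines() if line.strip()]
    # The first line's delta refers to a packet we cannot see, so start at the second.
    return [Stall(cur.delta, prev, cur)
            for prev, cur in zip(entries, entries[1:])
            if cur.delta >= threshold]


def summarize(stalls) -> Counter:
    """Count stalls by (address family, destination port) of the packet before the pause."""
    return Counter((s.before.family, s.before.dst_port) for s in stalls)


if __name__ == "__main__":
    found = find_stalls(SAMPLE)
    for s in found:
        print(f"{s.gap:7.3f}s quiet after rule {s.before.rule} {s.before.action} "
              f"{s.before.direction} to {s.before.dst_addr} port {s.before.dst_port} "
              f"({s.before.family})")
    print(dict(summarize(found)))
```

On this excerpt it reports three pauses: one after an NTP query and two after the IPv6 connection to port 80 that rule 3 passed. Only rules that carry "log" write to pflog, so packets dropped by a bare "block all" are not in this output.
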
From: Donald Mickunas
Date: Wed, 27 May 2020 17:38:00 -0400
To: Doug Hardie
Cc: Cristian Cardoso, freebsd-pf@freebsd.org
Subject: Re: pkg slow down a lot with simple firewall.

Thanks, Doug. Here are the results after running pkg update once.

$ sudo tcpdump -n -e -ttt -r /var/log/pflog
Password:
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
$

I have no idea how to interpret this. Any help would be appreciated.

On Wed, May 27, 2020, at 17:24, Doug Hardie wrote:
> > On 27 May 2020, at 14:16, Donald Mickunas wrote:
> >
> > Thank you for your suggestion, Cristian.
> >
> > I have implemented your suggestion with unexpected results. Note: I did reboot the system after I changed rc.conf.
> >
> > $ cat /etc/pf.conf
> > set skip on lo0
> > block all
> > pass in proto tcp to port { 22 }
> > pass out proto { tcp udp } to port { 22 53 80 123 443 }
> > pass out inet proto icmp icmp-type { echoreq }
> >
> > $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> > reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> > $
> >
> > no output. Did I miss something?
>
> You do not have any "log" commands in pf.conf. Add a "log" after "in"
> or "out" on each pass line. Then pf will do the logging.
>
> -- Doug

Date: Wed, 27 May 2020 15:18:27 -0700
From: Doug Hardie
To: Donald Mickunas
Cc: Cristian Cardoso, FreeBSD PF List
Subject: Re: pkg slow down a lot with simple firewall.

> On 27 May 2020, at 14:38, Donald Mickunas wrote:
>
> Thanks, Doug.
>
> Here are the results after running pkg update once.
>
> $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> Password:
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
> 00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
> 00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
> 00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
> 00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
> 00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
> 00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
> 00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
> 00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
> 00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> 00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
> 00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
> 00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
> 00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> 00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
> 00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
> 00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
> 00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> $
>
> I have no idea how to interpret this. Any help would be appreciated.

That is quite unexpected. The connection starts out with IPv4 and then switches to IPv6. It also only shows the output packets so delays caused at the server end cannot be distinguished. I would recommend using tcpdump to see the entire transaction.

In one window, start tcpdump with:
        tcpdump -ixxx -ttt -s0 -X port 80

Here you need to replace xxx above with your interface name. You can find it in the output of ifconfig. It will be the interface that has your IP address in it. For example, mine is:

bge0: flags=8943 metric 0 mtu 1500
        options=c019b
        ether 38:c9:86:07:3b:5b
        inet 10.0.1.250 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::3ac9:86ff:fe07:3b5b%bge0 prefixlen 64 scopeid 0x1
        inet6 fee1::250 prefixlen 64
        media: Ethernet autoselect (100baseTX )
        status: active
        nd6 options=23

and the interface name is bge0.

Then in the second window start the pkg update command. Note, tcpdump will produce a lot of output. The output will have a time stamp (hours:minutes:seconds.microseconds). It will be a delta time from the previous packet. Look for one where the seconds are greater than zero. That is where the delays are occurring.

-- Doug
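
Doug's reading of the `-ttt` delta timestamps, applied to the pflog capture Donald posted, as an added example that is not part of the original thread: it parses each logged line, reports every gap of one second or more, and shows what was sent just before the wait. The capture text is copied from the thread; the names `Packet`, `parse_line`, `parse` and `find_stalls` are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Output of `tcpdump -n -e -ttt -r /var/log/pflog` as posted in the thread.
SAMPLE = """\
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

# delta time, rule number, action, direction, interface, source, destination
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) rule (\d+)/\d+\(match\): "
    r"(\w+) (in|out) on (\S+): (\S+) > (\S+): "
)


@dataclass
class Packet:
    delta_us: int            # microseconds since the previous logged packet (-ttt)
    rule: int                # pf rule number that matched
    action: str              # pass / block
    direction: str           # in / out
    ifname: str
    dst_addr: str
    dst_port: Optional[int]  # None for port-less protocols such as ICMP
    family: int              # 4 or 6


def split_endpoint(endpoint: str):
    """tcpdump prints endpoints as addr.port; ICMP endpoints carry no port."""
    try:
        return ipaddress.ip_address(endpoint), None
    except ValueError:
        addr, _, port = endpoint.rpartition(".")
        return ipaddress.ip_address(addr), int(port)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one pflog line; return None for banners and unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, us, rule, action, direction, ifname, _src, dst = m.groups()
    try:
        addr, port = split_endpoint(dst)
    except ValueError:
        return None
    delta_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
    return Packet(delta_us, int(rule), action, direction, ifname,
                  str(addr), port, addr.version)


def parse(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def find_stalls(packets: List[Packet],
                threshold_us: int = 1_000_000) -> List[Tuple[Packet, Packet]]:
    """Return (packet before the wait, delayed packet) for each gap >= threshold."""
    return [(packets[i - 1], p) for i, p in enumerate(packets)
            if i > 0 and p.delta_us >= threshold_us]


if __name__ == "__main__":
    for prev, cur in find_stalls(parse(SAMPLE)):
        print(f"{cur.delta_us / 1e6:7.3f}s wait after IPv{prev.family} packet to "
              f"{prev.dst_addr} port {prev.dst_port} (rule {prev.rule}); "
              f"next: IPv{cur.family} to {cur.dst_addr} port {cur.dst_port}")
```

Three of the four waits in this capture come directly after an IPv6 packet to port 80.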

Date: Wed, 27 May 2020 21:36:19 -0300
From: Cristian Cardoso
To: Doug Hardie
Cc: Donald Mickunas, FreeBSD PF List
Subject: Re: pkg slow down a lot with simple firewall.

I reinforce Doug's recommendation and if you want to log the things
that are possibly blocked, insert it in pf.conf

block in log all

About what Doug talked about starting the connection in IPv4 and
switching to IPv6, it is only the DNS request in IPv4 that is managing
to answer the domain update.freebsd.org in IPv6, with that the pkg
requests come out via IPv6

One thing that helped me a lot in the beginning was this URL:
https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1

Date: Wed, 27 May 2020 21:19:18 -0400
From: "Donald Mickunas"
To: "Cristian Cardoso", "Doug Hardie"
Cc: "FreeBSD PF List"
Subject: Re: pkg slow down a lot with simple firewall.

Thank you Doug and Cristian for all your help.

I found the solution based on something Doug said about seeing a request in IPv6. I decided to try something I found in Absolute FreeBSD pg 356.

"I've been on more than one network that has better IPv6 connectivity than IPv4, or the other way. Direct pkg to use one network protocol or the other with the IP_VERSION setting in pkg.conf. You can set this to 4, 6 or let the host autoselect with the default of 0."

When I set it to 4, my problem disappeared.

Thank you Cristian for the site. I will make good use of it.

Regards,
Don Mickunas

Date: Wed, 27 May 2020 21:22:32 -0400
From: "Donald Mickunas"
To: "Cristian Cardoso", "Doug Hardie"
Cc: "FreeBSD PF List"
Subject: Re: pkg slow down a lot with simple firewall.

Just a note. I have the manpage for pkg.conf printed and in a binder. Thanks again.

On Wed, May 27, 2020, at 20:36, Cristian Cardoso wrote:
> I reinforce Doug's recommendation and if you want to log the things
> that are possibly blocked, insert it in pf.conf
>
> block in log all
>
> About what Doug talked about starting the connection in IPv4 and
> switching to IPv6, it is only the DNS request in IPv4 that is managing
> to answer the domain update.freebsd.org in IPv6, with that the pkg
> requests come out via IPv6
>
> One thing that helped me a lot in the beginning was this URL:
> https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1
>
> On Wed, 27 May 2020 at 19:18, Doug Hardie wrote:
> >
> > > On 27 May 2020, at 14:38, Donald Mickunas wrote:
> > >
> > > Thanks, Doug.
> > >
> > > Here are the results after running pkg update once.
> > >
> > > $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> > > Password:
> > > reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> > > 00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
> > > 00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
> > > 00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
> > > 00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
> > > 00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
> > > 00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
> > > 00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
> > > 00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
> > > 00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
> > > 00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> > > 00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
> > > 00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
> > > 00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
> > > 00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> > > 00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
> > > 00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
> > > 00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
> > > 00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> > > $
> > >
> > > I have no idea how to interpret this. Any help would be appreciated.
> >
> > That is quite unexpected. The connection starts out with IPv4 and then switches to IPv6. It also only shows the output packets so delays caused at the server end cannot be distinguished. I would recommend using tcpdump to see the entire transaction.
> >
> > In one window, start tcpdump with:
> > tcpdump -ixxx -ttt -s0 -X port 80
> >
> > Here you need to replace xxx above with your interface name. You can find it in the output of ifconfig. It will be the interface that has your IP address in it. For example, mine is:
> >
> > bge0: flags=8943 metric 0 mtu 1500
> > options=c019b
> > ether 38:c9:86:07:3b:5b
> > inet 10.0.1.250 netmask 0xffffff00 broadcast 10.0.1.255
> > inet6 fe80::3ac9:86ff:fe07:3b5b%bge0 prefixlen 64 scopeid 0x1
> > inet6 fee1::250 prefixlen 64
> > media: Ethernet autoselect (100baseTX )
> > status: active
> > nd6 options=23
> >
> > and the interface name is bge0.
> >
> > Then in the second window start the pkg update command. Note, tcpdump will produce a lot of output. The output will have a time stamp (hours:minutes:seconds.microseconds). It will be a delta time from the previous packet. Look for one where the seconds are greater than zero. That is where the delays are occurring.
> >
> > -- Doug
>
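
The check Doug describes in the quoted text (find the `-ttt` delta timestamps where the seconds are greater than zero) can be scripted. The following Python is an added example, not part of the original thread: the function names `endpoint`, `parse` and `find_stalls` are hypothetical, and the sample lines are copied from the pflog output quoted above.

```python
import re

# Excerpt from the `tcpdump -n -e -ttt -r /var/log/pflog` output quoted in the thread.
SAMPLE = """\
00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

# Fields: delta time, rule number, action, direction, interface, source, destination.
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) rule (\d+)/\S+ (\w+) (in|out) on (\S+): "
                  r"(\S+) > (\S+): ")

def endpoint(text):
    """Split tcpdump's addr.port notation; the port is the last dot-separated field."""
    addr, port = text.rsplit(".", 1)
    return ("IPv6" if ":" in addr else "IPv4"), addr, int(port)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # banner lines such as "reading from file ..."
    h, mnt, sec, rule, _action, _dir, _iface, _src, dst = m.groups()
    family, addr, port = endpoint(dst)
    return {"delta": int(h) * 3600 + int(mnt) * 60 + float(sec), "rule": int(rule),
            "family": family, "dst": addr, "dport": port}

def find_stalls(text, threshold=1.0):
    """Return (gap_seconds, packet_before_gap, packet_after_gap) for each long gap."""
    stalls, prev = [], None
    for line in text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        if prev is not None and pkt["delta"] >= threshold:
            stalls.append((pkt["delta"], prev, pkt))
        prev = pkt
    return stalls

if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE):
        print(f"{gap:9.3f}s idle after {before['family']} packet to {before['dst']} "
              f"port {before['dport']} (rule {before['rule']}); "
              f"next: {after['family']} to {after['dst']} port {after['dport']}")
```

Because `-ttt` prints the time since the previous packet, each gap is reported together with the packet that preceded it, which is the one to examine when looking for the cause of the wait.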