From owner-freebsd-pf@freebsd.org Wed May 27 21:17:24 2020
Message-Id: <8347b16b-5b9b-4e62-88fc-a3f19dc138a8@www.fastmail.com>
References: <804eeda4-03ed-4ec8-8755-3130e06382d8@www.fastmail.com>
Date: Wed, 27 May 2020 17:16:58 -0400
From: "Donald Mickunas"
To: "Cristian Cardoso"
Cc: freebsd-pf@freebsd.org
Subject: Re: pkg slow down a lot with simple firewall.

Thank you for your suggestion, Cristian.

I have implemented your suggestion with unexpected results. Note: I did reboot the system after I changed rc.conf.

$ cat /etc/rc.conf
clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="donsoptiplex"
keymap="us.kbd"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
dbus_enable="YES"
hald_enable="YES"
autofs_enable="YES"
kld_list="/boot/modules/i915kms.ko"
sound_load="YES"
snda_hda_load="YES"
sddm_enable="NO"
cupsd_enable="YES"
devfs_system_ruleset="system"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

$ cat /etc/pf.conf
set skip on lo0
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }

$ ls -l /var/log/pflog
-rw------- 1 root wheel 24 May 25 21:51 /var/log/pflog

$ sudo pkg update
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.

$ sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.

$ sudo tcdump -n -e -ttt -r /var/log/pflog
sudo: tcdump: command not found

$ sudo tcpdump -n -e -ttt -r /var/log/pflog
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
$

no output. Did I miss something?

Thanks

On Wed, May 27, 2020, at 16:22, Cristian Cardoso wrote:
> Hello
> Try to activate pf logs to see what is blocking or slowing you down,
> insert this in the /etc/rc.conf file
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
>
> To view the logs afterwards, use tcpdump as follows:
> tcpdump -n -e -ttt -r /var/log/pflog
>
> On Wed, May 27, 2020 at 16:23, Donald Mickunas wrote:
> >
> > Hi all,
> >
> > I am new to firewalls and trying to learn. I am attempting to set up a pf firewall on FreeBSD 12.1-RELEASE-p5. This is a home computer for personal use and is not part of a server network.
> > "pkg update" will take a minute or more to complete a verification that it is up to date with the firewall on vs. seconds when the firewall is off. I can find no reason for this. I have done a variety of searches online plus in the various forums with zero results. Any ideas?
> >
> > This is a simple firewall.
> > Here is my set up:
> >
> > */etc/pf.conf*
> >
> > set skip on lo0
> > block all
> > pass in proto tcp to port { 22 }
> > pass out proto { tcp udp } to port { 22 53 80 123 443 }
> > pass out inet proto icmp icmp-type { echoreq }
> >
> >
> > */etc/rc.conf*
> >
> > clear_tmp_enable="YES"
> > sendmail_enable="NONE"
> > hostname="donsoptiplex"
> > keymap="us.kbd"
> > ifconfig_em0="DHCP"
> > ifconfig_em0_ipv6="inet6 accept_rtadv"
> > ntpd_enable="YES"
> > # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> > dumpdev="NO"
> > dbus_enable="YES"
> > hald_enable="YES"
> > autofs_enable="YES"
> > kld_list="/boot/modules/i915kms.ko"
> > sound_load="YES"
> > snda_hda_load="YES"
> > sddm_enable="NO"
> > cupsd_enable="YES"
> > devfs_system_ruleset="system"
> > pf_enable="YES"
> > pflog_enable="YES"
> >
> > Thanks!!
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>