Date: Wed, 27 May 2020 17:38:00 -0400
From: "Donald Mickunas" <dmickunas1954@fastmail.com>
To: "Doug Hardie" <bc979@lafn.org>
Cc: "Cristian Cardoso" <cristian.cardoso11@gmail.com>, freebsd-pf@freebsd.org
Subject: Re: pkg slow down a lot with simple firewall.
Message-ID: <51ae9da1-ccbb-4a1c-b1e3-155bce912cc5@www.fastmail.com>
In-Reply-To: <0E48F161-081E-43F8-B00D-9888A48D7AA2@mail.sermon-archive.info>
References: <804eeda4-03ed-4ec8-8755-3130e06382d8@www.fastmail.com> <CAKeEC-L1PTNU4Wr09rspFf7xkn1zE_+hghM7k6j9+baZ3ObT-g@mail.gmail.com> <8347b16b-5b9b-4e62-88fc-a3f19dc138a8@www.fastmail.com> <0E48F161-081E-43F8-B00D-9888A48D7AA2@mail.sermon-archive.info>
Thanks, Doug. Here are the results after running pkg update once.

$ sudo tcpdump -n -e -ttt -r /var/log/pflog
Password:
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
$

I have no idea how to interpret this. Any help would be appreciated.

On Wed, May 27, 2020, at 17:24, Doug Hardie wrote:
>
> On 27 May 2020, at 14:16, Donald Mickunas <dmickunas1954@fastmail.com> wrote:
> >
> > Thank you for your suggestion, Cristian.
> >
> > I have implemented your suggestion with unexpected results. Note: I did reboot the system after I changed rc.conf.
> >
> > $ cat /etc/pf.conf
> > set skip on lo0
> > block all
> > pass in proto tcp to port { 22 }
> > pass out proto { tcp udp } to port { 22 53 80 123 443 }
> > pass out inet proto icmp icmp-type { echoreq }
> >
> > $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> > reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> > $
> >
> > no output. Did I miss something?
>
> You do not have any "log" commands in pf.conf. Add a "log" after "in"
> or "out" on each pass line. Then pf will do the logging.
>
> -- Doug
>
>
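As an added example for reading output in the form shown above (this is not part of the thread, nor a pf or tcpdump tool), the Python script below parses lines printed by "tcpdump -n -e -ttt -r /var/log/pflog" and summarizes them three ways: how many packets each pf rule matched and with what action and direction, which destination services were contacted, and which destinations received more than one TCP SYN and how far apart. The sample input is a constructed subset of the lines in the message; because -ttt prints the delta from the previously printed line, the elapsed times computed over a subset are illustrative only. The port-to-service names and the dict layout of the summary are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines from the message above.
# -ttt means each timestamp is the delta since the previous printed line.
SAMPLE = """\
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

# One pflog line as tcpdump -e prints it: delta, "rule N/M(reason):",
# action, direction, interface, then "src > dst: decoded payload".
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# Assumed port-to-service names, matching the ports opened in the pf.conf above.
SERVICES = {22: "ssh", 53: "dns", 80: "http", 123: "ntp", 443: "https"}


def split_endpoint(endpoint):
    """'host.port' -> (host, port); works for IPv6 too because the port follows the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_pflog(text):
    """Parse tcpdump -ttt pflog lines into dicts with a running clock in seconds."""
    records = []
    clock = 0.0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the "reading from file ..." banner and anything unparsed
        clock += int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        dst_host, dst_port = split_endpoint(m["dst"])
        records.append({
            "t": clock,
            "rule": int(m["rule"]),
            "action": m["action"],
            "dir": m["dir"],
            "ifname": m["ifname"],
            "src": split_endpoint(m["src"]),
            "dst": (dst_host, dst_port),
            "service": SERVICES.get(dst_port, f"port {dst_port}"),
            # Only a fully decoded TCP header shows flags; "[|tcp]" means truncated.
            "syn": m["rest"].startswith("Flags [S]"),
        })
    return records


def summarize(records):
    """Count packets per rule and per service; flag destinations that got repeated SYNs."""
    by_rule = Counter((r["rule"], r["action"], r["dir"]) for r in records)
    by_service = Counter(r["service"] for r in records)
    syn_times = defaultdict(list)
    for r in records:
        if r["syn"]:
            syn_times[r["dst"]].append(r["t"])
    repeated_syn = {
        f"{host}:{port}": {"attempts": len(ts), "span_s": round(ts[-1] - ts[0], 3)}
        for (host, port), ts in syn_times.items()
        if len(ts) > 1
    }
    return {"by_rule": dict(by_rule), "by_service": dict(by_service),
            "repeated_syn": repeated_syn}


if __name__ == "__main__":
    summary = summarize(parse_pflog(SAMPLE))
    for (rule, action, direction), n in sorted(summary["by_rule"].items()):
        print(f"rule {rule}: {action} {direction:<3} {n} packet(s)")
    for service, n in sorted(summary["by_service"].items()):
        print(f"{service:<8} {n} packet(s)")
    for dst, info in summary["repeated_syn"].items():
        print(f"{dst}: {info['attempts']} SYNs over {info['span_s']} s (no state completed in this log)")
```

The rule numbers in each line refer to the loaded ruleset, so "pfctl -vvsr" (which prefixes every rule with its @number) tells you which pass line each entry came from. Several fresh SYNs from different source ports to the same destination, many seconds apart, are the pattern a stalled connection attempt leaves in a log that only records matched "pass out" packets; what it does not show is whether anything came back, which is why logging only the outbound rules cannot on its own explain a slowdown.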