From owner-freebsd-pf@freebsd.org Wed May 27 21:38:22 2020
From: "Donald Mickunas"
To: "Doug Hardie"
Cc: "Cristian Cardoso", freebsd-pf@freebsd.org
Date: Wed, 27 May 2020 17:38:00 -0400
Subject: Re: pkg slow down a lot with simple firewall.
Message-Id: <51ae9da1-ccbb-4a1c-b1e3-155bce912cc5@www.fastmail.com>
In-Reply-To: <0E48F161-081E-43F8-B00D-9888A48D7AA2@mail.sermon-archive.info>
References: <804eeda4-03ed-4ec8-8755-3130e06382d8@www.fastmail.com> <8347b16b-5b9b-4e62-88fc-a3f19dc138a8@www.fastmail.com> <0E48F161-081E-43F8-B00D-9888A48D7AA2@mail.sermon-archive.info>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Thanks, Doug. Here are the results after running pkg update once.
$ sudo tcpdump -n -e -ttt -r /var/log/pflog
Password:
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
$

I have no idea how to interpret this. Any help would be appreciated.

On Wed, May 27, 2020, at 17:24, Doug Hardie wrote:
>
> > On 27 May 2020, at 14:16, Donald Mickunas wrote:
> >
> > Thank you for your suggestion, Cristian.
> >
> > I have implemented your suggestion with unexpected results. Note: I did reboot the system after I changed rc.conf.
> >
> > $ cat /etc/pf.conf
> > set skip on lo0
> > block all
> > pass in proto tcp to port { 22 }
> > pass out proto { tcp udp } to port { 22 53 80 123 443 }
> > pass out inet proto icmp icmp-type { echoreq }
> >
> > $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> > reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> > $
> >
> > no output. Did I miss something?
>
> You do not have any "log" commands in pf.conf. Add a "log" after "in"
> or "out" on each pass line. Then pf will do the logging.
>
> -- Doug
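As an added example (not part of the thread), a small Python parser for the `tcpdump -n -e -ttt -r /var/log/pflog` lines above: it pulls out the rule number, action, direction and endpoints of each logged packet, counts which rule matched how often, and flags packets that were logged only after a long pause, which is where to start when lining the log up against a slow pkg run. It assumes the tcpdump pflog line format shown in the mail; the sample lines are copied from that log, and the 5 s "slow" threshold is an arbitrary choice.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One line of `tcpdump -n -e -ttt -r /var/log/pflog`; with -ttt the timestamp is the delay since the previous packet.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>\w+) (?P<dir>in|out) on \w+: (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# Lines copied from the pflog output quoted in this mail, plus tcpdump's banner line.
SAMPLE = """\
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

@dataclass
class Entry:
    delta: float      # seconds since the previous logged packet
    rule: int         # pf rule number, as listed by `pfctl -vvsr`
    action: str       # pass or block
    direction: str    # in or out
    src: str          # host.port; tcpdump writes IPv6 endpoints the same way
    dst: str
    rest: str         # what tcpdump decoded: [|domain], NTPv4 ..., Flags [S] ...

def split_port(endpoint: str) -> tuple:
    host, _, port = endpoint.rpartition(".")   # the port follows the last dot, IPv4 or IPv6
    return host, port

def parse_pflog(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # skips the "reading from file ..." banner
            continue
        delta = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
        entries.append(Entry(delta, int(m["rule"]), m["action"], m["dir"],
                             m["src"], m["dst"], m["rest"]))
    return entries

def rule_summary(entries: list) -> Counter:
    return Counter((e.rule, e.action, e.direction) for e in entries)   # the "what matched" view

def slow_gaps(entries: list, threshold: float = 5.0) -> list:
    return [e for e in entries if e.delta >= threshold]   # packets logged only after a long silence (assumed 5 s)
```

On the full log above, the entries with deltas of 18 to 34 seconds are the ones `slow_gaps` returns, so those are the stalls to explain before looking at the rules themselves.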