From: Doug Hardie
To: Donald Mickunas
Cc: Cristian Cardoso, FreeBSD PF List <freebsd-pf@freebsd.org>
Subject: Re: pkg slow down a lot with simple firewall.
Date: Wed, 27 May 2020 15:18:27 -0700
In-Reply-To: <51ae9da1-ccbb-4a1c-b1e3-155bce912cc5@www.fastmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> On 27 May 2020, at 14:38, Donald Mickunas wrote:
>
> Thanks, Doug.
>
> Here are the results after running pkg update once.
>
> $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> Password:
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
> 00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
> 00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
> 00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
> 00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
> 00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
> 00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
> 00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
> 00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
> 00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> 00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
> 00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
> 00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
> 00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> 00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
> 00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
> 00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
> 00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> $
>
> I have no idea how to interpret this. Any help would be appreciated.

That is quite unexpected. The connection starts out with IPv4 and then switches to IPv6. It also only shows the output packets, so delays caused at the server end cannot be distinguished. I would recommend using tcpdump to see the entire transaction.

In one window, start tcpdump with:

tcpdump -ixxx -ttt -s0 -X port 80

Here you need to replace xxx above with your interface name. You can find it in the output of ifconfig. It will be the interface that has your IP address in it. For example, mine is:

bge0: flags=8943 metric 0 mtu 1500
	options=c019b
	ether 38:c9:86:07:3b:5b
	inet 10.0.1.250 netmask 0xffffff00 broadcast 10.0.1.255
	inet6 fe80::3ac9:86ff:fe07:3b5b%bge0 prefixlen 64 scopeid 0x1
	inet6 fee1::250 prefixlen 64
	media: Ethernet autoselect (100baseTX )
	status: active
	nd6 options=23

and the interface name is bge0.

Then in the second window start the pkg update command. Note, tcpdump will produce a lot of output. The output will have a time stamp (hours:minutes:seconds.microseconds). It will be a delta time from the previous packet. Look for one where the seconds are greater than zero. That is where the delays are occurring.

-- Doug
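As an added illustration of the delta-timestamp reading Doug describes (this is example code written for this page, not part of the original mail or of any FreeBSD tool), the following Python parses `tcpdump -ttt` lines in both forms that appear in the thread: the pflog replay with `-e` quoted above, and the live `tcpdump -ixxx -ttt -s0 -X port 80` capture he recommends, whose `-X` hex rows are skipped. For every packet that followed a gap of at least the chosen threshold it reports the gap together with the packet sent just before it, since with `-ttt` the stamp is the wait before that packet. The sample input is a subset of the quoted pflog lines with the mail wrapping undone; the one-second threshold and all function and field names are my own choices.

```python
"""Locate stalls in `tcpdump -ttt` output (added example, not from the mail).

With -ttt every timestamp is the delta since the previous captured packet,
so a large value marks the packet that followed a long wait. Handles both
pflog replay with -e (rule/action prefix) and live capture lines, and
skips the hex rows that -X adds.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the pflog lines quoted in the thread, with
# the mail's quoted-printable line wrapping undone.
SAMPLE_PFLOG = """\
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

LINE_RE = re.compile(
    r"^(?P<h>\d+):(?P<m>\d+):(?P<s>\d+(?:\.\d+)?) "            # -ttt delta stamp
    r"(?:rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "          # pflog header (-e) ...
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+?): )?"  # ... when present
    r"(?:IP6? )?"                                               # live-capture prefix
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)


@dataclass
class Packet:
    delta: float            # seconds since the previous captured packet
    rule: Optional[int]     # pf rule number when the line carries a pflog header
    action: Optional[str]   # pass/block from the pflog header, else None
    ifname: Optional[str]
    src: str                # host.port exactly as tcpdump prints it
    dst: str
    summary: str            # protocol decode after "dst:"


def parse_delta(stamp: str) -> float:
    """'hh:mm:ss.ffffff' from -ttt -> seconds as a float."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str) -> Optional[Packet]:
    """One tcpdump line -> Packet, or None for banners and -X hex rows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(
        delta=parse_delta(f"{m['h']}:{m['m']}:{m['s']}"),
        rule=int(m["rule"]) if m["rule"] else None,
        action=m["action"],
        ifname=m["ifname"],
        src=m["src"],
        dst=m["dst"],
        summary=m["rest"],
    )


def parse_capture(text: str) -> list[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def find_gaps(packets: list[Packet], threshold: float = 1.0) -> list[tuple[Optional[Packet], Packet]]:
    """(previous, current) pairs where current.delta >= threshold.

    The delta is the wait *before* `current`, so `previous` is the last thing
    this host sent before the stall: in a send-only pflog it is the packet
    whose reply (not logged) was presumably being waited for.
    """
    gaps: list[tuple[Optional[Packet], Packet]] = []
    prev: Optional[Packet] = None
    for pkt in packets:
        if pkt.delta >= threshold:
            gaps.append((prev, pkt))
        prev = pkt
    return gaps


def describe_gap(prev: Optional[Packet], cur: Packet) -> str:
    waited_on = f"after {prev.src} > {prev.dst} [{prev.summary[:24]}]" if prev else "at start of capture"
    return f"{cur.delta:9.6f}s stall {waited_on}; next sent: {cur.src} > {cur.dst}"


if __name__ == "__main__":
    for prev, cur in find_gaps(parse_capture(SAMPLE_PFLOG), threshold=1.0):
        print(describe_gap(prev, cur))
```

Run against the quoted pflog the script reports three stalls, each of which follows a packet whose answer is not in the log (two DNS queries to 192.168.1.1 and one NTP request), which is exactly why Doug asks for a capture of both directions on the interface: only then can the wait be pinned on the local resolver, the remote server, or a blocked reply.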